The July Patch Tuesday release contains three updates addressing "critical" security vulnerabilities in Windows, according to an advance notification issued Thursday. Two of the bulletins address previously revealed issues that are being exploited in limited attacks: One is a vulnerability in DirectShow, the other is a bug in the Microsoft Video ActiveX control.
Many security experts predicted that websites hosting the exploit for the ActiveX flaw, which was revealed Monday, would only continue to grow, meaning Microsoft had to act quickly.
"Our engineering team has been working around the clock to produce an update for the issue...and we believe that they will be able to release an update of appropriate quality for broad distribution that protects against the attacks," wrote Jerry Bryant, a Microsoft security program manager, on the company's Security Response Center blog. "As you know, this information may change between now and next Tuesday."
The vulnerability impacts Windows XP and Server 2003 users and is particularly dangerous because users can be infected simply by visiting a website.
"It requires no user intervention at all," Dmitriy Ayrapetov, product line manager at internet security firm SonicWALL, told SCMagazineUS.com this week. "Anywhere you can click on a web page in Internet Explorer, that's where they're vulnerable."
He said he wouldn't be surprised if hijacked social networking sites, such as Facebook and Twitter, soon are used to spread the malware.
So far, most of the compromised websites being used to serve up the attack -- experts estimate the number is somewhere in the thousands -- are based in China, researchers said.
Right now, the goal of the malware writers largely is to install World of Warcraft password-stealing trojans on victim machines, Roger Thompson, chief research officer at ant-virus firm AVG, told SCMagazineUS.com this week. However, the payload could become more malicious, and he expects many more sites in the United States to be hacked and seeded with the exploit to launch drive-by downloads.
Until the fix is released, users should apply an available workaround, which is to set the kill bit for the affected ActiveX control.
In addition to the three "critical" patches, Microsoft on Tuesday plans to push out three "important" fixes, affecting Publisher, Internet Security and Acceleration Server and Virtual PC and Virtual Server, according to the notification.