Microsoft promises to stymie hackers next week with new patches

Microsoft today said it would deliver six security updates next Tuesday, including two for holes that hackers have been using for months to attack Windows and Internet Explorer (IE).

Of the six updates previewed today in the advance notice, three will affect Windows, and one each will patch problems in Publisher, Internet Security and Acceleration Server (ISA) and Microsoft's Virtual PC and Virtual Server software. The Windows updates will be tagged "critical," Microsoft's highest threat ranking, while the others will be marked "important," the next rating down in the company's four-step scoring system.

The two aimed at a pair of zero-days -- vulnerabilities exploited before a patch is available -- are the top story, said Andrew Storms, director of security operations at nCircle Network Security. "What really trumps today are the [fixes for the] known bugs," said Storms, referring to one vulnerability in DirectX's DirectShow and another in an ActiveX control exploitable through IE6 and IE7.

"In fact, it's difficult to guess what we'll see in the other [four updates], but in the end it probably won't matter much," Storms said. "What we need are the mitigations for the DirectX and ActiveX bugs."

Microsoft made clear that two of the three critical Windows fixes next week will address vulnerabilities it has acknowledged in a pair of recent security advisories. In itself, that's very unusual; normally, the advance notifications and any accompanying commentary don't specify which bugs will be patched. "It is unusual," said Storms. "But I'm not entirely surprised, because of the way that Microsoft has been more communicative about security."

"We will be addressing the issue ... concerning a vulnerability in DirectShow," Jerry Bryant, a spokesman for the Microsoft Security Research Center (MSRC), said in a blog post today.

Bryant was referring to a late-May warning in which Microsoft acknowledged that on-going attacks were targeting a flaw in the QuickTime parser within DirectShow. Microsoft was not able to produce a patch in time to meet the regular June update schedule.

Also on Tuesday's books is a fix for the more recent ActiveX bug that hackers have been using since early June to hijack increasing numbers of Windows XP PCs. According to the researchers who discovered the bug, Microsoft has had details of the vulnerability for more than 12 months, and attacks have been conducted since at least June 9.

Earlier today, Mike Reavey, a director at MSRC, confirmed that Microsoft has known of the bug since the early spring of 2008, but denied that the company knew of in-the-wild attacks until last week. "We were made aware of the attacks only the day before we released the advisory," Reavey said.

The fix for the ActiveX vulnerability won't be a patch per se, said Reavey, but will instead be an automatic update that will set a large number of "kill bits" to disable the flawed control. The fix, then, will be the same as the manual workaround that Microsoft published Monday along with its advisory.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.