The July Patch Tuesday release contains three updates addressing "critical" security vulnerabilities in Windows, according to an advance notification issued this week. Two of the bulletins address previously revealed issues that are being exploited in limited attacks: One is a vulnerability in DirectShow, the other is a bug in the Microsoft Video ActiveX control.
Many security experts predicted that websites hosting the exploit for the ActiveX flaw, which was revealed this week, would only continue to grow, meaning Microsoft had to act quickly.
"Our engineering team has been working around the clock to produce an update for the issue...and we believe that they will be able to release an update of appropriate quality for broad distribution that protects against the attacks," wrote Jerry Bryant, a Microsoft security program manager, on the company's Security Response Center blog. "As you know, this information may change between now and next Tuesday."
The vulnerability impacts Windows XP and Server 2003 users and is particularly dangerous because users can be infected simply by visiting a website.
"It requires no user intervention at all," Dmitriy Ayrapetov, product line manager at internet security firm SonicWALL, told SCMagazineUS.com. "Anywhere you can click on a web page in Internet Explorer, that's where they're vulnerable."
He said he wouldn't be surprised if hijacked social networking sites, such as Facebook and Twitter, soon are used to spread the malware.
So far, most of the compromised websites being used to serve up the attack -- experts estimate the number is somewhere in the thousands -- are based in China, researchers said.
Right now, the goal of the malware writers largely is to install World of Warcraft password-stealing trojans on victim machines, Roger Thompson, chief research officer at ant-virus firm AVG, told SCMagazineUS.com. However, the payload could become more malicious, and he expects many more sites to be hacked and seeded with the exploit to launch drive-by downloads.
Until the fix is released, users should apply an available workaround, which is to set the kill bit for the affected ActiveX control.
In addition to the three "critical" patches, Microsoft plans to push out three "important" fixes affecting Publisher, Internet Security and Acceleration Server, and Virtual PC and Virtual Server, according to the notification.
See original article on scmagazineus.com
DirectShow, ActiveX zero-days among planned Microsoft fixes
Microsoft is hoping it can pull off a quick turnaround for a fix of a zero-day ActiveX vulnerability that was only disclosed this week.
Got a news tip for our journalists? Share it with us anonymously here.
Partner Content
Unlock SMB Success with Microsoft Copilot
Partner Content
Australian organisations must act on security – or risk AI ambitions falling flat
.png&h=140&w=231&c=1&s=0)
Partner Content
Ransomware targets Australian SME false sense of security
Partner Content
Logicalis APAC CIO Report: The CIO’s 2025 Mandate
Sponsored Whitepapers
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
.png&w=120&c=1&s=0)
EDUtech AU
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
