Microsoft promises to stymie hackers next week with new patches

Takes unusual step of confirming fixes for bugs currently under attack

Microsoft today said it would deliver six security updates next Tuesday, including two for holes that hackers have been using for months to attack Windows and Internet Explorer (IE).

Of the six updates previewed today in the advance notice, three will affect Windows, and one each will patch problems in Publisher, Internet Security and Acceleration Server (ISA) and Microsoft's Virtual PC and Virtual Server software. The Windows updates will be tagged "critical," Microsoft's highest threat ranking, while the others will be marked "important," the next rating down in the company's four-step scoring system.

The two aimed at a pair of zero-days -- vulnerabilities exploited before a patch is available -- are the top story, said Andrew Storms, director of security operations at nCircle Network Security. "What really trumps today are the [fixes for the] known bugs," said Storms, referring to one vulnerability in DirectX's DirectShow and another in an ActiveX control exploitable through IE6 and IE7.

"In fact, it's difficult to guess what we'll see in the other [four updates], but in the end it probably won't matter much," Storms said. "What we need are the mitigations for the DirectX and ActiveX bugs."

Microsoft made clear that two of the three critical Windows fixes next week will address vulnerabilities it has acknowledged in a pair of recent security advisories. In itself, that's very unusual; normally, the advance notifications and any accompanying commentary don't specify which bugs will be patched. "It is unusual," said Storms. "But I'm not entirely surprised, because of the way that Microsoft has been more communicative about security."

"We will be addressing the issue ... concerning a vulnerability in DirectShow," Jerry Bryant, a spokesman for the Microsoft Security Research Center (MSRC), said in a blog post today.

Bryant was referring to a late-May warning in which Microsoft acknowledged that on-going attacks were targeting a flaw in the QuickTime parser within DirectShow. Microsoft was not able to produce a patch in time to meet the regular June update schedule.

Also on Tuesday's books is a fix for the more recent ActiveX bug that hackers have been using since early June to hijack increasing numbers of Windows XP PCs. According to the researchers who discovered the bug, Microsoft has had details of the vulnerability for more than 12 months, and attacks have been conducted since at least June 9.

Earlier today, Mike Reavey, a director at MSRC, confirmed that Microsoft has known of the bug since the early spring of 2008, but denied that the company knew of in-the-wild attacks until last week. "We were made aware of the attacks only the day before we released the advisory," Reavey said.

The fix for the ActiveX vulnerability won't be a patch per se, said Reavey, but will instead be an automatic update that will set a large number of "kill bits" to disable the flawed control. The fix, then, will be the same as the manual workaround that Microsoft published Monday along with its advisory.

"This will block all known attacks," promised Reavey, who added that Microsoft will continue its work on a full-fledged patch, which will be released at some point in the future. He declined to say whether that patch would be delivered "out-of-cycle" -- outside the normal monthly update schedule -- when it is ready.

Knowing exactly what will be fixed is an added bonus for users, argued Storms, again pointing out how unusual it is for Microsoft to confirm patches in today's advance warning. "Knowing that that patch is coming out Tuesday, enterprises may halt their current efforts to deploy the workaround and just wait for the automatic update," he said.

"The rest of the updates are a smorgasbord, if you will," Storms said, when asked to describe the other four updates slated for delivery on Tuesday. "For the most part, it looks like we're back to the historical trend, where newer products have fewer risks."

But the big news is the fixes for the two zero-days, he repeated. "Everyone should be glad to see them," he said.

Microsoft will release the six updates at approximately 1 p.m. ET on July 14.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftInternet Explorer

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?