Microsoft’s July Patch Tuesday release will include a fix for the DirectShow vulnerability that was revealed in May, and the software giant said it likely will also have a patch available for a related flaw in the MsVidCtl ActiveX control that became public earlier this week and has been under active attack. The company said it has been working on a patch for the second vulnerability all week and believes that the fix should be ready for release July 15.
Microsoft said in its advance notification for July’s Patch Tuesday that “our engineering teams have been working around the clock to produce an update for the issue discussed in Security Advisory 972890 (vulnerability in the Microsoft Video ActiveX Control) and we believe that they will be able to release an update of appropriate quality for broad distribution that protects against the attacks…”
The latest video control vulnerability has been at the center of a lot of conversations in the security community this week, as it has been linked to a mass attack on legitimate Web sites that is pushing malware onto visitors’ machines. The attacks have been exploiting the vulnerability, which affects users running Windows XP and Windows Server 2003. Microsoft said this week that it has known about the flaw for more than a year, which was originally discovered by researcher Ryan Smith, who was with IBM ISS at the time. Smith and Mark Dowd are planning to discuss the details of the vulnerability at the Black Hat conference later this month.
The long delay in releasing a patch for the vulnerability has led researchers and other industry observers to question Microsoft’s actions on the issue. The company did take steps to ensure that Internet Explorer 8, the latest version of its browser, was not vulnerable. Windows Vista is protected against attacks, as well.