Inside Microsoft’s July Security Patch Batch

By Eric Schultze
Microsoft released six security bulletins today — three rated Critical and three rated Important. Two of the issues are being actively exploited on the Internet and four of the issues are client-side vulnerabilities, which means the exploit can only occur if a user visits an evil website or opens a malformed document.

Today’s release is important because patches were released for two recent 0-day attacks – a QuickTime file parsing vulnerability and the recently announced Directshow vulnerability.  Both vulnerabilities are reported as being actively exploited on the Internet.

Microsoft Response on MsVidCtl Flaw Was Lacking

Microsoft has expended a massive amount of time, energy and money in the last few years to improve both the quality of its software and the speed and efficiency of its security response process. It has succeeded in large part on both counts, especially on the security and reliability of its products. But, as the company’s response to the privately disclosed MsVidCtl ActiveX vulnerability in Internet Explorer shows, Microsoft still has some ground to cover on the issue of timely response.

The Microsoft MsVidCtl Video Control Flaw Explained

From Websense Security Labs
The recently publicized Zero-Day Vulnerability in Microsoft DirectShow is in the wild and spreads through infection of thousands of legitimate Web sites. The proof-of-concept of the vulnerability is out and exploitation is very easy to achieve. In our labs we have been tracking the spread of this new zero day—the first compromised domains mainly originating in China. Read the full story [Websense].

Microsoft’s July Patch Tuesday release will include a fix for the DirectShow vulnerability that was revealed in May, and the software giant said it likely will also have a patch available for a related flaw in the MsVidCtl ActiveX control that became public earlier this week and has been under active attack. The company said it has been working on a patch for the second vulnerability all week and believes that the fix should be ready for release July 15.

By Georg Wicherski, Kaspersky Lab Germany

As you’ve probably already heard, there’s a dangerous vulnerability in Internet Explorer 6 & Internet Explorer 7 being exploited in the wild. The vulnerability affects Windows XP Service Pack 0 to Service Pack 2. Microsoft hasn’t released a patch yet, but they have provided a work-around. Some people have simply recommended turning off JavaScript to mitigate this issue. However this vulnerability is a trivial buffer overflow which makes it possible to overwrite the SEH handler. Thus, heap spraying is not required and turning off JavaScript only mitigates attacks from less skilled attackers.

On May 28, our colleagues at The Microsoft Security Response Center released advisory 971778 which elaborated on a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003. You can obtain more details on how to protect your environment from this vulnerability from the Microsoft SRD blog.
We have been closely monitoring the malware landscape for threats related to leveraging exploits against this new vulnerability. We subsequently developed and released a generic detection for malformed media files, Exploit:Win32/CVE-2009-1537, based on MAPP information provided to us. Also, we have developed detections for the known malicious web pages, as Exploit:JS/Mult.BM or Trojan:HTML/Redirector.I. Our security products, such as Windows Live OneCare, Microsoft Security Essentials, and Forefront Client Security can block access to these malformed media files with signature definition update version 1.59.798 or higher. Read the full story [Microsoft Malware Protection Center].

In the first episode of the Threatpost Daily News Wrap podcast, Threatpost editors Ryan Naraine and Dennis Fisher discuss President Obama’s cybersecurity plan and the Microsoft DirectShow vulnerability.

From PC Mag (Larry Seltzer)
Microsoft has made much of the security advances in their recent products but some people ask why these are not incorporated into their earlier products. The basic answer is that it usually would come at a cost that users aren’t willing to pay in a software patch, but may be willing in a new product generation.
Yesterday’s revelation of a flaw in DirectShow in Windows XP and other older Windows versions is a perfect example. Windows Vista, Windows Server 2008 and Windows 7 were all not vulnerable. Why? Because the DirectShow code in XP had largely been replaced with the new Windows Media Foundation, developed using the company’s SDL (Security Development Lifecycle), a series of development rules designed to decrease the number of vulnerabilities in code and to limit the impact of those that remain. Read the full story []
