Microsoft releases 6 security updates

Another Patch Tuesday and Microsoft comes out with security updates for ActiveX, DirectX, ISA Server 2006, Office Publisher, Virtual PC, Virtual Server and Windows. Two of the issues are being actively exploited on the Internet and four of the issues are client-side vulnerabilities, which means the exploit can only occur if a user visits an evil website or opens a malformed document.

Eric Schultze, CTO, Shavlik Technologies comments:

Today’s release is important because patches were released for two recent 0-day attacks – a QuickTime file parsing vulnerability and the recently announced Directshow vulnerability. Both vulnerabilities are reported as being actively exploited on the Internet. While Microsoft has announced workarounds and/or provided Fixit tools for each of these issues, today’s patches will be welcomed by network administrators who have been tasked with remediating these issues.

Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution
This security update resolves two privately reported vulnerabilities in the Microsoft Windows component, Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution
This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Cumulative Security Update of ActiveX Kill Bits
This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege
This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege
This security update resolves a privately reported vulnerability in ISA Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account for an ISA server that is configured for Radius One Time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation.

Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.