
Microsoft Tackles 'Zero Day' Bugs With Six Patch Tuesday Fixes

By Damon Poeter, CRN
July 14, 2009    5:16 PM ET

Microsoft on Tuesday tackled nine vulnerabilities with six security bulletins, including patches for two "zero day" vulnerabilities confirmed to have attracted attacks in recent weeks.

"Addressing two zero day issues shows that Microsoft can turn things around pretty quickly," said Eric Schultze, CTO of Shavlik Technologies in St. Paul, Minn., a leading enterprise network security firm.

Schultze characterized July's "Patch Tuesday" release as "pretty much an average number for Microsoft to do for the month," though he noted that with three "critical" bulletins and three more rated "important," all six were in the upper half of the severity range.

The July security bulletins released by Redmond, Wash.-based Microsoft include:

-- MS09-029: A "critical" Microsoft Windows patch that addresses a pair of reported vulnerabilities in the operating system's Embedded OpenType (EOT) Font Engine. Schultze said the exploit was a previously unknown means of attacking computers through Web sites or e-mails bearing the compromised embedded fonts.

-- MS09-028: One of two vulnerabilities known publicly and being exploited "in the wild," this "critical" security update addresses a Microsoft DirectShow issue that allows attackers to remotely execute code on computers via a rigged QuickTime media file.

-- MS09-032: The last of the "critical" patches, this bulletin provides a fix for a Microsoft Video ActiveX Control that has been exploited in the wild. Microsoft had already issued a FixIt workaround that shut down the vulnerable control in ActiveX, Schultze said, and Tuesday's "cumulative killbit patch" is actually redundant for users who had already installed a June ActiveX patch and run the FixIt tool.

-- MS09-033: This "important" security bulletin concerning an elevation of privilege issue resolves a flaw with Microsoft Virtual PC and Microsoft Virtual Server that allows an attacker to take over a guest operating system. It appears to be a fairly standard-issue bug and not the major crippler to virtualized systems that security experts dread, Schultze said.

-- MS09-031: An "important" update, this patch fixes a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006 that allows an attacker to gain administrator privileges on an ISA server configured in a specific and, according to Microsoft, extremely rare way. Microsoft claims that "all the planets would have to align just right" for the bad guys to exploit this, said Schultze, who was briefed by the software giant ahead of its monthly security updates.

-- MS09-030: Microsoft's last security update deals with another remote code execution vulnerability involving potentially malicious Microsoft Office Publisher files. This patch is rated "important" by Microsoft and responds to a privately reported vulnerability.
