By Gregg Keizer
July 9, 2009 03:46 PM ET

Computerworld - Microsoft today said it would deliver six security updates next Tuesday, including two for holes that hackers have been using for months to attack Windows and Internet Explorer (IE).

Of the six updates previewed today in the advance notice, three will affect Windows, and one each will patch problems in Publisher, Internet Security and Acceleration Server (ISA) and Microsoft's Virtual PC and Virtual Server software. The Windows updates will be tagged "critical," Microsoft's highest threat ranking, while the others will be marked "important," the next rating down in the company's four-step scoring system.

The two aimed at a pair of zero-days -- vulnerabilities exploited before a patch is available -- are the top story, said Andrew Storms, director of security operations at nCircle Network Security. "What really trumps today are the [fixes for the] known bugs," said Storms, referring to one vulnerability in DirectX's DirectShow and another in an ActiveX control exploitable through IE6 and IE7.

"In fact, it's difficult to guess what we'll see in the other [four updates], but in the end it probably won't matter much," Storms said. "What we need are the mitigations for the DirectX and ActiveX bugs."

Microsoft made clear that two of the three critical Windows fixes next week will address vulnerabilities it has acknowledged in a pair of recent security advisories. In itself, that's very unusual; normally, the advance notifications and any accompanying commentary don't specify which bugs will be patched. "It is unusual," said Storms. "But I'm not entirely surprised, because of the way that Microsoft has been more communicative about security."

"We will be addressing the issue ... concerning a vulnerability in DirectShow," Jerry Bryant, a spokesman for the Microsoft Security Research Center (MSRC), said in a blog post today.

Bryant was referring to a late-May warning in which Microsoft acknowledged that on-going attacks were targeting a flaw in the QuickTime parser within DirectShow. Microsoft was not able to produce a patch in time to meet the regular June update schedule.

Relief for what ails you

By Dan Goodin in San Francisco

Microsoft on Tuesday plans to release updates patching three critical Windows security vulnerabilities, two of which are already under attack.

One of the updates plugs a hole in an Internet Explorer component that handles online video. Hundreds of thousands and possibly millions of websites - mostly catering to Chinese-speaking visitors - have been hijacked so that they secretly point to servers that exploit the critical vulnerability, creating what Microsoft has called a "browse-and-get-owned" experience for the people unfortunate enough to visit them.

"Our engineering teams have been working around the clock to produce an update for the issue discussed in Security Advisory 972890 (vulnerability in the Microsoft Video ActiveX Control) and we believe that they will be able to release an update of appropriate quality for broad distribution that protects against the attacks," Microsoft's Jerry Bryant writes here.

(Microsoft has already released a temporary fix for the bug. If you haven't installed it, you should do so now).

A second update will patch a critical vulnerability in DirectShow, the same media application related to the previously-discussed security bug. As reported in May, booby-trapped QuickTime files are being used to exploit the bug in "limited active attacks," Microsoft warns.

Both vulnerabilities affect only earlier versions of Windows. The Vista and 2008 versions of the operating system, which were developed under Microsoft's Secure Development Lifecycle, are not susceptible.

Microsoft provided few details about the third critical update, except to say that it affected all versions of Windows.

The details were released under a bulletin Microsoft releases on the Thursday before its Patch Tuesday, which falls on the second Tuesday of each month. The advance notice is designed to give IT employees who administer large numbers of PCs adequate time to prepare for the updates.

Tuesday's patch batch also includes updates fixing three vulnerabilities rated "important" in its Publisher app, Internet Security and Acceleration Server, and Virtual PC and Virtual Server.

The updates may or may not require machines to be rebooted, depending on whether certain DLL files are in use when the patch is applied. ®