plans to fix a "browse-and-get-owned" vulnerability in its Video ActiveX Control when it releases software patches next week. The company acknowledged the vulnerability last week and is moving with uncharacteristic speed in issuing a fix. A second, similar vulnerability in Microsoft's DirectShow was disclosed in May; it too will be fixed with Tuesday's patches. According to Microsoft, both flaws affect older versions of Windows; Windows Vista and Windows Server 2008 users are not affected.
In an advance summary of its upcoming July 14 security release, Microsoft said it plans to publish six security bulletins on Tuesday. Three of these will be rated critical and cover Windows; one of them affects Windows Vista and Windows Server 2008. There will also be an important update for Publisher, an important update for Internet Security and Acceleration (ISA) Server, and an important update for Virtual PC and Virtual Server.
According to Jerry Bryant, senior security program manager at Microsoft, the company is aware of limited attempts to exploit the DirectShow vulnerability. Trend Micro and Websense have found evidence that the ActiveX flaw is being actively exploited on Web sites in China. "Around 967 Chinese websites are reported to be infected by a malicious script that leads users to successive site redirections and lands them to download a .JPG file containing the exploit," wrote Roland Dela Paz, a Trend Micro security engineer, in a blog post.
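The redirection chain described above ends in a file served with a .JPG extension that actually carries the exploit, a pattern that a simple content check can catch regardless of which control or codec it targets. The following is an added example, not code from the article, Trend Micro or Microsoft: it flags downloads whose name claims to be a JPEG but whose bytes lack the JPEG Start-Of-Image magic, and it reports HTML or script markers found inside such a file. The sample payloads, the marker list and the filenames are constructed for this illustration.

```python
# Added example: flag "image" downloads that are not images.
# Everything below (samples, marker list, filenames) is constructed
# for illustration; nothing is taken from the article's sources.

JPEG_SOI = b"\xff\xd8\xff"  # JPEG files begin with the Start-Of-Image marker
IMAGE_EXTENSIONS = ("jpg", "jpeg")

# Substrings that have no business inside an image body. Constructed
# list; a real deployment would tune this to its own traffic.
SCRIPT_MARKERS = (b"<script", b"<object", b"<html", b"javascript:", b"unescape(")


def looks_like_jpeg(data: bytes) -> bool:
    """True if the payload starts with the JPEG SOI marker."""
    return data.startswith(JPEG_SOI)


def find_script_markers(data: bytes) -> list:
    """Return the markup/script markers present in the payload (case-insensitive)."""
    lower = data.lower()
    return [m.decode() for m in SCRIPT_MARKERS if m in lower]


def classify_download(name: str, data: bytes) -> dict:
    """Judge a (filename, body) pair fetched at the end of a redirect chain.

    Only files that claim an image extension are examined; the check is
    extension-versus-content, so ordinary HTML pages are out of scope here.
    """
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    reasons = []
    if ext in IMAGE_EXTENSIONS:
        if not looks_like_jpeg(data):
            reasons.append("extension says JPEG but body lacks FFD8FF magic")
        markers = find_script_markers(data)
        if markers:
            reasons.append("script/markup inside supposed image: " + ", ".join(markers))
    return {"name": name, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a genuine JPEG header, a fake .jpg carrying a script,
# and the redirecting page itself (not an image, so not judged).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00",
    "banner.jpg": b"<html><body><script>var s=unescape('%u9090');</script></body></html>",
    "index.html": b"<html><script>window.location='http://example.invalid/banner.jpg'</script></html>",
}


def scan_samples(samples=SAMPLES) -> list:
    """Classify every constructed sample and return the verdicts in order."""
    return [classify_download(name, body) for name, body in samples.items()]


if __name__ == "__main__":
    for verdict in scan_samples():
        print(verdict["name"], "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The magic-byte test alone already separates the two .jpg samples; the marker scan adds a second, independent signal so that a file which happens to begin with a JPEG header but embeds markup later is still surfaced.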