Browse And Get Owned Patch Coming Tuesday

Microsoft plans to fix a "browse-and-get-owned" vulnerability in its Video ActiveX Control (a flaw that can be triggered simply by viewing a malicious Web page in Internet Explorer, with no further user interaction) when it releases its software patches next week. The company acknowledged the vulnerability last week and is moving with uncharacteristic speed in issuing a fix for the problem. A second, similar vulnerability in Microsoft's DirectShow was disclosed in May. It too will be fixed with Tuesday's patches. According to Microsoft, both flaws affect older versions of Windows; Windows Vista and Windows Server 2008 are not affected.

In its advance notification for the July 14 security update, Microsoft said it plans to release six security bulletins on Tuesday. Three of these will be rated critical and affect Windows; one of the three also affects Windows Vista and Windows Server 2008. There will also be an important update for Publisher, an important update for Internet Security and Acceleration (ISA) Server, and an important update for Virtual PC and Virtual Server.

Microsoft is aware of limited attempts to exploit the DirectShow vulnerability, according to Jerry Bryant, senior security program manager at Microsoft. Trend Micro and Websense have found evidence that the ActiveX flaw is being actively exploited on Web sites in China. "Around 967 Chinese websites are reported to be infected by a malicious script that leads users to successive site redirections and lands them to download a .JPG file containing the exploit," wrote Roland Dela Paz, a Trend Micro security engineer, in a blog post.