Microsoft plugs critical DirectShow, Video ActiveX holes

Microsoft on Tuesday issued patches to fix critical vulnerabilities in DirectShow and Video ActiveX that have been targeted in attacks, as well as fixes for holes in Embedded OpenType Font Engine and Microsoft Publisher that could allow someone to remotely take control of the PC.

Overall, the six "Patch Tuesday" updates fix nine vulnerabilities in Windows, Microsoft Office, Internet Security and Acceleration Server, Virtual PC, and Virtual Server.

The three DirectShow vulnerabilities could allow an attacker to remotely run code on the machine if a user opened a specially crafted QuickTime file. Microsoft warned of exploits against one of the holes in May.

The fix for the ActiveX control addresses a vulnerability that could allow remote code execution if someone viewed a malicious Web page via Internet Explorer using the ActiveX control. Microsoft offered a workaround for the hole last week.

Affected software for the critical updates is Windows 2000, Windows XP, Windows Vista, and Windows Server 2003 and 2008. The versions of Direct X affected are DirectX 7.0, 8.1, and 9.0.

The noncritical updates, rated "important," affect 2007 Microsoft Office System Service Pack 1, Microsoft Internet Security and Acceleration Server 2006, Microsoft Virtual PC 2004 and 2007, and Microsoft Virtual Server 2005 R2.

In addition, Microsoft updated its Malicious Software Removal Tool (downloadable here) to remove the Win32/FakeSpypro rogue security program designed to trick people into paying for alleged security software they don't need.

Meanwhile, a comprehensive update for the Office Web Components vulnerability affecting Excel, which the company said on Monday was being exploited in attacks, was not yet ready for broad distribution, according to Microsoft. The company is urging customers to apply the automatic "Fix It" workaround, provided in Knowledge Base Article 973472.