Six Security Fixes Expected on Patch Tuesday

• By Jabulani Leffall
• 07/10/09

This Tuesday, Microsoft is planning to roll out six fixes--three "critical" and three "important"--in its July security update.

The security issues expected to be addressed in this patch include four remote code execution (RCE) vulnerabilities and two elevation-of-privilege considerations. Affected programs range from Windows operating system components, to servers, to a fix for Microsoft Publisher.

"This is a critical month for Microsoft with published bug reports and attack code in the wild," noted Andrew Storms, director of security at nCircle.

Critical Patches
Critical patch No. 1 will be designed to stave off RCE exploits for all supported Windows OS versions.

The second critical item will be aimed at patching the DirectX multimedia control solution, a favorite complaint of security gadflies. This patch will affect DirectX versions 7.0, 8.1 and 9.0 running on systems using Windows XP, Windows 2000 and Windows Server 2003.

Microsoft has issued other security advisories about ActiveX in recent times. In May, Microsoft began an investigation of a DirectX bug in its DirectShow framework for multimedia files. In June, the company announced it was investigating a potential DirectX bug in Internet Explorer.

The final critical patch will be a Windows OS fix addressing RCE exploits. It's considered "critical" for Windows XP but "moderate" for Windows Server 2003.

Important Patches
First on the "important" list will be a virtualization fix--something to be seen more often, perhaps. It will be a patch to stop potential elevation-of-privilege attacks in Microsoft Virtual PC 2004 and Microsoft Virtual PC 2007 editions, as well as Microsoft Virtual Server 2005 R2 and Virtual Server 2005 R2 x64.

The next important patch will address Microsoft Internet Security and Acceleration Server 2006. ISA Server provides application-layer firewalling and protects Web servers. The server is being rolled up into Microsoft Forefront Threat Management Gateway, which Redmond calls a "comprehensive secure Web gateway solution" protecting client-side users from Web-based threats.

The third important item deals with 2007 Microsoft Office System Service Pack 1 in general, and Microsoft Office Publisher 2007 Service Pack 1 in particular. It is the rollout's fourth RCE exploit fix.

Depending on which components are included in Tuesday's announcement, July looks to be a reasonably busy month for IT pros. The entire slate of patches may require restarts.

As usual, those interested in nonsecurity updates may want to check out the monthly knowledgebase article. Microsoft has accompanied every security patch release with nonsecurity updates for more than a year now. Those items include a new Malicious Software Removal Tool and spam filter updates. Changes for Vista and Windows Server 2008 are also on tap via Windows Update, Microsoft Update and Windows Server Update Services.