Jul 13 2009
July 14th is “Patch Tuesday,” the day each month when Microsoft issues patches for Windows and other Microsoft products. (It also happens to fall on Bastille Day this year.)
Two of the three critical patches released this month are very high priority because they are already being exploited in the wild. Both deal with ActiveX-related video handling in Internet Explorer. One of them permits “drive-by” infection of a visitor viewing an infected web page. The other works by tricking people into viewing a malformed QuickTime video. These vulnerabilities affect users running Internet Explorer under Windows XP, but not under Vista or Windows 7. Microsoft is less forthcoming about the third critical patch but, word is, it impacts all Windows versions.
Bottom line: When Windows Update offers you these critical updates, you should install them. Immediately.
Updates and clarifications . . .
If you are riding herd on any Windows-based servers, Internet Explorer running under Windows Server 2003 is vulnerable to the ActiveX exploits mentioned above; the Server 2008 environment is safe.
And, just to make myself perfectly clear, you have to be running Internet Explorer directly to be affected by these issues. Although other applications — the Outlook email client, for instance — use Internet Explorer components to view web content, they do so in a more restricted environment that blocks ActiveX exploits.