Two of the three critical patches released this month are very high priority because they are already being exploited in the wild. Both deal with ActiveX-related video handling in Internet Explorer. One of them permits “drive-by” infection of a visitor viewing an infected web page. The other works by tricking people into viewing a malformed QuickTime video. These vulnerabilities affect users running Internet Explorer under Windows XP, but not Vista and Windows 7. Microsoft is less forthcoming about the third critical patch but, word is, it impacts all Windows versions.

Bottom line: When Windows Update offers you these critical updates, you should install them. Immediately.

Updates and clarifications . . .

If you are riding herd on any Windows-based servers, Internet Explorer running under Windows Server 2003 is vulnerable to the ActiveX exploits mentioned above; the Server 2008 environment is safe.

And, just to make myself perfectly clear, you have to be running Internet Explorer directly to be affected by these issues. Although other applications — the Outlook email client, for instance — use Internet Explorer components to view web content, they do so in a more restricted environment that blocks ActiveX exploits.

The sole Microsoft patch fixes a “critical” flaw in PowerPoint. “Critical” means it’s a big deal. In this case, opening a maliciously crafted PowerPoint presentation could allow an attacker to execute code remotely on a victim’s computer. All versions of PowerPoint released in the past 10 years are vulnerable to this one.

Adobe is patching Reader/Acrobat to fix yet another problem associated with embedded JavaScript. This issue, as well as a work-around, was discussed in an earlier post here.

You can safely assume that the bad guys, knowing that people are often sloppy about security updates, will try to take advantage of both vulnerabilities. The Adobe Reader bug will likely be the primary target. Almost everyone has Adobe Reader installed on their computer and most folks are used to encountering PDF files on web sites.

Be careful out there.

It’s generally a good idea not to let security updates slide for very long. Once the word is out, the bad guys try to reverse-engineer the patches. If they find anything particularly juicy, they take advantage of the fact that many people are remiss about applying the patches. For instance, the primary mode of infection used by the currently infamous Conficker worm is a vulnerability that was fixed several months ago.

A little side-note: April 14, 2009 is also the day Windows XP goes on “extended support.”