Microsoft has released seven security bulletins to patch 11 vulnerabilities in Windows, Internet Explorer, Windows Media Player and other parts of the operating system. Two of the bugs are currently being exploited by attackers, Microsoft confirmed.
Of the seven updates, three are rated critical - the highest ranking Microsoft uses - while the other four are labeled important, the second-highest category in the company's four-step scoring system.
The three critical bulletins, which fix seven different flaws in DirectX, the Windows Media Format runtime used in Windows Media Player and Internet Explorer, should be patched at once, said security experts. "These are the worst kind of client-side vulnerabilities that one could wish for," said Andrew Storms, director of security operations at nCircle. "All three of them deal with rich multimedia content.
"Obviously, attackers have moved away from sending malware and toward drive-by attacks," Storms added.
Amol Sarwate, the manager of Qualys's vulnerability lab, echoed Storms in both his choice of patches to administer first and his reasoning. "The three bulletins marked critical [include vulnerabilities that] are of the type we've seen attackers use to target common desktop users, rather than trying to attack servers."
Sarwate got a bit more specific, however, in pinpointing the single-most dangerous bug patched Tuesday: MS07-069, the bulletin that addresses four vulnerabilities in IE6 and IE7, should be deployed first, he advised, because one of those flaws is already being exploited in the wild. "The DHTML zero-day is extremely important to patch," said Sarwate.
The three critical updates - MS07-064, MS07-068 and MS07-069 - plug holes in DirectX, Windows Media Format runtime and IE6 and IE7, respectively. Six of the seven vulnerabilities covered by those updates were pegged as critical for Windows Vista, which Microsoft has touted as it most secure ever.
MS07-064 quashes a pair of bugs in the DirectX handles several streaming video file formats; hackers could exploit the vulnerabilities by duping users into viewing rigged streaming media, said Microsoft.
"This is significant, because many applications - and Windows itself - use DirectX to deliver rich content," said Storms, noting that ".wav files, .avi files, and SAMI [Synchronised Accessible Media Interchange] files are all very popular and are used by tons and tons of Web sites." Users are accustomed to opening such formats, he added, making it even likelier that an attack file would pass muster.
MS07-068, Storms said, is "an almost exact duplicate," since it also involves a file format parsing bug, he said. Windows Media Format runtime, part of Windows Media Player and a component used by other parts of Windows to display content, doesn't properly deal with Advanced Systems Format (.asf) files, Microsoft's proprietary streaming media file format.
The IE6/IE7 update, MS07-069, fixes four flaws, all critical for Windows 2000, XP and Vista but pegged as moderate for Windows Server 2003. Three of the quartet are memory corruption bugs in the browsers, while the fourth is in IE's rendering of pages that include Dynamic HTML code. According to Microsoft, exploits leveraging the DHTML bug have been spotted, making the vulnerability a "zero-day."
The second zero-day plugged Tuesday was handled by MS07-067, which provides an update to the Macrovision Inc. driver that has been involved in attacks for more than a month. Although Macrovision issued a replacement driver for Windows XP and Server 2003 weeks ago, Microsoft missed including a fix for the driver in November's patch because it needed more time to prepare and test the update.
Also among Tuesday's patch batch were two bulletins - MS07-063 and MS07-066 - that affect only Windows Vista. Both updates were tagged as important rather than critical, even though Microsoft acknowledged that they could result in remote code execution.
"[These] are pretty nasty bugs, but there are enough mitigating factors to knock them off the top tier," said Storms. Both he and Sarwate noted that attackers have to have valid log-on credentials and must log on locally in order to exploit the bug patched by MS07-066, while the other Vista-only vulnerability's impact is limited because the affected part of the Server Message Block Version 2, or SMBv2, protocol isn't turned on by default.
But even with a glut of patches - the most Microsoft has issued since August - there was at least one fix missing, said Sarwate. "WPAD has not yet been addressed," he said, talking about a flaw in Web Proxy Auto-Discovery servers that Microsoft confirmed eight days ago.
The seven updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services (WSUS).