Microsoft on Tuesday issued patches to fix critical vulnerabilities in DirectShow and Video ActiveX that have been targeted in attacks, as well as fixes for holes in Embedded OpenType Font Engine and Microsoft Publisher that could allow someone to remotely take control of the PC.
Overall, the six 'Patch Tuesday' updates fix nine vulnerabilities in Windows, Microsoft Office, Internet Security and Acceleration Server, Virtual PC and Virtual Server.
The three DirectShow vulnerabilities could allow an attacker to remotely run code on the machine if a user opened a specially crafted QuickTime file. Microsoft warned of exploits against one of the holes in May.
The fix for the ActiveX control addresses a vulnerability that could allow remote code execution if someone viewed a malicious web page via Internet Explorer using the ActiveX control. Microsoft offered a workaround for the hole last week.
Affected software for the critical updates is Windows 2000, Windows XP, Windows Vista, and Windows Server 2003 and 2008. The versions of Direct X affected are DirectX 7.0, 8.1 and 9.0.
The non-critical updates, rated 'important', affect 2007 Microsoft Office System Service Pack 1, Microsoft Internet Security and Acceleration Server 2006, Microsoft Virtual PC 2004 and 2007, and Microsoft Virtual Server 2005 R2.
In addition, Microsoft updated its Malicious Software Removal Tool to remove the Win32/FakeSpypro rogue security program designed to trick people into paying for alleged security software they do not need.
Meanwhile, a comprehensive update for the Office Web Components vulnerability affecting Excel, which the company said on Monday was being exploited in attacks, was not yet ready for broad distribution, according to Microsoft. The company is urging customers to apply the automatic 'Fix It' workaround, provided in Knowledge Base Article 973472.
Talkback
What they really need to do with ActiveX is to set a date, preferably yesterday, that beyond that date no new ActiveX controls will be allowed.
Imagine MS first put together a list (as short as possible) of allowed ActiveX controls, and then UPDATED Windows and IE ( sometime "by yesterday") to no longer accept any new variety of ActiveX controls of any sort.
ActiveX controls == "Open Hole Controls" (More or less).
Get shot of any new attacks from it by stopping all new ones and later, as problems may arise with old approved ones, stop them too.
ActiveX controls mostly just ruin Windows reputation.
It doesn't actually ruin their reputation, it just re- enforces it more strongly.
ActiveX has always been a security problem, and it is time for it to go away, quit using it, outlaw it, anything to prevent programmers use, and employment on a customer base.