Microsoft issued six updates for its software on Tuesday, its regularly scheduled patch day, fixing three vulnerabilities in its DirectX multimedia libraries and another two issues in the way its operating system handles OpenType fonts.
The software giant also fixed a flawed ActiveX component that is currently being used by online criminals to compromise the systems of unwary users, but left a more recent issue unpatched. The issue, a flaw in the way Microsoft's Office Web Components handles data, is currently being used by attackers to compromise systems, Dave Marcus, director of security research and communications for McAfee's AVERT Labs, said in a statement.
"Despite today's fixes, Windows users continue to be attacked," Marcus said. "The attacks involve booby-trapped Web sites that load malicious code onto a vulnerable computer. The compromised PCs are commandeered and join a botnet, a network of hijacked computers."
On Monday, Microsoft issued a security advisory for the flaw in Office Web Components, stating that the vulnerability could be used in a "browse and get owned" scenario. Last week, the company had revealed that similar attacks were taking advantage of a flawed ActiveX control. That issue was fixed in the latest set of patches.
With its Tuesday patches, Microsoft also closed holes in its ISA Server software, Office Publisher application, and its virtual machine program, Virtual PC.
Posted by: Robert Lemos