Seven security bulletins that patch 11 vulnerabilities in Windows, Internet Explorer, Windows Media Player and other parts of the operating system are now available following Microsoft's monthly Patch Tuesday update. Two of the bugs are currently being exploited by attackers, Microsoft confirmed.
Of the seven updates, three are rated 'critical' - the highest ranking Microsoft uses - while the other four are labelled 'important', the second-highest category in the company's four-step scoring system.
The three critical bulletins, which fix seven different flaws in DirectX, the Windows Media Format runtime used in Windows Media Player and Internet Explorer, should be patched immediately, a pair of security experts said on Tuesday. "These are the worst kind of client-side vulnerabilities that one could wish for," said Andrew Storms, director of security operations at nCircle. "All three of them deal with rich multimedia content.
"Obviously, attackers have moved away from sending malware and toward drive-by attacks," Storms added.
Amol Sarwate, the manager of Qualys' vulnerability lab, echoed Storms in both his choice of patches to administer first and his reasoning. "The three bulletins marked critical [include vulnerabilities that] are of the type we've seen attackers use to target common desktop users, rather than trying to attack servers."
Sarwate got a bit more specific, however, in pinpointing the single-most dangerous bug patched on Tuesday: MS07-069, the bulletin that addresses four vulnerabilities in Internet Explorer (IE) 6.0 and IE 7.0, should be deployed first, he advised, because one of those flaws is already being exploited in the wild. "The DHTML zero-day is extremely important to patch," said Sarwate.
The three critical updates - MS07-064, MS07-068 and MS07-069 - plug holes in DirectX, Windows Media Format runtime and IE 6.0 and IE 7.0, respectively. Six of the seven vulnerabilities covered by those updates were pegged as critical for Windows Vista, which Microsoft has touted as it most secure ever.
MS07-064 quashes a pair of bugs in the DirectX handles several streaming video file formats; hackers could exploit the vulnerabilities by duping users into viewing rigged streaming media, said Microsoft.
"This is significant, because many applications - and Windows itself - use DirectX to deliver rich content," said Storms, noting that ".wav files, .avi files, and SAMI [Synchronized Accessible Media Interchange] files are all very popular and are used by tons and tons of websites." Users are accustomed to opening such formats, he added, making it even likelier that an attack file would pass muster.