Microsoft today fixed a serious, under-attack flaw in a video ActiveX control, along with other critical flaws involving QuickTime files and fonts. But a critical zero-day hole in another ActiveX control remains unpatched.
The most important fix in today's Patch Tuesday closes a hole disclosed eight days ago in the Microsoft Video ActiveX control. The flaw, which has been under active attack, is rated critical for Windows XP and moderate for Windows 2003. The MS09-032 patch disables the control (which has no legitimate use) to stymie potential attacks, but doesn't actually fix the underlying flaw.
Note: As of 2pm, Microsoft has not yet posted the individual bulletin links (for MS09-032, etc.). Until it does, those links will only bring you to the TechNet home page.
A second fix closes another under-attack hole involving the way Microsoft DirectShow processes QuickTime content. The MS09-028 patch closes three security bugs, disclosed in May, that can be triggered upon opening or even just previewing a poisoned QuickTime file. Windows XP, 2000 and Server 2003 are all affected, whether or not Apple's QuickTime is installed on the vulnerable PC. See the MS09-028 bulletin for more info.
Two critical vulnerabilities in the Microsoft Embedded OpenType Font Engine get closed with the third patch, MS09-029. While neither flaw is listed as under active attack, both get a dangerous "Consistent exploit code likely" rating in Microsoft's Exploitability Index. Windows 2000, XP, Server 2003, Vista and Server 2008 are all at risk.
Three other patches close holes rated important, rather than critical. A patch for Office 2007 closes a hole in Microsoft Office Publisher that could be attacked upon opening a malicious Publisher file (see MS09-030). Two others, for Virtual PC and Virtual Server (MS09-033) and for Microsoft Internet Security and Acceleration Server 2006 (MS09-031), close privilege escalation security flaws and are likely of most concern to IT types.
These fixes will arrive via Automatic Updates, and you can also retrieve them manually by running Microsoft Update. But keep in mind that one critical flaw reported just yesterday remains unfixed. The flaw, involving an Office-installed ActiveX control, allows for drive-by-download attacks, but can be mitigated by running a quick Fix-it download.