Microsoft said on Thursday that it will issue six security updates on Patch Tuesday next week, including a critical one that will fix two outstanding holes in DirectX that have been targeted in attacks.
In May, Microsoft announced that there had been attacks against a DirectX vulnerability that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.
Earlier this week, Microsoft warned of attacks being launched that exploit a hole in the Video ActiveX Control when used in Internet Explorer for recording and playing video in DirectShow. Microsoft offered a workaround on Monday for that hole, which reportedly it had known about since last year.
The ActiveX control vulnerability was likely independently rediscovered by malicious hackers or leaked through the Microsoft Active Protection Program which the company uses to share early security information with third-party vendors, according to a statement from security firm Rapid7.
Asked for comment, a Microsoft spokeswoman provided a statement that said: "Microsoft received the original, private report from Ryan Smith and Alex Wheeler with IBM ISS X-Force in the early Spring of 2008. The company did not share any information with MAPP partners about the reported Video ActiveX Control vulnerability until immediately before the advisory posting on Monday."
The critical vulnerabilities affecting various Windows versions all could allow an attacker to run code remotely, while one of the non-critical holes involving Virtual PC and Virtual Server would allow remote code execution and the other non-critical holes could allow elevation of privilege.
Affected software for the critical updates is Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and 2008. The versions of Direct X affected are DirectX 7.0, 8.1 and 9.0.
The non-critical updates affect 2007 Microsoft Office System Service Pack 1, Microsoft Internet Security and Acceleration Server 2006, Microsoft Virtual PC 2004 and 2007, and Microsoft Virtual Server 2005 R2.
Updated 1:55 p.m. PDT with Microsoft comment.