Microsoft closed the zero-day vulnerability under attack for the past month as part of its monthly Patch Tuesday release.
The company released nine security bulletins addressing 16 vulnerabilities, of which three were critical, according to its July Patch Tuesday advisory. The remaining six were rated “important.”
All three critical patches address issues where a victim could suffer an exploit if they visit malicious Web pages, said Marcus Carey, a security researcher at Rapid7. Two of the important patches fixed bugs that could be vulnerable to spear phishing attacks, Carey said.
The zero-day vulnerability in Microsoft Core XML (MS12-043) disclosed in early June was undergoing active exploitation. The latest security update only fixed the heap overflow issue in MSXML versions 3, 4, and 6. Organizations running version 5, which corresponds to Office 2003 and 2007, should make sure to apply the interim FixIt measures until a future update is available. Microsoft has not seen active exploits for the other two critical vulnerabilities, but officials predicted reliable exploit code could be out there within 30 days.
The cumulative security update for Internet Explorer (MS12-044) patched two remote code execution vulnerabilities that only affected Internet Explorer 9. Since earlier versions did not suffer from the vulnerability, it looks like the bugs came in with the new code in version 9. The other critical bulletin (MS12-045) fixed issues in Microsoft Data Access Components (MDAC). The vulnerability could compromise any Web application using MDAC if the user visits a malicious URL, Carey said.
Exploits targeting these vulnerabilities will likely soon appear in crimeware kits, Carey