Microsoft patches ActiveX flaw


Microsoft has released six fixes for nine flaws, including three critical ones in Windows.

The three Windows patches fix three DirectShow flaws, two for the OpenType Font engine, and one major one in the ActiveX control in Internet Explorer.

"All three of those also have an exploitability Index rating of "1" which means that we believe that consistent exploit code in the wild is highly likely within the first 30 days," said Microsoft security researcher Jerry Bryant in a blog post, noting two are already under active attack.

"We're glad to see Microsoft addressed the zero-day vulnerability in its video ActiveX control, even if it is not in the form of an actual patch," said Ben Greenbaum, senior research manager, Symantec Security Response.

"The flaw was already being exploited in Asia. There was potential for this to become a bigger problem for users if left unaddressed by Microsoft," he added. "In the meantime, the update that disables the vulnerable controls should help."

The other three bulletins are rated important, despite also being set for exploit. They affect Publisher, ISA Server and Virtual PC Server. A flaw was also found in Virtual PC, but it is less likely to be immediately exploited.

The zero-day flaw in Microsoft Office that could leave users open to attack, announced on Monday, remains unpatched by this latest Patch Tuesday cycle. In the meantime, Microsoft has produced a workaround.