July Microsoft Security Bulletins Include Vulnerabilities Affecting Windows, Office, Publisher, and Other Microsoft Products. Immediate Action Required.

Wednesday, July 15, 2009

Microsoft Corporation released a special security bulletin with information on a critical security vulnerability affecting Office 2003 and Office 2003 web components and announced that a patch is not yet available to correct this problem. Until a patch is released, Microsoft has provided a workaround. CSSD recommends that users immediately implement this workaround by visiting Microsoft's Web site at http://support.microsoft.com/kb/973472 and clicking the "Fix It" icon under "Enable workaround".

Microsoft also released its monthly security bulletins for July with information on several new security vulnerabilities affecting various products, including the Video ActiveX Control, DirectShow, Publisher, and the Windows Embedded OpenType Font Engine. These vulnerabilities could allow personal computers and file servers running Microsoft Windows to be compromised.

When Microsoft releases a patch to address the vulnerability affecting Office 2003 and Office 2003 web components, it will be made available through the Pitt Software Update Service. Patches are now available on the Pitt Software Update Service for the vulnerabilities described in the July security bulletins. Details on those vulnerabilities follow.

  • Microsoft Security Bulletin MS09-028 describes three vulnerabilities in Microsoft DirectShow for Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted QuickTime media file.
  • Microsoft Security Bulletin MS09-029 describes two vulnerabilities in the Embedded OpenType (EOT) Font Engine, a Microsoft Windows component. An attacker who successfully exploits these vulnerabilities could take complete control of an affected system.
  • Microsoft Security Bulletin MS09-032 describes a vulnerability in Microsoft Video ActiveX Control. This vulnerability could allow remote code execution if a user using Internet Explorer views a specially crafted Web page that uses the ActiveX control.

In addition, CSSD recommends that all users identify and install the following security update that Microsoft rates as important.

  • Microsoft Security Bulletin MS09-030 describes a vulnerability in Microsoft Publisher. This vulnerability could allow an attacker to take complete control of an affected system if a user opens a specially crafted Publisher file.

All Microsoft Windows users are strongly urged to use the Pitt Software Update Service to automatically download and install the latest Microsoft security updates and service packs as soon as they become available.

CSSD also recommends that all users install Symantec AntiVirus software and use the LiveUpdate feature to get the latest virus definitions. Symantec AntiVirus is available at no cost to students, faculty, staff, and departments from CSSD Software Licensing Services, 105 Bellefield Hall, and can also be downloaded from software.pitt.edu.

Please contact the Technology Help Desk at 412 624-HELP [4357] if you have any questions regarding this announcement.

