Woody Leonhard’s no-bull news, tips and help for Windows and Office
  • July 2009 Black Tuesday – and another 0day in IE

    Posted on July 16th, 2009 at 19:16 by woody

    July’s Black Tuesday has come and gone, with Microsoft releasing six security bulletins covering nine separate “CVE” numbered security holes.

    MS09-028 / KB 971633 patches the 0day hole in DirectShow that I talked about a few weeks ago. If you use Firefox, as I explained back then, you’re already covered.

    MS09-029 / KB 961371 patches a security hole in the OpenType interpreter. No known exploits.

    MS09-030 / KB 969516 fixes Microsoft Publisher. No known exploits.

    MS09-031 / KB 970953 only affects ISA Server, so you probably aren’t at risk.

    MS09-032 / KB 973346 is yet another ActiveX killbit rollup that, inter alia, fixes the Internet Explorer Video ActiveX control 0day hole I talked about last week. It’s another messy bunch of ActiveX zappers, most of which aren’t necessary if you use Firefox or Chrome. Note that, in spite of what you might’ve read on the Microsoft site, this rollup does NOT include a patch for the Excel ActiveX 0day problem described in KB 973472. If you want to avoid that ActiveX 0day, you should use Firefox. Is there an echo in here?

    MS09-033 / KB 969856 only affects Virtual PC.

    If you use Firefox, you don’t need to be overly concerned about any of the patches yet. I shudder to think how many programs will get killed by the new ActiveX killbit rollup. (Remember that Firefox doesn’t use ActiveX – nor does Chrome – only Internet Explorer.)

    I’m putting us up to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    Let’s see who starts screaming the loudest.