Tuesday, July 21, 2009

Microsoft fixes 9 vulnerabilities, but leaves one open to attack

On Tuesday, July 14th, as part of its monthly patch procedure, Microsoft released 6 new bulletins, repairing 9 security vulnerabilities. While the patches addressed two of the "zero-day" vulnerabilities -- in Microsoft's DirectShow and Video ActiveX Control -- they left a third vulnerability open to attack.

The bulletins fixed vulnerabilities in Windows, Microsoft Office, Virtual PC and Virtual Server and the Internet Security and Acceleration (ISA) server.

Of the 6 bulletins, 3 were rated critical, while the remaining bulletins were marked as important. 8 of the 9 vulnerabilities were at the top of Windows' Exploitability Index, meaning that a hacker could consistently exploit those vulnerabilities.

While the patch fixed the vulnerability in Microsoft Video's ActiveX Control -- which allowed remote code execution when using Internet Explorer -- no correction was made for the vulnerability in the Office Web Components that allows hackers to gain user rights on a computer.

To prevent exploitation, Microsoft suggests users keep the Office Web Components Library from running in Internet Explorer. Users can use Microsoft's "Fix it" to disable Office Web Components, or they can fix it themselves by configuring the kill bit for the control in the registry.
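As an added example (not from Microsoft or the original post), the script below builds the .reg text that sets a kill bit and audits a registry export to confirm it took effect in both registry views. The CLSIDs are constructed placeholders, the function names are hypothetical, and the export is assumed to be already decoded to text (`reg export` writes UTF-16).

```python
import re

KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE loading the control
COMPAT_KEYS = (  # native view, then the 32-bit view read by 32-bit IE on 64-bit Windows
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility",
)
# Constructed placeholder CLSIDs; take the real ones from Microsoft's advisory.
CLSIDS = ["00000000-0000-0000-0000-00000000AAAA", "00000000-0000-0000-0000-00000000BBBB"]

def killbit_reg(clsids):
    """Build .reg text that sets the kill bit for every CLSID in both views."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for base in COMPAT_KEYS:
        for clsid in clsids:
            out += [f"[{base}\\{{{clsid}}}]",
                    f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\r\n".join(out)

def audit_export(reg_text, clsids):
    """Map each CLSID to the keys where its kill bit is absent in decoded .reg text."""
    flags, key = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        m = re.match(r'"Compatibility Flags"=dword:([0-9a-f]{8})$', line, re.I)
        if m and key:
            flags[key] = int(m.group(1), 16)
    gaps = {}
    for clsid in clsids:
        unset = [b for b in COMPAT_KEYS
                 if not flags.get(f"{b}\\{{{clsid}}}".lower(), 0) & KILL_BIT]
        if unset:
            gaps[clsid] = unset
    return gaps

# Constructed export: first control killed in the native view only, second has
# another flag value without the kill bit.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{COMPAT_KEYS[0]}\\{{{CLSIDS[0]}}}]", '"Compatibility Flags"=dword:00000400', "",
    f"[{COMPAT_KEYS[0]}\\{{{CLSIDS[1]}}}]", '"Compatibility Flags"=dword:00000020', "",
])

if __name__ == "__main__":
    for clsid, keys in audit_export(SAMPLE_EXPORT, CLSIDS).items():
        print(f"{clsid}: kill bit missing under {keys}")
```

On 32-bit Windows there is no Wow6432Node view, so only the first key applies there.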
