6 Patches from Microsoft; Vulnerability in Firefox 3.5

malware_warningMicrosoft released 6 security bulletins as announced. The actively exploited security hole in a video ActiveX component gets fixed by the updates, also flaws in DirectShow, the Embedded OpenType Font Engine, VirtualPC and -Server, ISA Server and Office 2007. A fix for the recently discovered vulnerability in Office, ISA Server 2004 and 2006 which also gets exploited on the net already is still missing though – so please apply the workarounds described in Microsofts security advisory or use the provided Fix-it-tool.

Microsoft expects exploits for all fixed vulnerabilities within the next 30 days according to the Exploitability Index of the security bulletin summary. The patches should be applied as soon as possible therefore to protect the own computer and/or network.

Firefox 3 Logo

The Mozilla Foundation issued a warning of a security hole in the Just-in-time compiler for JavaScript of the new Firefox 3.5 web browser. As exploit code is already publicly available they recommend to turn of the compiler temporarily. From the security advisory:

  1. Enter about:config in the browser’s location bar.
  2. Type jit in the Filter box at the top of the config editor.
  3. Double-click the line containing javascript.options.jit.content setting the value to false.

The developers are currently working on a fix. Until then it is a good idea to implement the described workaround.

Dirk Knop
Technical Editor