Information Security News mailing list archives

Microsoft to Patch 3 Critical Flaws to Prevent System Hijacking


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 10 Dec 2007 01:31:29 -0600 (CST)

http://www.eweek.com/article2/0,1895,2229965,00.asp

By Lisa Vaas
eWEEK.com
December 7, 2007 

Vista is vulnerable to three critical security flaws—in IE, Windows and 
multimedia technologies—that could let attackers hijack systems.

Microsoft will put out seven security bulletins on Patch Tuesday, with 
three critical updates that could lead to systems getting hijacked via 
Windows, Internet Explorer, and/or Microsoft's multimedia frameworks and 
APIs.

Vista is vulnerable to all three of the critical flaws, although 
Microsoft noted in a table of affected software included in its monthly 
advance notification that updates are currently available.

One of the critical bulletins affects Windows, DirectX and DirectShow.

DirectShow, a multimedia framework and API Microsoft designed to give 
developers a common interface for media across various programming 
languages, can be used to render or record media files on demand. 
DirectShow, which contains DirectX plugins for audio-signal processing 
and DirectX Video Acceleration to speed up video playback, is 
distributed as part of Microsoft's Platform SDK.

Windows Media Player uses DirectShow, as do most video applications on 
Windows. Many third-party video applications use DirectShow or a 
variant, as well.

Past security problems with DirectShow and DirectX have been sparse but 
serious. One critical flaw, fixed in October 2005, could have allowed an 
attacker to hijack a system. Microsoft also patched a critical DirectX 
flaw in 2003 that concerned an unchecked buffer that again could have 
led to a system takeover.

Microsoft's second critical advisory affects Windows and Windows Media 
Format Runtime. Another critical advisory for Windows Media Format 
Runtime came out one year ago, in December 2006. That earlier flaw could 
have led to remote code execution.

eEye's Zero-Day Tracker as of Dec. 7 wasn't showing any known zero-day 
vulnerabilities for DirectX, DirectShow or Windows Media Format Runtime, 
so users will just have to wait until Patch Tuesday on Dec. 11 to find 
out more on Microsoft's media security fixes.

The third critical security update affects Windows and Internet 
Explorer.

Microsoft also plans to release six non-security, high-priority updates 
on Microsoft Update and Windows Server Update Services. The company will 
also release one non-security, high-priority update for Windows on 
Windows Update.

__________________________________________________________________      
Visit InfoSec News
http://www.infosecnews.org/
