Article

Microsoft issues critical patches for IE, Windows apps

Anne Saita, News Director

As anticipated, Microsoft on Tuesday released nine security patches, three of which seal critical holes in the software giant's streaming media software architecture, widely used Internet Explorer Web browser and other key operating-system components.

Among the most severe is the update for a COM object instantiation memory corruption flaw in Internet Explorer.

    Requires Free Membership to View

Microsoft planned to issue the update last month, but withdrew it at the last moment for more testing.

This fix, which covers Windows operating systems ranging back as far as Windows 98, prevents intruders from gaining remote control via a malicious Web page that manipulates the way the IE Web browser instantiates COM objects not intended for such use.

Another update fixes an unchecked buffer in Windows' DirectShow application, used for capturing and view streaming media on Microsoft Windows systems with and without video and audio acceleration. It is also integrated with DirectX technologies and is used for DVD players, MP3 players, digital video capture software and other popular media downloads.

If exploited, an attacker can remotely take over an affected system and install programs, change or delete data or create new accounts with full user rights. The flaw primarily targets the following workstation and desktop combinations:

  • Systems running DirectX 8.1 on Microsoft Windows XP Service Pack 1
  • Systems running DirectX 7.0 on Windows 2000 with Service Pack 4
  • Systems running DirectX 7.0 on Microsoft Windows XP with Service Pack 2, as well as XP Professional x64, Windows Server 2003 -- with and without Service Pack 1 -- and older OSes such as Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME).

    The update removes the vulnerability by modifying the way DirectShow validates the length of a message before passing it to the allocated buffer.

    The third critical update patches vulnerabilities with Microsoft Distributed Transaction Coordinator (MSDTC) service and COM+ service to prevent remote control and privilege escalation by attackers. In addition, the same patch seals important, but not critical, holes in the TIP. Among the affected OS versions are Windows XP with SP1 and SP2, and multiple flavors of Windows Server 2003. "These patches resolve a number of critical client-side vulnerabilities that may be used to install malicious software or potential security risks such as spyware and adware on end-user computers," said Oliver Friedrichs, senior manager for Symantec Security Response, in a prepared statement. "Symantec recommends that users apply the updates as quickly as possible and refrain from opening unknown attachments or clicking on suspicious links that arrive via email or instant messages."

    Other patches released Tuesday include:

  • There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: