Security fixes on tap for Windows, IE, DirectX

Microsoft plans to release seven security updates Tuesday, including three critical fixes for Windows, DirectX, DirectShow, Windows Media Format Runtime and Internet Explorer.

Microsoft plans to release seven security updates Tuesday, including three critical fixes for remote code execution flaws in Windows, DirectX, and Internet Explorer.

Specifically, Microsoft said in its advance patch bulletin for December 2007, three "critical" bulletins affect Microsoft Windows, DirectX, DirectShow, Windows Media Format Runtime, and Internet Explorer; and four "important" bulletins affect Windows.

DirectX is a collection of application programming interfaces used to handle multimedia-related tasks on Microsoft platforms, especially game and video. The Microsoft DirectShow application programming interface (API) is a media-streaming architecture for the Windows platform. Microsoft said DirectShow can be used to help applications perform high-quality video and audio playback or capture.

Microsoft updates:
Microsoft warns of Windows zero-day: Attackers could exploit a zero-day flaw in Windows' Web Proxy Auto-Discovery (WPAD) feature to access sensitive data, Microsoft warned.

Nov. 13 update  - Microsoft fixes WSUS, releases Windows security updates Microsoft's November 2007 security update addresses flaws in Windows 2000, XP and Windows Server 2003.

Inside MSRC: Microsoft tells details about latest security advisories: Microsoft's Christopher Budd examines the public disclosure of a vulnerability in a driver provided by Macrovision and an issue installing updates on Microsoft Windows systems.

Microsoft typically assigns the critical rating to flaws that can be exploited by a malware attack without user action. The important rating usually goes to flaws whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data or of the integrity or availability of processing resources.

It is not clear if any of the patches will address a recently-disclosed zero-day vulnerability in how Windows looks up other computers on the Internet.

Microsoft warned customers earlier this week that the vulnerability is a variation of one patched in 1999, which attackers could exploit to access sensitive data and redirect users to Web sites rigged with malware. It is not considered as big a threat as more recent zero-day flaws, however. Tim Rains of the Microsoft Security Response Center communications team said in an email late Monday that the software giant is investigating new public reports of a vulnerability in how Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). He said the specific technology affected is Windows' Web Proxy Auto-Discovery (WPAD) program.

As is the case each month, an update of Microsoft's Windows Malicious Software Removal Tool will accompany the release of the security patches. That update will be available via Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Meanwhile, Microsoft is planning to release six non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS); and one non-security, high-priority update for Windows on Windows Update (WU).

This month promises to be a busier patching month than November, when Microsoft only released two security updates addressing flaws remote and local attackers could exploit to compromise targeted Windows machines, including all supported versions of Windows 2000, Windows XP and Windows Server 2003.

Dig deeper on Windows Security: Alerts, Updates and Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close