Microsoft fixes critical DirectX, Windows and IE flaws

Bill Brenner

Microsoft released seven patch bulletins for its December 2007 security update Tuesday, addressing critical flaws attackers could exploit to launch malicious code or gain extra system privileges on computers running DirectX, Internet Explorer (IE) and various versions of Windows.

Microsoft rated three updates critical, which means attackers could exploit the flaws to execute arbitrary code without user interaction and potentially hijack the targeted machine. They are:

MS07-064, which addresses two Microsoft DirectX flaws attackers could exploit to execute malicious code if the user opens a specially crafted file used for streaming media in DirectX. DirectX is a collection of application programming interfaces used to handle multimedia-related tasks on Microsoft platforms, especially games and video.

MS07-068, which addresses a Windows Media File Format flaw attackers could exploit to execute malicious code if the user views a specially crafted file in Windows Media Format Runtime.

MS07-069, a cumulative IE update that addresses four flaws. Attackers could exploit the most serious of these to run malicious code on targeted machines when the user views a specially crafted Web page with Internet Explorer. Microsoft said the security update is rated moderate for Internet Explorer 6 and 7 on Windows Server 2003, but is critical for all other supported releases of the browser.

Don Leatham, director of solutions and strategy for Scottsdale, Ariz.-based Lumension Security, said users should treat MS07-068 and MS07-069 with the greatest urgency.

"Because of the media player component in MS07-068, you're looking at probably the largest attack vector, and the lesson of MS07-069 is that you have to be careful with Internet Explorer even if you're running it on a Vista machine," he said.

Eric Schultze, CTO of Shavlik Technologies LLC in Roseville, Minn., said IT administrators should deploy the IE update first since the flaws are already being exploited in the wild. He also suggested that IT shops continue to move slowly in deploying Vista, given the number of Vista-related issues this month.

Microsoft rated four updates as important, which typically describes flaws attackers could exploit to compromise the confidentiality, integrity or availability of user data or the integrity or availability of processing resources. They are:

MS07-063, which addresses a Windows Vista flaw connected to Server Message Block Version 2 (SMBv2). Microsoft said the flaw could allow an attacker to tamper with data transferred via SMBv2, which could allow remote code execution in domain configurations communicating with SMBv2. Schultze said this flaw is an example of how Microsoft failed to weed out all the coding flaws when developing the latest version of Windows.

MS07-065, which addresses a flaw in the Message Queuing Service (MSMQ) that attackers could exploit to execute malicious code or gain elevated system privileges on Windows 2000 Server, Windows 2000 Professional and Windows XP. An attacker must have valid logon credentials to exploit this vulnerability, Microsoft noted.

MS07-066, which addresses a Windows Vista flaw connected to the Windows kernel. An attacker who successfully exploited this vulnerability could take complete control of an affected system, Microsoft warned.

MS07-067, which addresses a local privilege elevation flaw in how the Macrovision driver in Windows handles configuration parameters. An attacker who successfully exploited this vulnerability could take complete control of the system. The problem specifically affects Windows XP Service Pack 2; Windows XP Professional x64 Edition; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP1; Windows Server 2003 SP2; Windows Server 2003 x64 Edition; and Windows Server 2003 x64 Edition SP2.
