Security fixes on tap for Windows, IE, DirectX

By Bill Brenner, Senior News Writer 06 Dec 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Microsoft plans to release seven security updates Tuesday, including three critical fixes for remote code execution flaws in Windows, DirectX, and Internet Explorer.

Specifically, Microsoft said in its advance patch bulletin for December 2007, three "critical" bulletins affect Microsoft Windows, DirectX, DirectShow, Windows Media Format Runtime, and Internet Explorer; and four "important" bulletins affect Windows.

DirectX is a collection of application programming interfaces used to handle multimedia-related tasks on Microsoft platforms, especially game and video. The Microsoft DirectShow application programming interface (API) is a media-streaming architecture for the Windows platform. Microsoft said DirectShow can be used to help applications perform high-quality video and audio playback or capture.

Microsoft updates: Microsoft warns of Windows zero-day: Attackers could exploit a zero-day flaw in Windows' Web Proxy Auto-Discovery (WPAD) feature to access sensitive data, Microsoft warned. Nov. 13 update  - Microsoft fixes WSUS, releases Windows security updates Microsoft's November 2007 security update addresses flaws in Windows 2000, XP and Windows Server 2003. Inside MSRC: Microsoft tells details about latest security advisories: Microsoft's Christopher Budd examines the public disclosure of a vulnerability in a driver provided by Macrovision and an issue installing updates on Microsoft Windows systems.

Microsoft typically assigns the critical rating to flaws that can be exploited by a malware attack without user action. The important rating usually goes to flaws whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data or of the integrity or availability of processing resources.

It is not clear if any of the patches will address a recently-disclosed zero-day vulnerability in how Windows looks up other computers on the Internet.

Microsoft warned customers earlier this week that the vulnerability is a variation of one patched in 1999, which attackers could exploit to access sensitive data and redirect users to Web sites rigged with malware. It is not considered as big a threat as more recent zero-day flaws, however. Tim Rains of the Microsoft Security Response Center communications team said in an email late Monday that the software giant is investigating new public reports of a vulnerability in how Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). He said the specific technology affected is Windows' Web Proxy Auto-Discovery (WPAD) program.

As is the case each month, an update of Microsoft's Windows Malicious Software Removal Tool will accompany the release of the security patches. That update will be available via Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Meanwhile, Microsoft is planning to release six non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS); and one non-security, high-priority update for Windows on Windows Update (WU).

This month promises to be a busier patching month than November, when Microsoft only released two security updates addressing flaws remote and local attackers could exploit to compromise targeted Windows machines, including all supported versions of Windows 2000, Windows XP and Windows Server 2003.

Tags: Windows Security: Alerts, Updates and Best Practices,  Web Browser Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows Security: Alerts, Updates and Best Practices When BIOS updates become malware attacks Microsoft patches WebDAV security vulnerability in bevy of updates Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Hackers targeting unpatched Microsoft DirectShow flaw Microsoft warns of IIS zero-day vulnerability Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw How to perform Microsoft Baseline Security Analyzer (MBSA) scans Microsoft patches serious Excel zero-day, Windows flaws Microsoft Stirling Beta 2 release includes Exchange SaaS offering Web Browser Security Security researchers develop browser-based darknet Microsoft cracks down on click fraud ring Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates IT pros can detect, prevent website vulnerabilities, thwart attacks Stolen FTP credentials likely in massive website attacks Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert IT managers under pressure to weaken Web security policy US-CERT warns of Gumblar, Martuz drive-by exploits Google study backs browser silent auto update feature Web Browser Security Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary BotHunter  (SearchSecurity.com) principle of least privilege (POLP)  (SearchSecurity.com) security identifier  (SearchSecurity.com) trusted computing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary