Microsoft fixes critical DirectX, Windows and IE flaws

By Bill Brenner, Senior News Writer
11 Dec 2007 | SearchSecurity.com

Security Wire Daily News

Microsoft released seven security bulletins in its December 2007 update on Tuesday, addressing flaws that attackers could exploit to execute malicious code or elevate their privileges on systems running DirectX, Internet Explorer (IE) and various versions of Windows.

Microsoft rated three of the bulletins critical, its highest severity, meaning the flaws could be exploited to execute arbitrary code, in the worst case without user interaction, and give the attacker control of the targeted machine. They are:

MS07-064, which addresses two Microsoft DirectX flaws attackers could exploit to execute malicious code if the user opens a specially crafted streaming media file that DirectX parses. DirectX is a collection of application programming interfaces used to handle multimedia-related tasks on Microsoft platforms, especially games and video.

MS07-068, which addresses a Windows Media File Format flaw attackers could exploit to execute malicious code if the user opens a specially crafted media file in Windows Media Format Runtime.

MS07-069, a cumulative IE update that addresses four flaws. Attackers could exploit the most serious of these to run malicious code on targeted machines when the user views a specially crafted Web page with Internet Explorer. Microsoft said the security update is rated moderate for Internet Explorer 6 and 7 on Windows Server 2003, but is critical for all other supported releases of the browser.

Don Leatham, director of solutions and strategy for Scottsdale, Ariz.-based Lumension Security, said users should treat MS07-068 and MS07-069 with the greatest urgency.

"Because of the media player component in MS07-068, you're looking at probably the largest attack vector, and the lesson of MS07-069 is that you have to be careful with Internet Explorer even if you're running it on a Vista machine," he said.

Eric Schultze, CTO of Shavlik Technologies LLC in Roseville, Minn., said IT administrators should deploy the IE update first since the flaws are already being exploited in the wild. He also suggested that IT shops continue to move slowly in deploying Vista, given the number of Vista-related issues this month.

Microsoft rated the remaining four bulletins important, a rating it applies to flaws whose exploitation could compromise the confidentiality, integrity or availability of user data, or the integrity or availability of processing resources. They are:

MS07-063, which addresses a Windows Vista flaw in Server Message Block Version 2 (SMBv2). Microsoft said the flaw could allow an attacker to tamper with data transferred via SMBv2, which in domain configurations communicating over SMBv2 could lead to remote code execution. Schultze said this flaw is an example of how Microsoft failed to weed out all the coding flaws when developing the latest version of Windows.

MS07-065, which addresses a flaw in the Message Queuing Service (MSMQ) that attackers could exploit to execute malicious code or gain elevated privileges on Windows 2000 Server, Windows 2000 Professional and Windows XP. Microsoft noted that an attacker must have valid logon credentials to exploit this vulnerability.

MS07-066, which addresses a Windows Vista flaw in the Windows kernel. An attacker who successfully exploited this vulnerability could take complete control of an affected system, Microsoft warned.

MS07-067, which addresses a local privilege elevation flaw in how the Macrovision driver shipped with Windows handles configuration parameters. An attacker who successfully exploited this vulnerability could take complete control of the system. The affected platforms are Windows XP SP2; Windows XP Professional x64 Edition; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP1; Windows Server 2003 SP2; Windows Server 2003 x64 Edition; and Windows Server 2003 x64 Edition SP2.
