News Stay informed about the latest enterprise technology news and product updates.

Microsoft issues critical patches for IE, Windows apps

Microsoft's latest batch of software updates favors the client side, including fixes for a trio of critical flaws affecting Internet Explorer, DirectShow and the MSDTC service.

As anticipated, Microsoft on Tuesday released nine security patches, three of which seal critical holes in the software giant's streaming media software architecture, widely used Internet Explorer Web browser and other key operating-system components.

Among the most severe is the update for a COM object instantiation memory corruption flaw in Internet Explorer. Microsoft planned to issue the update last month, but withdrew it at the last moment for more testing.

This fix, which covers Windows operating systems ranging back as far as Windows 98, prevents intruders from gaining remote control via a malicious Web page that manipulates the way the IE Web browser instantiates COM objects not intended for such use.

Another update fixes an unchecked buffer in Windows' DirectShow application, used for capturing and view streaming media on Microsoft Windows systems with and without video and audio acceleration. It is also integrated with DirectX technologies and is used for DVD players, MP3 players, digital video capture software and other popular media downloads.

If exploited, an attacker can remotely take over an affected system and install programs, change or delete data or create new accounts with full user rights. The flaw primarily targets the following workstation and desktop combinations:

  • Systems running DirectX 8.1 on Microsoft Windows XP Service Pack 1
  • Systems running DirectX 7.0 on Windows 2000 with Service Pack 4
  • Systems running DirectX 7.0 on Microsoft Windows XP with Service Pack 2, as well as XP Professional x64, Windows Server 2003 -- with and without Service Pack 1 -- and older OSes such as Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME).

    The update removes the vulnerability by modifying the way DirectShow validates the length of a message before passing it to the allocated buffer.

    The third critical update patches vulnerabilities with Microsoft Distributed Transaction Coordinator (MSDTC) service and COM+ service to prevent remote control and privilege escalation by attackers. In addition, the same patch seals important, but not critical, holes in the TIP. Among the affected OS versions are Windows XP with SP1 and SP2, and multiple flavors of Windows Server 2003. "These patches resolve a number of critical client-side vulnerabilities that may be used to install malicious software or potential security risks such as spyware and adware on end-user computers," said Oliver Friedrichs, senior manager for Symantec Security Response, in a prepared statement. "Symantec recommends that users apply the updates as quickly as possible and refrain from opening unknown attachments or clicking on suspicious links that arrive via email or instant messages."

    Other patches released Tuesday include:

  • Dig Deeper on Microsoft Windows security

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.