Microsoft plans to release seven security updates Tuesday, including three critical fixes for remote code execution flaws in Windows, DirectX, and Internet Explorer.
Specifically, Microsoft said in its advance patch bulletin for December 2007, three "critical" bulletins affect Microsoft Windows, DirectX, DirectShow, Windows Media Format Runtime, and Internet Explorer; and four "important" bulletins affect Windows.
DirectX is a collection of application programming interfaces used to handle multimedia-related tasks on Microsoft platforms, especially game and video. The Microsoft DirectShow application programming interface (API) is a media-streaming architecture for the Windows platform. Microsoft said DirectShow can be used to help applications perform high-quality video and audio playback or capture.
Microsoft typically assigns the critical rating to flaws that can be exploited by a malware attack without user action. The important rating usually goes to flaws whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data or of the integrity or availability of processing resources.
It is not clear if any of the patches will address a recently-disclosed zero-day vulnerability in how Windows looks up other computers on the Internet.
Microsoft warned customers earlier this week that the vulnerability is a variation of one patched in 1999, which attackers could exploit to access sensitive data and redirect users to Web sites rigged with malware. It is not considered as big a threat as more recent zero-day flaws, however. Tim Rains of the Microsoft Security Response Center communications team said in an email late Monday that the software giant is investigating new public reports of a vulnerability in how Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). He said the specific technology affected is Windows' Web Proxy Auto-Discovery (WPAD) program.
As is the case each month, an update of Microsoft's Windows Malicious Software Removal Tool will accompany the release of the security patches. That update will be available via Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.
Meanwhile, Microsoft is planning to release six non-security, high-priority updates on Microsoft Update (MU) and Windows Server Update Services (WSUS); and one non-security, high-priority update for Windows on Windows Update (WU).
This month promises to be a busier patching month than November, when Microsoft only released two security updates addressing flaws remote and local attackers could exploit to compromise targeted Windows machines, including all supported versions of Windows 2000, Windows XP and Windows Server 2003.