Microsoft late Wednesday released a trio of security
patches to plug holes in software products used by millions of customers.
The most serious flaw involves a buffer overflow in DirectX, which is
used for multimedia support in Windows programs, including most games
running on Microsoft platforms. Microsoft warned that the vulnerability,
which carries a ‘critical’ rating, could allow an attacker to completely
take over a machine.
DirectX consists of a set of Application Programming Interfaces (APIs)
used by Windows programs. Within DirectX, the DirectShow technology performs
client-side audio and video sourcing, manipulation, and rendering. In its
advisory, Microsoft said two buffer overruns in DirectShow make it possible
for a malicious user to execute code in the security context of the
logged-on user.
Affected software includes DirectX 5.2 on Windows 98, DirectX 6.1 on
Windows 98 SE, DirectX 7.0a on Windows Millennium Edition, DirectX 7.0 on
Windows 2000, DirectX 8.1 on Windows XP and DirectX 8.1 on Windows Server
2003. DirectX 9.0a, when installed on Windows Server 2003, was also
vulnerable.
It is the second ‘critical’ security hole detected in the newest Windows
Server 2003 product.
Microsoft warned that an attacker could seek to exploit this
vulnerability by creating a specially crafted MIDI file and hosting it on a
Web site or on a network share, or by sending it in an HTML-based
e-mail.
“If the file was embedded in a page the vulnerability could be exploited
when a user visited the Web page. In the HTML-based e-mail case, the
vulnerability could be exploited when a user opened or previewed the
HTML-based e-mail. A successful attack could cause DirectShow, or an
application making use of DirectShow, to fail. A successful attack could
also cause an attacker’s code to run on the user’s computer in the security
context of the user,” the company said, urging DirectX users to apply the
patch immediately.
In a separate alert, Microsoft said a flaw was found in a Windows NT 4.0 Server
file management function that can lead to a denial of service.
Affected software includes Windows NT 4.0 Server and Windows NT 4.0 Terminal
Server Edition.
“The flaw results because the affected function can cause memory that it
does not own to be freed when a specially crafted request is passed to it.
If the application making the request to the function does not carry out any
user input validation and allows the specially crafted request to be passed
to the function, the function may free memory that it does not own. As a
result, the application passing the request could fail,” the company said.
The vulnerability carries a ‘moderate’ rating.
A third advisory included a cumulative patch to fix three newly discovered holes
in the Microsoft SQL Server product. System administrators using SQL Server
7.0, SQL Server 2000, Microsoft Data Engine (MSDE) 1.0, Microsoft SQL Server
2000 Desktop Engine (MSDE 2000) and SQL Server 2000 Desktop Engine (Windows)
are urged to upgrade immediately.