Microsoft Addresses Tardy Patch

Microsoft released nine security bulletins, three rated critical, on its regularly scheduled Patch Tuesday, officials announced.

The patches include one that was pulled at the last minute in September because officials deemed it not ready to be installed on user systems.

The security bulletin, a critical fix to Internet Explorer (IE), involves a problem in the browser’s DDS Library Shape Control (msdds.dll) library and other COM objects.

If a user is logged on as the administrator and falls for the attack by inadvertently downloading and installing the malware, that would give the attacker full rights to the compromised system. The attacker could then add, delete and change all files on the computer.

The vulnerability affects several versions of IE 5 and 6.

This month’s security update included two other critical security bulletins. Both, if exploited, would give the malware writer complete control of the end user’s system and allow them to modify and delete files on the computer.

The first relates to an unchecked buffer vulnerability in Microsoft’s DirectShow, the multimedia architecture behind DirectX. Users who have permissions set might be able to mitigate the damage if the system is compromised, officials said. The vulnerability affects Windows users running versions of DirectX 8 or 9.

Multiple flaws make up the third critical-rated security bulletin this month. Four vulnerabilities in Microsoft’s COM+ and the Microsoft Distributed Transaction Coordinator could allow the attacker complete control over the system.

The security bulletin applies to Windows 2000, Windows XP (Service Pack 1 and 2, and x64 edition) and Windows Server 2003 systems.

For more information on this month’s security bulletins, visit Microsoft’s security site.
