Thgis weeks Windows Flaw
Posted: Thu Jul 24, 2003 1:10 pm
link
July 23 — Microsoft issued another passel of warnings about security holes Wednesday, including a “critical” flaw affecting most Windows PCs. The most serious of the flaws involves DirectX, a library of graphics and multimedia programming instructions used by most PC games, and could allow malicious users to run code of their choice on a vulnerable PC.
THE FLAW IS unusually widespread, affecting all versions of DirectX from version 5.2 to the current 9.0a running on all versions of Windows from Windows 98 through the new Windows Server 2003, according to the Microsoft bulletin.
(MSNBC is a Microsoft - NBC joint venture.)
The flaw, which received Microsoft’s highest severity rating, involves the way DirectX handles MIDI music files. A malformed MIDI file could overrun the buffer in DirectX, at which point extra software embedded in the file would be executed.
Exploiting the flaw would entail the creation of a maliciously malformed MIDI file, which vulnerable Windows users would have to be tricked into running, either through e-mail or a Web page.
“They’d have to come up with some way to get the user to click on that file,” said Stephen Toulouse of Microsoft’s Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files.
Default security settings are even stronger in Windows Server 2003, Toulouse added, which is why the flaw has a lower rating of “important” for that operating system.
Toulouse said there are no known exploits of the flaw, which was discovered by eEye Digital Security, but affected Windows users should still apply the appropriate patch as soon as possible.
TWO OTHER PATCHES
Microsoft also announced the availability of a cumulative patch — rated “important” — fixing new and previously reported vulnerabilities in the company’s SQL Server software.
A third bulletin warned of a “moderate” risk for a new method to launch a denial-of-service attack against a PC running the Windows NT 4.0 operating system.
The latest alerts continue a busy month of security issues for the software giant.
Mike Cherry, an analyst for research firm Directions on Microsoft, said the frequency of security alerts could be bad for Microsoft’s image, particularly as they relate to Windows Server 2003, one of the first poster children for the company’s “trustworthy computing” initiative.
“There should be some concern that even with the improved testing in that product, they’re continuing to find these problem,” he said.
But no software maker can find every flaw before a product is released, Cherry said, and at least Microsoft is being upfront about potential problems.
“They’re getting much better about discussing these problems as they’re found,” he said. “We never would have gotten this kind of information three year ago.”
Copyright © 1995-2003 CNET Networks, Inc. All rights reserved
Archived topic from Iceteks, old topic ID:1123, old post ID:9905
July 23 — Microsoft issued another passel of warnings about security holes Wednesday, including a “critical” flaw affecting most Windows PCs. The most serious of the flaws involves DirectX, a library of graphics and multimedia programming instructions used by most PC games, and could allow malicious users to run code of their choice on a vulnerable PC.
THE FLAW IS unusually widespread, affecting all versions of DirectX from version 5.2 to the current 9.0a running on all versions of Windows from Windows 98 through the new Windows Server 2003, according to the Microsoft bulletin.
(MSNBC is a Microsoft - NBC joint venture.)
The flaw, which received Microsoft’s highest severity rating, involves the way DirectX handles MIDI music files. A malformed MIDI file could overrun the buffer in DirectX, at which point extra software embedded in the file would be executed.
Exploiting the flaw would entail the creation of a maliciously malformed MIDI file, which vulnerable Windows users would have to be tricked into running, either through e-mail or a Web page.
“They’d have to come up with some way to get the user to click on that file,” said Stephen Toulouse of Microsoft’s Security Response Center, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent automatic launching of such files.
Default security settings are even stronger in Windows Server 2003, Toulouse added, which is why the flaw has a lower rating of “important” for that operating system.
Toulouse said there are no known exploits of the flaw, which was discovered by eEye Digital Security, but affected Windows users should still apply the appropriate patch as soon as possible.
TWO OTHER PATCHES
Microsoft also announced the availability of a cumulative patch — rated “important” — fixing new and previously reported vulnerabilities in the company’s SQL Server software.
A third bulletin warned of a “moderate” risk for a new method to launch a denial-of-service attack against a PC running the Windows NT 4.0 operating system.
The latest alerts continue a busy month of security issues for the software giant.
Mike Cherry, an analyst for research firm Directions on Microsoft, said the frequency of security alerts could be bad for Microsoft’s image, particularly as they relate to Windows Server 2003, one of the first poster children for the company’s “trustworthy computing” initiative.
“There should be some concern that even with the improved testing in that product, they’re continuing to find these problem,” he said.
But no software maker can find every flaw before a product is released, Cherry said, and at least Microsoft is being upfront about potential problems.
“They’re getting much better about discussing these problems as they’re found,” he said. “We never would have gotten this kind of information three year ago.”
Copyright © 1995-2003 CNET Networks, Inc. All rights reserved
Archived topic from Iceteks, old topic ID:1123, old post ID:9905
