Microsoft patching DirectShow, IE on Patch Tuesday

Microsoft hasn't yet posted its Patch Tuesday bulletins, but the updates have popped up on its Web site.

Last Thursday, Microsoft said that it plans to issue seven sets of security patches next week, including critical fixes for DirectX, IE and Bluetooth.

Fixes are also slated for Active Directory, the Windows Internet Name Service (WINS) and the Pragmatic General Multicast (PGM) protocol, used by Windows to stream media to many recipients. These updates are all rated "important."

A seventh update, rated "moderate," is listed as a "Kill Bit" update for Windows. This type of patch will disable code that is known to have a security bug.

So far I see the following on Microsoft's Web site:

Security Update for Windows Server/Windows 2000 (KB951698)

 A security issue has been identified in Microsoft DirectShow that could allow an attacker to compromise your Windows-based system and gain control over it. Cumulative Security Update for Internet Explorer for Windows Server 2003 64-bit Itanium Edition (KB950759) This update addresses the vulnerability discussed in Microsoft Security Bulletin MS08-031. To find out if other security updates are available for you, see the Overview section of this page. 

Cumulative Security Update for ActiveX Killbits for Windows XP x64 Edition (KB950760)

Security Update for Internet Explorer 8 Beta 1 (KB951804)

 This update addresses the vulnerability discussed in Microsoft Knowledge Base 951804.     According to the KB article this relates to two issues:•    HTML Objects Memory Corruption Vulnerability – CVE-2008-1442•    Request Header Cross-Domain Information Disclosure Vulnerability – CVE-2008-1544Update: The

bulletins are up.

The IE bugs affect IE 5, 6, and 7 too.Update2

Here's my story on this:

Microsoft has released security patches for some of its products, fixing critical flaws in the Internet Explorer browser, DirectX and Bluetooth wireless software for Windows.

The company has also released less-critical updates for its server products, fixing bugs in Active Directory, the Windows Internet Name Service (WINS) and the Pragmatic General Multicast (PGM) protocol, used by Windows to stream media to many recipients.

A seventh update, rated moderate, adds "kill bits" that disable buggy speech-recognition software and a program used to manage Logitech devices.

In total, 10 bugs were squashed in these seven updates, released Tuesday.

Desktop users will want to be sure to install the critical Internet Explorer and DirectX updates as soon as possible, said Amol Sarwate, vulnerability lab manager with security vendor Qualys. Some of the flaws addressed in these patches can be exploited in Web-based attacks where a criminal tricks the victim into visiting a malicious Web page and then takes advantage of the bug to install malicious software on the Windows PC.

The Bluetooth vulnerability is also rated critical by Microsoft. But to exploit this flaw, attackers would have to be close enough to the Windows machine to send it maliciously encoded Bluetooth packets, Sarwate said.

One of the two bugs that was patched in the MS08-031 Internet Explorer update has been publicly known since January. Attackers could take advantage of this flaw to get unauthorized access to data stored by the browser, Microsoft said.

Another publicly disclosed bug lies in the Microsoft Speech API, which lets Windows users operate their computers using voice commands. Last year, researchers discovered that they could do things like delete files on computers that used this technology, enabled by remotely playing voice commands on a victim's computer.

The Speech API flaw was one of two programs that Microsoft has disabled with its MS08-032 "kill bit" update. The second flaw lies in an ActiveX control that ships with the Logitech Desktop Manager (LDM) software.

The LDM, which manages Logitech devices like Web cameras, contains buggy software called the BackWeb Web Package ActiveX object. So if a victim running the LDM software visited a malicious Web site, attackers could theoretically take advantage of this flaw and run unauthorized software on his computer.

Third-party applications such as the Logitech Desktop Manager have been the source of many security problems for Windows users. Lately, researchers have discovered a rash of major flaws in products such as Apple's QuickTime, Adobe's Flash and other media players. Often, these bugs can be exploited by attackers in Web-based attacks in order to run unauthorized software on a victim's PC.


Copyright © 2008 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline