Microsoft Details Problems in DirectPlay, Crystal Reports

By Larry Seltzer  |  Posted 2004-06-08 Print this article Print

The advisories, both moderate, concern an older version of the game-playing service and a vulnerability in the Crystal Reports component.

June is emerging as an easy month for Windows IT security personnel. On Tuesday, Microsoft revealed only two vulnerabilities in its products, both rated "moderate."

The first attack exploits a flaw in Microsofts DirectPlay service, used to implement multiplayer games on Windows independent of network details, and could lead to the failure of the application. The flaw derived from insufficient checking of network packets by the service and involves a malformed packet. Only the game is affected by the attack.

Only version 4 of DirectPlay is affected. Newer games use newer versions of DirectPlay, the current being version 8, which is part of DirectX version 9. Only a system actively running a DirectPlay version 4 game is vulnerable.

All versions of Windows XP, Windows 2000 and Windows Server 2003 are affected, and patches are available at the page describing the vulnerability. Windows 98, 98SE and Windows ME are affected as well, but since Microsoft does not deem this vulnerability "critical," it will not issue a patch for those operating systems, which are past the stage in their product lifetimes during which they receive noncritical patches. Windows NT 4 is not affected.

The second issue relates to the Crystal Reports viewer in three Microsoft products: Outlook 2003 with Business Contact Manager, Visual Studio .NET 2003 and Microsoft Business Solutions CRM 1.2. Crystal Reports is a well-known report package from Business Objects. The patches for all of these products may be found at this page.

For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog. Outlook 2003 with Business Contact Manager is a separate add-on to Outlook 2003 on a separate CD. Microsoft warns that users who use both Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, and who have Internet Information Services installed, should install the update for both products. In other areas of the advisory, in a seeming contradiction, it is stated that only systems with IIS installed are vulnerable.

According to the description of the Crystal Reports issue, the vulnerability is in Crystal Reports itself, which is redistributed as part of the three affected Microsoft products. The vulnerability could result in the attacker retrieving and deleting files on the affected system. The attack occurs in the security context of the Crystal Reports component, so only files available to that component could be compromised.

Setting certain processes on the system, with more restrictive authentication rules, is one way to mitigate the problem. Microsoft CRM 1.2 already runs by default with access to Crystal Reports limited to Windows user group membership. See the advisory for more details.

Attempts to reach Business Objects were unsuccessful.

Check out eWEEK.coms Security Center at for the latest security news, reviews and analysis.

Be sure to add our developer and Web services news feed to your RSS newsreader or My Yahoo page

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel