Microsoft to Patch 3 Critical Flaws to Prevent System Hijacking

By Lisa Vaas  |  Posted 2007-12-07

Vista is vulnerable to three critical security flaws (in IE, Windows and multimedia technologies) that could let attackers hijack systems.

Microsoft will put out seven security bulletins on Patch Tuesday, with three critical updates that could lead to systems getting hijacked via Windows, Internet Explorer, and/or Microsoft's multimedia frameworks and APIs. Vista is vulnerable to all three of the critical flaws, although Microsoft noted in a table of affected software included in its monthly advance notification that updates are currently available. One of the critical bulletins affects Windows, DirectX and DirectShow.
DirectShow, a multimedia framework and API Microsoft designed to give developers a common interface for media across various programming languages, can be used to render or record media files on demand. DirectShow, which contains DirectX plugins for audio-signal processing and DirectX Video Acceleration to speed up video playback, is distributed as part of Microsoft's Platform SDK.
Windows Media Player uses DirectShow, as do most video applications on Windows. Many third-party video applications use DirectShow or a variant, as well.
Past security problems with DirectShow and DirectX have been sparse but serious. One critical flaw, fixed in October 2005, could have allowed an attacker to hijack a system. Microsoft also patched a critical DirectX flaw in 2003 that concerned an unchecked buffer that again could have led to a system takeover.
Microsoft's second critical advisory affects Windows and Windows Media Format Runtime. Another critical advisory for Windows Media Format Runtime came out one year ago, in December 2006. That earlier flaw could have led to remote code execution.
eEye's Zero-Day Tracker as of Dec. 7 wasn't showing any known zero-day vulnerabilities for DirectX, DirectShow or Windows Media Format Runtime, so users will just have to wait until Patch Tuesday on Dec. 11 to find out more on Microsoft's media security fixes.
The third critical security update affects Windows and Internet Explorer.
Microsoft also plans to release six non-security, high-priority updates on Microsoft Update and Windows Server Update Services. The company will also release one non-security, high-priority update for Windows on Windows Update.
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
