Microsoft to Patch 3 Critical Flaws to Prevent System Hijacking

Vista is vulnerable to three critical security flaws (in IE, Windows and multimedia technologies) that could let attackers hijack systems.

Microsoft will put out seven security bulletins on Patch Tuesday, with three critical updates that could lead to systems getting hijacked via Windows, Internet Explorer, and/or Microsoft's multimedia frameworks and APIs.

Vista is vulnerable to all three of the critical flaws, although Microsoft noted, in the table of affected software included in its monthly advance notification, that updates are currently available.

One of the critical bulletins affects Windows, DirectX and DirectShow.

DirectShow, a multimedia framework and API Microsoft designed to give developers a common interface for media across various programming languages, can be used to render or record media files on demand. DirectShow, which contains DirectX plugins for audio-signal processing and DirectX Video Acceleration to speed up video playback, is distributed as part of Microsoft's Platform SDK.

Windows Media Player uses DirectShow, as do most video applications on Windows. Many third-party video applications use DirectShow or a variant, as well.

Past security problems with DirectShow and DirectX have been sparse but serious. One critical flaw, fixed in October 2005, could have allowed an attacker to hijack a system. Microsoft also patched a critical DirectX flaw in 2003 that concerned an unchecked buffer that again could have led to a system takeover.

Microsoft's second critical advisory affects Windows and Windows Media Format Runtime. Another critical advisory for Windows Media Format Runtime came out one year ago, in December 2006. That earlier flaw could have led to remote code execution.

eEye's Zero-Day Tracker as of Dec. 7 wasn't showing any known zero-day vulnerabilities for DirectX, DirectShow or Windows Media Format Runtime, so users will just have to wait until Patch Tuesday on Dec. 11 to find out more on Microsoft's media security fixes.

The third critical security update affects Windows and Internet Explorer.

Microsoft also plans to release six non-security, high-priority updates on Microsoft Update and Windows Server Update Services. The company will also release one non-security, high-priority update for Windows on Windows Update.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.