June is emerging as an easy month for Windows IT security personnel. On Tuesday, Microsoft revealed only two vulnerabilities in its products, both rated “moderate.”
The first attack exploits a flaw in Microsofts DirectPlay service, used to implement multiplayer games on Windows independent of network details, and could lead to the failure of the application.
The flaw derived from insufficient checking of network packets by the service and involves a malformed packet. Only the game is affected by the attack.
Only version 4 of DirectPlay is affected. Newer games use newer versions of DirectPlay, the current being version 8, which is part of DirectX version 9. Only a system actively running a DirectPlay version 4 game is vulnerable.
All versions of Windows XP, Windows 2000 and Windows Server 2003 are affected, and patches are available at the page describing the vulnerability.
Windows 98, 98SE and Windows ME are affected as well, but since Microsoft does not deem this vulnerability “critical,” it will not issue a patch for those operating systems, which are past the stage in their product lifetimes during which they receive noncritical patches. Windows NT 4 is not affected.
The second issue relates to the Crystal Reports viewer in three Microsoft products: Outlook 2003 with Business Contact Manager, Visual Studio .NET 2003 and Microsoft Business Solutions CRM 1.2.
Outlook 2003 with Business Contact Manager is a separate add-on to Outlook 2003 on a separate CD. Microsoft warns that users who use both Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, and who have Internet Information Services installed, should install the update for both products.
In other areas of the advisory, in a seeming contradiction, it is stated that only systems with IIS installed are vulnerable.
According to the description of the Crystal Reports issue, the vulnerability is in Crystal Reports itself, which is redistributed as part of the three affected Microsoft products.
The vulnerability could result in the attacker retrieving and deleting files on the affected system. The attack occurs in the security context of the Crystal Reports component, so only files available to that component could be compromised.
Setting certain processes on the system, with more restrictive authentication rules, is one way to mitigate the problem. Microsoft CRM 1.2 already runs by default with access to Crystal Reports limited to Windows user group membership. See the advisory for more details.
Attempts to reach Business Objects were unsuccessful.