LinuxInsider.com
Security

Microsoft Warns of DirectX Security Flaw


In order to exploit the flaw, an attacker would need to devise a booby-trapped MIDI file and then lure a user into loading it, either by visiting a Web site or by opening an HTML-based e-mail.


Microsoft (Nasdaq: MSFT) has released a security bulletin warning that a flaw in DirectX, the graphics and multimedia interface present on the majority of Windows computers, leaves users vulnerable to a buffer overrun.

The vulnerability allows an attacker to execute code on a user's PC with the privileges of the logged-on user, according to Microsoft. It affects PCs running Windows 98 and later on the client side; on the server side, Windows Server 2003, Windows 2000 Server and some versions of Windows NT are affected.

Microsoft rated the flaw's severity as "critical" in all cases except for Windows Server 2003. The company already has made a patch available at its Web site and urges users to apply it immediately.

MIDI Problems

Specifically, the flaw lies in DirectX's DirectShow application programming interface (API), which handles desktop audio and video playback. Besides letting an attacker run code on a user's computer, a malformed file that triggers the flaw can also crash any program that uses DirectShow to play it.

To exploit this flaw, an attacker would need to craft a malformed MIDI file and then lure a user into loading it, either by visiting a Web site that serves the file or by opening an HTML-based e-mail that embeds it.
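The article does not show the DirectShow code, and what follows is not it. As an added illustration, this constructed C example shows the general shape of a buffer overrun in a MIDI chunk parser: a decoder that copies a track chunk into a fixed-size buffer using the length field the file declares, next to a hardened version that checks that length against both the bytes actually present and the destination. The MIDI framing ("MThd" and "MTrk" chunk tags with 4-byte big-endian lengths) is the Standard MIDI File layout; the function names, the 64-byte buffer and the sample files are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Destination for the first track chunk. Fixed-size, like a decoder's
 * pre-sized scratch buffer (64 bytes is an assumption for this example). */
#define TRACK_BUF 64
#define MTHD_LEN  14   /* "MThd" + 4-byte length + 6-byte body */
#define MTRK_HDR   8   /* "MTrk" + 4-byte length */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE (illustrative): copies the first MTrk chunk using the length
 * the file declares, with no check against the file size or the 64-byte
 * destination. A crafted length makes memcpy read past the file and write
 * past `out`, which is the buffer-overrun pattern the bulletin describes. */
int copy_track_vulnerable(const uint8_t *file, uint8_t out[TRACK_BUF]) {
    const uint8_t *trk = file + MTHD_LEN;
    uint32_t len = be32(trk + 4);       /* attacker-controlled */
    memcpy(out, trk + MTRK_HDR, len);   /* no bound on len */
    return (int)len;
}

/* HARDENED: validate the chunk tags, then require the declared track length
 * to fit both the bytes actually present and the destination buffer.
 * Returns the number of bytes copied, or -1 for a rejected file. */
int copy_track_hardened(const uint8_t *file, size_t file_len, uint8_t out[TRACK_BUF]) {
    if (file_len < MTHD_LEN + MTRK_HDR) return -1;
    if (memcmp(file, "MThd", 4) != 0 || be32(file + 4) != 6) return -1;
    const uint8_t *trk = file + MTHD_LEN;
    if (memcmp(trk, "MTrk", 4) != 0) return -1;
    uint32_t len = be32(trk + 4);
    size_t avail = file_len - (MTHD_LEN + MTRK_HDR);
    if (len > avail) return -1;      /* declared length exceeds the file */
    if (len > TRACK_BUF) return -1;  /* declared length exceeds destination */
    memcpy(out, trk + MTRK_HDR, len);
    return (int)len;
}

/* Constructed input (not a real-world sample): a minimal format-0 MIDI
 * header followed by one MTrk chunk whose length field and actual payload
 * size are chosen independently so they can disagree. Payload bytes are
 * filler, not meaningful MIDI events. Returns bytes written, 0 if too big. */
size_t build_midi(uint8_t *dst, size_t cap, uint32_t declared_len, size_t payload_len) {
    static const uint8_t hdr[] = {
        'M','T','h','d', 0,0,0,6,  0,0, 0,1, 0,0x60,   /* format 0, 1 track, 96 ppqn */
        'M','T','r','k' };
    size_t n = sizeof hdr + 4 + payload_len;
    if (n > cap) return 0;
    memcpy(dst, hdr, sizeof hdr);
    dst[18] = (uint8_t)(declared_len >> 24);
    dst[19] = (uint8_t)(declared_len >> 16);
    dst[20] = (uint8_t)(declared_len >> 8);
    dst[21] = (uint8_t)declared_len;
    memset(dst + 22, 0x90, payload_len);
    return n;
}

/* Build a file with the given length field / payload size and run the
 * hardened parser on it. Returns that parser's result (-2 if the file
 * would not fit the scratch array). */
int check_file(uint32_t declared_len, size_t payload_len) {
    uint8_t file[256], out[TRACK_BUF];
    size_t n = build_midi(file, sizeof file, declared_len, payload_len);
    if (n == 0) return -2;
    return copy_track_hardened(file, n, out);
}

int main(void) {
    uint8_t file[256], out[TRACK_BUF];
    size_t n = build_midi(file, sizeof file, 4, 4);      /* honest 4-byte track */
    printf("benign, vulnerable parser:  %d\n", copy_track_vulnerable(file, out));
    printf("benign, hardened parser:    %d\n", copy_track_hardened(file, n, out));
    /* The vulnerable parser is deliberately not run on the next two files:
     * the first would read far beyond the file, the second would write
     * 65 bytes into a 64-byte buffer. */
    printf("length > file, hardened:    %d\n", check_file(0x7FFFFFFFu, 4));
    printf("length > buffer, hardened:  %d\n", check_file(65, 65));
    return 0;
}
```

The two rejection cases are distinct failure modes and both need a check: a length larger than the remaining file is an out-of-bounds read (typically a crash, which is the "programs employing DirectShow" crash the article mentions), while a length that fits the file but not the destination is the write overrun an attacker needs for code execution.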

Windows Server 2003 runs on a default configuration in which Outlook Express views e-mail in plain text instead of HTML; thus, the flaw is not rated critical for this version of the OS.

One More Thing

Forrester Research principal analyst Frank Gillett told the E-Commerce Times that use of advanced graphics capabilities on PCs has increased over time. "Windows XP is leaning harder on these technologies than ever [with processes like] rendering, menu-popping and anti-aliasing fonts," he noted.

Meanwhile, Forrester research director Ken Smiley told the E-Commerce Times that as DirectX has built its API capabilities over time, it has become a common benchmark for PC developers working with any sort of graphics.

He noted that the version of DirectX that ships with Windows is usually obsolete out-of-the-box, so users frequently download an upgrade via the Web or obtain a new version bundled with a program like Windows Media Player or a new game. Games typically ship with the latest DirectX drivers.

Enterprise First

According to Smiley, the latest DirectX flaw affects consumers significantly more than enterprises. Unfortunately for consumers, they are low on the priority list in Microsoft's secure computing strategy.

Even so, Smiley questioned whether the announcement constituted earth-shaking news.

"It won't be the first [time] this happens, and it won't be the last," he said. "You just fix it and move on."

