DirectX targeted in Microsoft security updates

Microsoft said on Thursday that it will issue six security updates on Patch Tuesday next week, including a critical one that will fix two outstanding holes in DirectX that have been targeted in attacks.

In May, Microsoft announced that there had been attacks against a DirectX vulnerability that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.

Earlier this week, Microsoft warned of attacks being launched that exploit a hole in the Video ActiveX Control when used in Internet Explorer for recording and playing video in DirectShow. Microsoft offered a workaround on Monday for that hole, which reportedly it had known about since last year.

The ActiveX control vulnerability was likely independently rediscovered by malicious hackers or leaked through the Microsoft Active Protection Program which the company uses to share early security information with third-party vendors, according to a statement from security firm Rapid7.

Asked for comment, a Microsoft spokeswoman provided a statement that said: "Microsoft received the original, private report from Ryan Smith and Alex Wheeler with IBM ISS X-Force in the early Spring of 2008. The company did not share any information with MAPP partners about the reported Video ActiveX Control vulnerability until immediately before the advisory posting on Monday."

The critical vulnerabilities affecting various Windows versions all could allow an attacker to run code remotely, while one of the non-critical holes involving Virtual PC and Virtual Server would allow remote code execution and the other non-critical holes could allow elevation of privilege.

Affected software for the critical updates is Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and 2008. The versions of Direct X affected are DirectX 7.0, 8.1 and 9.0.

The non-critical updates affect 2007 Microsoft Office System Service Pack 1, Microsoft Internet Security and Acceleration Server 2006, Microsoft Virtual PC 2004 and 2007, and Microsoft Virtual Server 2005 R2.

Updated 1:55 p.m. PDT with Microsoft comment.

[FF2009]

The never ending stories of Windows holes...it is an almost daily event. You Got to love Windows, folks. lol

[monkeyfun14]

I know I mean it's not like OSX has holes.<br /><br />Oh wait...

[Vegaman_Dan]

It's true, FF2009- oh wait, sorry... had to reboot my MacBookPro for critical system updates, iTunes updates, Quicktime updates, etc. <br /> <br />You know, I have had to reboot my MacBookPro twice this week for updates and my PC's not a single time. <br /> <br />Some days one does better than the other. Oh well.

[gertruded]

The windows gorilla marketers always show up to spin the Windows horror story. LOL

[FutureGuy]

Here?s something the author intentionally or ignorantly left out <br />Both of these flaws affect older version of Windows; Windows Vista and Windows Server 2008 are not affected. <br /> <br />http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218401369 <br /> <br />So the flaw that she is talking about in lengths doesn?t affect the latest version of the OS that has been out for more than 2 years, I guess she forgot about this ?minor? detail. Care to respond?

[monkeyfun14]

That would make Windows look better then it does when they assume it affects all versions.<br /><br />Making Windows looking as bad as possible is the goal on cnet didn't you know?

[jessiethe3rd]

@ monkeyfun14 <br />Be careful of what you say in the land of Microsoft haters.... you may find yourself called a "fanboy"

[ellienc]

Being basically OS ignroant, my PC came with XP and I did not update to Vista. I am so confused about what I read, do I up grade to something that still is having problems, or do I just sit and keep downloading "fixies" to this one. Not all folks know the ins and outs and want only to use their compyuters for things like research, mail, participating in specail interest "groups". Not being a "tchy" what do we do??????

[MarkFlax]

To ellienc.<br /><br />You ask wether you should upgrade from XP to Vista, or stick with Vista.<br /><br />There's no easy answer, but if you are still happy with XP, then why not stay with that? Microsoft will still issue updates for it for the forseeable future.<br /><br />Vista is only having as many problems as any other 'new' Window Operating System when released. In fact, it is quite a bit more secure that previous versions. But Vista may not work on all XP systems, and many users find they have to purchase a new system specifically for Vista.<br /><br />So, if you are not ready to do that, XP works fine still, and will do so for some time, (as long as you look after it and the computer 'hardware' lasts), so go with what works for you.<br /><br />Hope that helps.<br /><br />Mark

[Alphaman63]

So, after a year, we're finally getting a patch, and all we see are articles saying "DirectX targeted in Microsoft security updates". Nothing about ActiveX flaws that have been exploited in the title? Nothing about MS taking a YEAR to protect its customers?<br /><br />Where's the outrage that it took a year? Where's the yelling and claims of ineptitude and ignorance like those that were foisted on Apple after they fixed a flaw after 6 months? A flaw that was never exploited in the wild, btw.<br /><br />I run lots of OS's beyond Windows, OS X, and Linux, and from my viewpoint, the inequity in reporting just leaves me shaking my head.<br /><br />Microsoft needs to be seriously taken to task for this. The lame excuses about not wanting to break ActiveX (after publishing a workaround that explicitly BROKE ActiveX) just don't hold water...

[CrashPad63]

Like Mac not patching the exploits found in Quicktime that still are not patched after a couple years, or maybe the vunerability in Safari that was exploited a full year after being handed to Apple for patching. And there are many more of this type of behaivior from Apple. Why? Who knows.

[grannynan44]

Hello All,<br /><br />Well I have a question but it's not related to the patch...I'm a 64 yr old female and not to savvy on the ins and outs of computers, so please take that in consideration if you have a answer for me..&gt;smiles&lt; Well anyway, I was wondering if anyone could tell me how to update my drivers I ran a free scan on it and it said I had like 18 out of date drivers...Is there any place on the net that I can do that free of charge? My computer is hanging up so bad it's driving me crazy!! I have all the security on it and I keep it defrgd and do my disk cleanup and all that stuff but it's so slow anymore...I have DSL Broadband but you sure wouldn't know it!!! If anyone can help this poor old Granny, it sure would be very much appreciated! &gt;smiles&gt; <br /><br />Ps My computer was bought in 2004 it's a Dell Dimension 4700 &gt;Probably Not A Good Thing&gt;Huh?&lt;<br /><br />Thank So Much in Advance,<br />Nancy

[GEO2003]

Hello Nancy <br />I will try to help you a little - Your pc is vey old, I can only assume that the scan you ran was because you visited some site where there was some advertising indicating that it can help you keep your pc updated for free. <br /> <br />There is so many of this adds on the internet that is hard to tell you which one are legit and which one's are not. <br /> <br />Most of the one's I have try is just a way to catch you and persuade you to buy the software. Other's try to track update drivers but they do so from either the pc manufacturer site or other site where users have posted drivers that they found to work with their pc. <br /> <br />My suggestion to you is not to trust this kind of scans, the reason for that is because your pc is very old and 99 percent of time new drivers are NOT available for this kind of machine. <br /> <br />The best way for you to check for updated drivers if any is to go directly to the Dell site, create a log on and search driver by typing your customer ID which should be somewhere in the back of your dell. <br />This will give you a list of all the drivers that were realease by dell for your pc specifically. <br /> <br />When the list is presented for you, the list is divided by type of drivers, you can expand the tree and find out the version of the driver and the date. <br /> <br />To compare this with what you have on your pc, keep the dell site open, click on the start button on windows XP, click on control panel, click on System. <br />The window that opens are for different information on your system, I am a little rusty on the name of the tabs, but just click through them until you find one that list a button label - DEVICE MANAGER, once you click on this button, a window listing all your hardware will be presented to you. <br /> <br />Here double click on the hardware that you want to check, for example, video card, this will open a new windows for that hardware driver and information, from here you can check the version and date of the driver on your system to the one avaible at the dell site. If it is the same, then you know there is no available update, if the website presents you with a newer driver, you can download it and install it. <br /> <br />Installing it is not hard as per your message it appears you know how to install other type of software. <br /> <br />HOWEVER, I can not over enphazice that you should not trust the scan that you did or any other type of this scans including scans for viruses from online websites, not matter if they are advertising on Cnet or any other trusted webiste, because they can be a mode of infection. <br /> <br />Your pc could be running slow because it is old, because it could have been infected already. Believe me I have a 2002 pc from Dell running XP, and the motherboard is beginning to show signs of failure, the original video card burnt out about six months ago, the hard drive even though fast, I can get it to run smoothly anymore. <br /> <br />To me changing parts on a pc this old is not worth it, there are cheap pc'ls now running around 450 dollars and if you wait and read carefully, buying a new one with Vista will even get you a free update to the new operating system - Windows 7 coming out in October 22. Keep this in mind if you plan to buy. Windows 7 is very stable, easy to use, and more secure then XP. <br /> <br />In the mean time, keep XP updated via Windows Update to have all recent patches. <br /> <br />I hope this helps you. <br /> <br />Geo

[GEO2003]

Nancy, <br />Here is a good article to keep you protected, even though is not about drivers, you can use this information for your current pc or a new one. <br /> <br />http://www.pcworld.com/article/168079/10_free_musthave_windows_security_downloads.html?tk=nl_wvx_h_cbstories <br /> <br />Highlight the entire line above and paste it into your browser address. <br /> <br />Geo

[grannynan44]

Hi Geo,<br /><br />Hey thank you so very much for your advice and I think you confirmed what I pretty much already knew!And that is I'm going to have to buy a new PC....Oh Ugh!!! Oh well....Guess I will have to save up my nickles and dimes and hope by the end of the year I can get me a new one! :) <br /><br />Once again, thank you so much for taking the time to write to me and give me the information..it is very much appreciated!!<br /><br />Have a Great Day Geo!!<br /><br />Nancy