Critical Flaw In DirectX Affects Most Windows Systems

The most serious of the three warnings involves DirectX, the set of multimedia programming instructions used by most PC games, as well as other entertainment-oriented applications and peripherals, such as sound cards and audio players. Virtually all editions of Windows, including the newest software out of Redmond, Windows Server 2003, are affected.

"Microsoft is unaware of any instances of this vulnerability being exploited, but continues to strongly encourage customers to install the patch," said a Microsoft spokesperson.

DirectX's flaw, said Microsoft, is in how it handles MIDI (Musical Instrument Digital Interface) music files. A clever attacker could craft a MIDI file to exploit the buffer overflow vulnerability, which would in turn allow any malicious code embedded in the music file to run. The intruder might then access the system with the user's privileges, where he could, for instance, delete files or even re-format the hard drive.

These MIDI files could be delivered to an unsuspecting user via HTML e-mail, in which case the end user would have to actually launch the file to compromise his PC. Another way the vulnerability could be exploited would be to insert the MIDI file into a Web site; in that scenario, said Microsoft, it's possible for the flaw to turn into a gaping security hole if a user simply visits the Web site, perhaps drawn by a link in an e-mail message.

The affected editions of DirectX range from the aging 5.2 -- which is used by Windows 98 -- to the newest version, 9.0. The vulnerability is unusual in that it applies to nearly all the currently-supported versions of Windows: systems running Windows 98, Millennium, 2000, NT, XP, and Windows Server 2003 are all at risk.

While Microsoft rated the vulnerability as 'critical,' the highest in its security warning rankings, there are some mitigating factors. On Windows Server 2003, for instance, the flaw is tagged as 'important,' the next level down.

By default, Internet Explorer on Windows Server 2003 runs in a beefed-up security mode that blocks the e-mail tactic an attacker might use. That would leave the hacker only with one ploy: lure users to a Web site that sports a malicious MIDI file.

"Unattended servers (machines without a user logged in) are not vulnerable to this attack," said the Microsoft spokesperson. Likewise, on Windows Server 2003, an administrator browsing only to trusted sites should be safe.

Patches to plug the various DirectX versions' security hole are available for download from Microsoft's TechNet Web site, and users can also retrieve the fix from the standard Windows Update site.

The second warning issued Wednesday targets systems running several versions of Microsoft SQL Server. Rated as 'important' by the Microsoft Security Response Center, the fix posted on the TechNet Web site patches three new vulnerabilities in SQL Server 7, SQL Server 2000, Microsoft Data Engine 1.0, and two editions of its SQL Server 2000 Desktop Engine. Desktop Engine is a database engine found in numerous Microsoft products, including Visual Studio, the developer edition of Microsoft Office, and Windows Server 2003.

The third alert -- rated as only 'moderate' in severity -- affects only Windows NT 4.0 Server and Windows NT 4.0 Terminal Server. This vulnerability stems from a flaw in those NT editions' file management, which could allow a remote denial of service (DoS) attack. If exploited, the server itself wouldn't fail; only the application receiving a specially built request would. It, too, has been patched, with the fix posted on the TechNet site. Nor is NT 4.0 Server vulnerable if it's deployed in its default configuration (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-029.asp).

The last 30 days have been a busy time for Microsoft. This is the third week in a row that Microsoft has released a trio of security warnings, and the second week with a vulnerability in Windows Server 2003, which Microsoft claims is its most secure operating system yet.

Of the 11 alerts during the past month, three, including this week's DirectX vulnerability, came labeled as 'critical.'

This story courtesy of TechWeb.