Microsoft Admits New Flaw. Deja Vu All Over Again.

Posted in General Discussion, edited January 2014
Microsoft reveals 'critical' flaw



David Becker, Staff Writer, CNET News.com



Microsoft issued another passel of warnings about security holes Wednesday, including a "critical" flaw that affects most Windows PCs.





The most serious of the flaws involves DirectX, a library of graphics and multimedia programming instructions used by most PC games, and could allow malicious users to run code of their choice on a vulnerable PC.



The flaw is unusually widespread, affecting all versions of DirectX from version 5.2 to the current 9.0a running on all versions of Windows from Windows 98 through the new Windows Server 2003, according to the Microsoft bulletin.



The flaw, which received Microsoft's highest severity rating, involves the way DirectX handles MIDI music files. A malformed MIDI file could overrun the buffer in DirectX, at which point extra software embedded in the file would be executed.



Exploiting the flaw would entail the creation of a maliciously malformed MIDI file, which vulnerable Windows users would have to be tricked into running, either through e-mail or a Web page. "They'd have to come up with some way to get the user to click on that file," Stephen Toulouse of Microsoft's Security Response Center said, noting that default security settings in recent versions of Microsoft Outlook e-mail software and the Internet Explorer Web browser prevent the automatic launching of such files.



Default security settings are even stronger in Windows Server 2003, Toulouse added, which is why the flaw has a lower rating of "important" for that operating system.



Toulouse said there are no known exploits of the flaw, which was discovered by eEye Digital Security, but that affected Windows users should still apply the appropriate patch as soon as possible.



Microsoft also announced the availability of a cumulative patch--rated "important"--that fixes new and previously reported vulnerabilities in the company's SQL Server software.



A third bulletin warned of a "moderate" risk for a new method to launch a denial-of-service attack against a PC that runs the Windows NT 4.0 operating system.



The latest alerts continue a busy month of security issues for the software giant.



Mike Cherry, an analyst for research firm Directions on Microsoft, said the frequency of security alerts could be bad for Microsoft's image, particularly as they relate to Windows Server 2003, one of the first poster children for the company's "trustworthy computing" initiative.



"There should be some concern that, even with the improved testing in that product, they're continuing to find these problems," he said.



But no software maker can find every flaw before a product is released, Cherry said, and at least Microsoft is being upfront about potential problems.



"They're getting much better about discussing these problems as they're found," he said. "We never would have gotten this kind of information three years ago."

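The article says only that a malformed MIDI file can overrun a buffer in DirectX; it does not say which field is involved. As a general illustration of the defensive check a parser needs, this added example (not code from the article, Microsoft or eEye; all names are hypothetical) validates every declared length in a Standard MIDI File against the bytes actually present, using constructed sample files.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum smf_status { SMF_OK, SMF_TRUNCATED, SMF_BAD_MAGIC, SMF_BAD_HEADER,
                  SMF_BAD_LENGTH, SMF_TRACK_MISMATCH };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Added illustration (hypothetical names): check each declared length against
 * the bytes present, before any later stage copies or allocates from it. */
enum smf_status smf_validate(const uint8_t *buf, size_t len) {
    if (len < 8) return SMF_TRUNCATED;
    if (memcmp(buf, "MThd", 4) != 0) return SMF_BAD_MAGIC;
    uint32_t hlen = be32(buf + 4);
    if (hlen < 6) return SMF_BAD_HEADER;          /* format, ntrks, division */
    if (hlen > len - 8) return SMF_BAD_LENGTH;    /* header runs past the file */
    size_t declared = ((size_t)buf[10] << 8) | buf[11];  /* ntrks field */
    size_t off = 8 + (size_t)hlen, seen = 0;
    while (off < len) {
        if (len - off < 8) return SMF_TRUNCATED;  /* partial chunk header */
        int is_track = memcmp(buf + off, "MTrk", 4) == 0;
        uint32_t clen = be32(buf + off + 4);
        off += 8;
        /* Compare with the bytes remaining; off + clen could wrap. */
        if (clen > len - off) return SMF_BAD_LENGTH;
        off += clen;
        seen += (size_t)is_track;
    }
    return seen == declared ? SMF_OK : SMF_TRACK_MISMATCH;
}

/* Constructed samples: a minimal one-track file, and one with an inflated length. */
static const uint8_t good_smf[] = {
    'M','T','h','d', 0,0,0,6, 0,0, 0,1, 0,0x60,
    'M','T','r','k', 0,0,0,4, 0x00,0xFF,0x2F,0x00 };
static const uint8_t bad_smf[] = {
    'M','T','h','d', 0,0,0,6, 0,0, 0,1, 0,0x60,
    'M','T','r','k', 0xFF,0xFF,0xFF,0xFF, 0x00,0xFF,0x2F,0x00 };

int main(void) {
    printf("good: %d\n", smf_validate(good_smf, sizeof good_smf));
    printf("bad:  %d\n", smf_validate(bad_smf, sizeof bad_smf));
    return 0;
}
```

The length comparison is written as `clen > len - off` rather than `off + clen > len` so that an attacker-chosen length cannot wrap the sum and slip past the check.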
Comments

  • Reply 1 of 14
    cubedude Posts: 1,556 member
    Quote:

    "critical"



    They need to use a thesaurus.
  • Reply 2 of 14
    adpowers Posts: 188 member
    Another Wednesday, another Windows exploit. What do you know. This is the third Wednesday in a row that they have announced 3 new exploits.
  • Reply 3 of 14
    shanksta Posts: 96 member
    14 Seconds to crack a Windows password using an 800 dollar comp...



    Hackers are probably having a field day with this.
  • Reply 4 of 14
    ast3r3x Posts: 5,012 member
    I don't get it...how can people still even consider MS as an option, every week they are releasing an update to fix security problems or something...I mean...I didn't read the whole article but is there even a fix for this?!





    it's just all very sad
  • Reply 5 of 14
    shanksta Posts: 96 member
    Quote:

    Originally posted by ast3r3x

    I don't get it...how can people still even consider MS as an option, every week they are releasing an update to fix security problems or something...I mean...I didn't read the whole article but is there even a fix for this?!





    it's just all very sad




    Yes it is...



    This info was ALL over the news - CNN, FOX News, and even M$NBC! Though people (at least large companies) are now moving towards Linux. I really don't think anyone even considers Apple when purchasing a new comp unless they already own one or know someone who does.



    Extremely Sad
  • Reply 6 of 14
    ast3r3x Posts: 5,012 member
    Quote:

    Originally posted by Shanksta

    Yes it is...



    This info was ALL over the news - CNN, FOX News, and even M$NBC! Though people (at least large companies) are now moving towards Linux. I really don't think anyone even considers Apple when purchasing a new comp unless they already own one or know someone who does.



    Extremely Sad




    especially considering how secure OS X seems to be...and with Panther and FileVault (or whatever it's called) that will be amazing to have
  • Reply 7 of 14
    Read the article. It's so pathetic it's hilarious. DirectX has a flaw that allows a MIDI file to take over the system and give a hacker access.... A MIDI FILE!!!!! HAHAHA.. I think the most inept programmers in the world would have a hard time bumbling things that bad!!!!



    A MIDI FILE hosted on a web site can overtake your operating system.





    A MIDI FILE
  • Reply 8 of 14
    macsrgood4u Posts: 3,007 member
    Apple has its iTMS Tuesdays and Microsoft has its New Flaw Wednesdays!
  • Reply 9 of 14
    shanksta Posts: 96 member
    Quote:

    Originally posted by MacsRGood4U

    Apple has its iTMS Tuesdays and Microsoft has its New Flaw Wednesdays!



    They wish it was ONLY on Wednesday!



    Seems one thing where Windows beats Apple is its ability to release bugs faster - I will let them win that fight.
  • Reply 10 of 14
    groverat Posts: 10,872 member
    I think MS being upfront about these things is a good sign that they are taking security issues more seriously than they used to.
  • Reply 11 of 14
    rageous Posts: 2,170 member
    MS is not being up front about anything. None of those 3 huge flaws were initially reported by MS, rather by 3rd parties.



    MS would just as soon have swept it under a rug and quietly released patches.



    I'm glad to see the OS finally getting some BAD press.
  • Reply 12 of 14
    groverat Posts: 10,872 member
    Quote:

    I'm glad to see the OS finally getting some BAD press.



    Are we on the same planet, you and I?
  • Reply 13 of 14
    shanksta Posts: 96 member
    Quote:

    Originally posted by groverat

    I think MS being upfront about these things is a good sign that they are taking security issues more seriously than they used to.



    It's not that they are taking responsibility for it - they are saying something so they won't look like COMPLETE idiots if all "high security" Windows machines are hacked. This way they can at least say they knew about it, warned people, and are trying to fix it.
  • Reply 14 of 14
    ast3r3x Posts: 5,012 member
    Quote:

    Originally posted by groverat

    Are we on the same planet, you and I?







    the only good press Windows gets is from MS