http://www.eweek.com/article2/0,1895,1874284,00.asp By Ryan Naraine October 20, 2005 For the second time in as many weeks, the MSRC has revised one of its "critical" security bulletins after some users complained of problems figuring out which patch to apply. It appears that Windows 2000 users running Microsoft DirectX 8.0 or DirectX 9.0 had problems sorting through the bulletin to find the appropriate patches. In the ensuing confusion, the incorrect patch was applied, leaving the PC vulnerable to code execution attacks. A spokesperson for the Microsoft Security Response Center acknowledged the information mix-up but stressed that only a small subset of Windows 2000 users were affected. "Microsoft is aware that a limited amount of customers, who may have obtained the wrong security update for their version of DirectX, may think they are protected, when in fact, they are not," the spokesperson said in a statement released to Ziff Davis Internet News. "This only affects users who have selected the wrong package manually," she added. The spokesperson said that PC users who obtained the security update automatically through all Microsoft distribution tools, or have followed the steps in the bulletin to obtain the update for their systems, "are protected from the associated vulnerability." The revised MS05-050 bulletin now contains a Knowledge Base article with new information clarifying the issue. In the article, Microsoft explained that if the individual update package for DirectX 7.0 was installed on a Windows 2000 computer that is running DirectX 8 or DirectX 9, the patch did not fix the underlying vulnerability. Additionally, in those scenarios, the user did not receive notification that the patch was not applied. The company also published additional information to help users verify the version of Quartz.dll associated with the DirectX version to determine whether a computer was correctly updated. The MS05-050 bulletin was one of three "critical" security updates shipped this month to cover Windows code execution holes. The bulletin contained patches for an unchecked buffer in Microsoft DirectShow, the default Windows component used for high-quality capture and playback of multimedia streams. DirectShow is integrated with other DirectX technologies. Malicious hackers could exploit the DirectShow bug to take complete control of an affected system, but the threat is mitigated because some user interaction is required. For example, the victim must be tricked into launching a specially crafted .avi multimedia file for an attack to be successful. Immediately after this month's Patch Tuesday, Microsoft acknowledged that one of the patches to cover a critical Windows 2000 worm hole was causing problems for some customers. The problems with that patch ranged from empty Network Connections folders to incorrect recommendations from the Windows Update Web site. A separate Knowledge Base article was published with workarounds for Windows XP, Windows 2000 Server and Windows Server 2003 customers with the patch deployment problems. _________________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Fri Oct 21 2005 - 14:02:42 PDT