Microsoft Warns of DirectX Security Flaw

Microsoft has released a security bulletin warning that a flaw in the DirectX graphic interface in a majority of Windows computers leaves users vulnerable to buffer overruns.

The vulnerability allows hackers to execute code on a user’s PC at the user’s security level, according to Microsoft. It affects PCs running Windows 98 and higher on the client side; on the server end, Windows Server 2003, Windows 2000 Server and some versions of Windows NT are affected.

Microsoft rated the flaw’s severity as “critical” in all cases except for Windows Server 2003. The company already has made a patch available at its Web site and urges users to apply it immediately.

MIDI Problems

Specifically, the flaw exploits DirectX’s DirectShow application programming interface (API), which performs desktop audio and video functions. As a result, in addition to granting an attacker access to a user’s computer, the flaw also has the potential to cause programs employing DirectShow to crash.

To exploit this flaw, an attacker would need to devise a jiggered MIDI file and then lure a user to download it by either visiting a Web site or opening an HTML-based e-mail.

Windows Server 2003 runs on a default configuration in which Outlook Express views e-mail in plain text instead of HTML; thus, the flaw is not rated critical for this version of the OS.

One More Thing

Forrester Research principal analyst Frank Gillett told the E-Commerce Times that use of advanced graphics capabilities on PCs has increased over time. “Windows XP is leaning harder on these technologies than ever [with processes like] rendering, menu-popping and anti-aliasing fonts,” he noted.

Meanwhile, Forrester research director Ken Smiley told the E-Commerce Times that as DirectX has built its API capabilities over time, it has become a common benchmark for PC developers working with any sort of graphics.

He noted that the version of DirectX that ships with Windows is usually obsolete out-of-the-box, so users frequently download an upgrade via the Web or obtain a new version bundled with a program like Windows Media Player or a new game. Games typically ship with the latest DirectX drivers.

Enterprise First

According to Smiley, the latest DirectX flaw affects consumers significantly more than enterprises. Unfortunately for consumers, they are low on the priority list in Microsoft’s secure computing strategy.

Even so, Smiley questioned whether the announcement constituted earth-shaking news.

“It won’t be the first [time] this happens, and it won’t be the last,” he said. “You just fix it and move on.”