Microsoft fixes critical Windows hole, others
In the latest Patch Tuesday, bulletins address flaws in Windows and Microsoft Office. The company is still working on a fix for a Mime HTML-related Windows vulnerability.
Microsoft today released three bulletins fixing four vulnerabilities in Windows and Microsoft Office, including one that is rated "critical" for Windows XP, Vista, and Windows 7.
The bulletin MS11-015 resolves one critical vulnerability in DirectShow and one in Windows Media Player and Media Center, according to the security advisory. The more severe of the flaws could allow remote code execution, and thus complete control of a computer, if a malicious Digital Video Recording file were opened. The one vulnerability rated "important" affects certain media files in all versions of Microsoft Windows, the company said in a blog post.
"Microsoft normally rates this type of file format vulnerabilities as only 'important' because user interaction is required," said Wolfgang Kandek, chief technology officer of Qualys. "However this particular flaw has a component that allows for an attack through a browser link and allows its exploitation in automated 'drive-by' fashion" by merely visiting a Web site.
The other two bulletins both address a preloading issue with DLL (Dynamic Link Library) and are rated "important." The bulletins were released as part of Patch Tuesday, the company's monthly security update roundup.
MS11-016 affects Microsoft Groove 2007 Service Pack 2 used in Office. The vulnerability could allow remote code execution if a user opened a legitimate Groove-related file that is located in the same network directory as a malicious library file.
Meanwhile, MS11-017 affects Windows Remote Client Desktop. The vulnerability could allow remote code execution if a user opened a legitimate Remote Desktop configuration file located in the same network folder as a malicious library file.
Microsoft also said it is working to provide a solution through its monthly security update process to address a Mime HTML-related hole in all supported versions of Windows which became public last month.