Silicon Shecky

Yep, that’s right, its that time of month where Microsoft’s servers get slammed. Its patch week.

This month some patches for holes that have Zero Day Exploits out for them already. Included in this is the Active X Video Hole, The Direct X Quicktime Hole, and the Open Type Font hole. The first two I had talked about when they came out, with the Direct X hole being the one that it looked like Microsoft had no serious plans of patching. Nice to be proven wrong.

There is no fix this month for Office Web components, which have recently come under attack. I expect this fix is being worked on and will be out soon. Considering the move to the cloud that people talk about, and that Office Web competes with Google Documents, they do need to secure it.

As always, I do recommend paying attention when you patch as one reader pointed out, you can choose not to install IE8, which still comes down as a critical patch, unless you download it and then stop the install of it, or tell the updater to hide the download of it. Yeah, its a pain, and unfortunately the everyday end user who we tell to make sure they install critical patches will still inadvertently install the sucker, we can at least try to educate them a little and not make the same mistake ourselves.

It seems that a vulnerability in Direct X’s Direct Show subsystem is coming under attack. Now the vulnerability allows execution of code, but only as the logged on user, which means if you are smart, then the normal user account does not have admin rights, and code executed through this vulnerability won’t be able to do as much.

The thing that makes this so major, even though it doesn’t automatically grant admin rights, is the fact that Direct X is used for a lot of multimedia applications. In fact most games use either Direct X or Open GL for rendering. Now add on that the issue is with a Quicktime subroutine in Direct Show, and that even if you have Quicktime installed on your system, the Direct X exploit Can still be access, and you have the makings of a huge issue.

Now the other thing that is interesting is that this only affects Windows 2000, 2003 and XP. Vista and 2008 are not affected, or at least have not been shown to be affected by this vulnerability.

Workarounds and more information is available in the actual Microsoft Security Advisory for this vulnerability.