Two security bulletins, from December 2007 and from June 2008 respectively, affecting the DirectX components of a wide range of Windows operating systems including Windows Vista Service Pack 1 and Windows XP Service Pack 3, have been updated.
Microsoft Security Bulletin MS07-064, initially released on December 11, 2007, plugs security holes in DirectX 7.0, 8.1, 9.0 and 10.0 running on Windows 2000, Windows XP SP2, Windows Server 2003 and Windows Vista RTM. One of the security issues is a DirectX Code Execution Vulnerability Parsing SAMI Files, while the other is a DirectX Code Execution Vulnerability Parsing WAV and AVI Files.
“This critical security update resolves two privately reported vulnerabilities in Microsoft DirectX. These vulnerabilities could allow code execution if a user opened a specially crafted file used for streaming media in DirectX. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said.
Microsoft Security Bulletin MS08-033 addresses vulnerabilities in DirectX that could “Allow Remote Code Execution (951698)”. Microsoft patched vulnerabilities in all the DirectX and Windows versions mentioned above, as well as in XP SP3, Windows Vista SP1, and Windows Server 2008. The company resolved an MJPEG Decoder Vulnerability and a Format Parsing Vulnerability. “This security update resolves two privately reported vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file,” the Redmond giant stated.