DirectX targeted in Microsoft security updates

From CNET News.com: Microsoft said on Thursday that it will issue six security updates on Patch Tuesday next week, including a critical one that will fix two outstanding holes in DirectX that have been targeted in attacks.

In May, Microsoft announced that there had been attacks against a DirectX vulnerability that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.

Earlier this week, Microsoft warned of attacks exploiting a hole in the Video ActiveX Control when it is used in Internet Explorer for recording and playing video in DirectShow. Microsoft offered a workaround on Monday for that hole, which it had reportedly known about since last year.

The ActiveX control vulnerability was likely independently rediscovered by malicious hackers or leaked through the Microsoft Active Protections Program, which the company uses to share early security information with third-party vendors, according to a statement from security firm Rapid7.

Asked for comment, a Microsoft spokeswoman provided a statement that said: "Microsoft received the original, private report from Ryan Smith and Alex Wheeler with IBM ISS X-Force in the early Spring of 2008. The company did not share any information with MAPP partners about the reported Video ActiveX Control vulnerability until immediately before the advisory posting on Monday."
