MS Warns: Critical DirectShow Flaw Could Poison Windows

By Dennis Faas

It's still a few days until Valentine's Day, but Microsoft has already delivered its February security gift for Windows users.

In yesterday's Patch Tuesday release, the Redmond-based software firm unveiled fixes for 26 vulnerabilities, almost one-fifth of which are rated "critical".

Critical Fixes for Windows, MS Office Suite

The recent patches address flaws in Microsoft's Windows operating system and its Office software suite. Five of the vulnerabilities have been earmarked "critical", Microsoft's highest threat rating, another seven "important", and one "moderate".

Across the board, a total of 13 security bulletins have been released to address the 26 vulnerabilities.

In addition to the fixes, Microsoft has provided a temporary workaround for a widely discussed flaw in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Media Player Flaw Tops Threat List

Security firm nCircle believes that the most alarming of the vulnerabilities has been addressed by Microsoft Security Bulletin MS10-013, a patch for a flaw in Microsoft's media player.

"The nature of the exploit lends itself to drive-by attacks that leave unsuspecting victims infected," said nCircle's Andrew Storms, director of security operations. (Source: informationweek.com)

"Since media is what excites people most on the Internet today, an exploit of this bug would make it extremely easy to entice users to watch videos that are actually gateways to malware."

Remote Denial Of Service (DoS) Attacks

However, another security expert, Qualys CTO Wolfgang Kandek, says MS10-013 isn't the only patch users should be concerned about. He believes MS10-006, which addresses a flaw in the SMB (Server Message Block) client, and MS10-012, an aid for server administrators, are equally important.

On the latter threat, Kandek noted: "It allows a malicious, unauthenticated party to launch a remote denial of service attack... In addition remote authenticated clients can execute code using another flaw addressed in the bulletin."

For its part, the Microsoft Security Blog has pegged MS10-013 as the patch that "should be at the top of your list." The company warns that without the fix, a DirectShow user could accidentally open a poisoned .AVI (audio/video) file and trigger an attack. (Source: pcworld.com)
