December Patch Tuesday: 3 bulletins critical, 4 important

Stephen Withers
Wednesday, 12 December 2007 01:27

Your IT - Home IT

Microsoft's security bulletins for December affect all currently supported versions of Windows.

This month's critical vulnerabilities were found in DirectX, Windows Media Format Runtime, and Internet Explorer. All three have the potential to allow remote code execution.

The DirectX issue is a longstanding one, affecting all currently supported versions of Windows (from 2000 to Vista) and versions 7.0, 8.1, 9.0c and 10.0 of DirectX itself. A maliciously crafted streaming media file can trigger the execution of code delivered within the media. It appears to be related to a DirectShow vulnerability that was patched in 2005.

The Windows Media vulnerability also involves code execution triggered by a maliciously crafted file.

The Internet Explorer update patches four vulnerabilities, the most serious of which allows remote code execution when visiting a maliciously crafted web page.

The effects of all the above issues is reduced if the user does not have administrative rights.

THe remaining vulnerabilities addressed this month all have a maximum rating of Important.

Vista's gets an updated kernel to overcome a privilege escalation vulnerability plus a patch for SMBv2 to block a remote code execution issue. Windows 2000 and XP get a fix for a vulnerability in the Message Queueing Service.

Finally, the previously disclosed Macrovision SECDRV.SYS vulnerability allowing privilege escalation under XP and Server 2003 has been fixed.

The usual updates for the Malicious Software Removal Tool and the Windows Mail Junk E-mail Filter were also issued.

Non-security items released include an XP patch that improves the performance of web sites using AJAX, a Daylight Saving Time update, and bug fixes for Windows Live Writer.