Two security bulletins, from December 2007 and June 2008 respectively, affecting the DirectX components of a wide range of Windows operating systems, including Windows Vista Service Pack 1 and Windows XP Service Pack 3, have been updated.
According to Microsoft, the modifications simply add DirectX 9.0a to the list of impacted DirectX versions. The pair of patches resolves no fewer than four security vulnerabilities, and both security bulletins carry Microsoft's maximum severity rating: Critical.
Released initially on December 11, 2007, Security Bulletin MS07-064 plugs security holes in DirectX 7.0, 8.1, 9.0 and 10.0 running on Windows 2000, Windows XP SP2, Windows Server 2003 and Windows Vista RTM. One of the security issues is a DirectX Code Execution Vulnerability Parsing SAMI Files, while the other is a DirectX Code Execution Vulnerability Parsing WAV and AVI Files.
"This critical security update resolves two privately reported vulnerabilities in Microsoft DirectX. These vulnerabilities could allow code execution if a user opened a specially crafted file used for streaming media in DirectX. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said.
As far as Security Bulletin MS08-033 is concerned, Microsoft patched vulnerabilities in all the DirectX and Windows versions mentioned above, as well as in XP SP3, Windows Vista SP1, and Windows Server 2008. The company resolved an MJPEG Decoder Vulnerability and a Format Parsing Vulnerability. "This security update resolves two privately reported vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file," the Redmond giant stated.