R
Raylina
Microsoft: Critical Flaw in Windows Music Program
Thu July 24, 2003 04:03 PM ET
I just read the above titled article at Reuters that
states there's a update path at:
Microsoft is offering more information and a patch at:
http://www.microsoft.com/security/security_bulletins/ms03-
03 0.asp
However this is not a valid website. If anyone knows where
or if this patch really exists please let me know. Thanks
Here is the article in its enirety:
SAN FRANCISCO (Reuters) - Microsoft Corp. MSFT.O has
issued a patch for a new, critical flaw in Windows that
could allow an attacker to take control of a victim's
computer or run malicious programs on it, the company said
on Thursday.
If exploited, the flaw could allow an attacker to delete
files, search records, send e-mails or even launch a new
attack from the victim's computer.
The problem involves how a technology in DirectX -- a
group of instructions used by Windows programs to play
audio and video -- handles MIDI (musical instrument
digital interface) files.
Basically, an attacker could write a MIDI file designed to
exploit the flaw and send it in an e-mail or host it on a
Web site or shared network, said Stephen Toulouse,
security program manager at Microsoft's Security Response
Center.
The malicious code could be launched by simply opening or
previewing the e-mail, unless the computer is running a
newer version of Outlook or the owner has downloaded
Outlook E-mail Security Update software, he said.
The attack could slip past anti-virus software and through
e-mail gateways undetected, said Russ Cooper of TruSecure
Corp., a security services provider.
"When this exploit comes out it will run on peoples'
desktops when they aren't even there," he said. That is
because "the file type is considered safe."
The flaw is rated critical for all versions of Windows
except Windows Server 2003, which has mitigating factors
that minimize the risk, Microsoft said.
There were no known exploits for the vulnerability, which
was discovered by eEye Digital Security, Microsoft said.
The Redmond, Washington-based company has issued a series
of security vulnerability advisories over the last week or
so, including another critical one last week that affected
all versions of Windows.
Microsoft is offering more information and a patch at:
http://www.microsoft.com/security/security_bulletins/ms03-
03 0.asp
Thu July 24, 2003 04:03 PM ET
I just read the above titled article at Reuters that
states there's a update path at:
Microsoft is offering more information and a patch at:
http://www.microsoft.com/security/security_bulletins/ms03-
03 0.asp
However this is not a valid website. If anyone knows where
or if this patch really exists please let me know. Thanks
Here is the article in its enirety:
SAN FRANCISCO (Reuters) - Microsoft Corp. MSFT.O has
issued a patch for a new, critical flaw in Windows that
could allow an attacker to take control of a victim's
computer or run malicious programs on it, the company said
on Thursday.
If exploited, the flaw could allow an attacker to delete
files, search records, send e-mails or even launch a new
attack from the victim's computer.
The problem involves how a technology in DirectX -- a
group of instructions used by Windows programs to play
audio and video -- handles MIDI (musical instrument
digital interface) files.
Basically, an attacker could write a MIDI file designed to
exploit the flaw and send it in an e-mail or host it on a
Web site or shared network, said Stephen Toulouse,
security program manager at Microsoft's Security Response
Center.
The malicious code could be launched by simply opening or
previewing the e-mail, unless the computer is running a
newer version of Outlook or the owner has downloaded
Outlook E-mail Security Update software, he said.
The attack could slip past anti-virus software and through
e-mail gateways undetected, said Russ Cooper of TruSecure
Corp., a security services provider.
"When this exploit comes out it will run on peoples'
desktops when they aren't even there," he said. That is
because "the file type is considered safe."
The flaw is rated critical for all versions of Windows
except Windows Server 2003, which has mitigating factors
that minimize the risk, Microsoft said.
There were no known exploits for the vulnerability, which
was discovered by eEye Digital Security, Microsoft said.
The Redmond, Washington-based company has issued a series
of security vulnerability advisories over the last week or
so, including another critical one last week that affected
all versions of Windows.
Microsoft is offering more information and a patch at:
http://www.microsoft.com/security/security_bulletins/ms03-
03 0.asp
