Microsoft patches 10 bugs in Windows, IE and Bluetooth

'No user interaction required' to hack Windows' Bluetooth, says analyst

Page 2 of 2

Both can be exploited by tempting users to a malicious Web site, said Microsoft.

MS08-033, also marked as critical, fixes a pair of serious flaws in DirectX, Windows' library of multimedia APIs. Attackers could exploit the bugs by feeding malicious files to users or possibly getting them to steer to a site that hosted malformed multimedia content streams.

Schultze wasn't sure whether an exploit would require help from the user. "The bulletin just isn't clear," he said. He also pointed out that both bugs involve flaws in the "quartz.dll," a file instrumental to DirectShow, one of DirectX's APIs. "Quartz.dll has had numerous problems in the past," said Schultze. "At least three in the last three years." Computerworld, however, was able to find just two Microsoft bulletins -- MS07-064 from last year and MS05-050 from 2005 -- that finger quartz.dll.

Beyond the three critical bulletins, the most intriguing, said Reguly, was MS08-032, a "moderate" update that fixes a flaw in Microsoft's speech API and disables an ActiveX control created by third-party developer BackWeb Technologies Inc.

"They completely left the speech API out of the prepatch notice," noted Reguly, referring to the advance warning of today's updates that Microsoft issued last Thursday.

According to BackWeb's own security advisory, the flawed ActiveX control is included with the Logitech Desktop Manager, which is update notification software bundled with Logitech's hardware, including keyboards, mice and Web cams designed for Windows. A patched version of the ActiveX control is available from Logitech International SA in an update from its site.

Microsoft simply disabled the flawed control by setting its "kill bit" in the Windows registry, a last-ditch defense often recommended when a patch isn't available. Microsoft, however, has said in the past that it would set kill bits for troubled third-party ActiveX controls via a security update at the developer's request. In April, for example, Microsoft disabled a Yahoo Inc. ActiveX control.
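As an added illustration of the kill-bit mechanism described above (example code, not from the article or from Microsoft), the following PowerShell reads the "Compatibility Flags" value that Internet Explorer consults under the ActiveX Compatibility key and reports whether the 0x400 kill bit is set for a given control; the CLSID is a placeholder, since the article does not give the BackWeb control's identifier.

```powershell
# Added example, not part of the original article: audit whether an ActiveX
# control's "kill bit" is set, i.e. whether IE refuses to instantiate it.
# Kill bits are stored per CLSID under the ActiveX Compatibility key as a
# REG_DWORD named "Compatibility Flags"; bit 0x400 set means "killed".
$KillBitFlag = 0x400

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string]$Clsid)
    # Check both the native and the 32-bit (Wow6432Node) views on 64-bit Windows.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $flags = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
            [pscustomobject]@{
                Clsid   = $Clsid
                Key     = $p
                Flags   = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { $null }
                KillBit = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
            }
        }
    }
}

function Get-AllKillBits {
    # Enumerate every CLSID that currently carries the kill bit (native view).
    $base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = (Get-ItemProperty -Path $_.PSPath).'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band $KillBitFlag)) { $_.PSChildName }
    }
}

# Usage: substitute the real CLSID of the control you want to verify; the
# value below is a placeholder, as the article does not publish the CLSID.
Get-KillBitStatus -Clsid '{PLACEHOLDER-CLSID}'
Get-AllKillBits | Select-Object -First 10
```

If Get-KillBitStatus returns nothing, no Compatibility entry exists for that CLSID at all, which is a different state from "present but not killed".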

Left unfixed today is a bug in IE that Microsoft warned users about two weeks ago. That bug, when combined with a flaw in Apple Inc.'s Safari Web browser, leaves users open to attack, Microsoft said in a security advisory on May 30.

"They haven't had time to fix that," said Schultze. "But it will be interesting to see how they handle it when they do."

June's security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Copyright © 2008 IDG Communications, Inc.
