Critical flaw in Windows DirectX

CIOL Bureau

SAN FRANCISCO: Microsoft Corp. has issued a patch for a new, critical flaw in Windows that could allow an attacker to take control of a victim's computer or run malicious programs on it, the company said.

If exploited, the flaw could allow an attacker to delete files, search records, send e-mails or even launch a new attack from the victim's computer.

The problem involves how a technology in DirectX -- a group of instructions used by Windows programs to play audio and video -- handles MIDI (musical instrument digital interface) files.

Basically, an attacker could write a MIDI file designed to exploit the flaw and send it in an e-mail or host it on a Web site or shared network, said Stephen Toulouse, security program manager at Microsoft's Security Response Center.

The malicious code could be launched by simply opening or previewing the e-mail, unless the computer is running a newer version of Outlook or the owner has downloaded Outlook E-mail Security Update software, he said.

The attack could slip past anti-virus software and through e-mail gateways undetected, said Russ Cooper of TruSecure Corp., a security services provider.

"When this exploit comes out it will run on people's desktops when they aren't even there," he said. That is because "the file type is considered safe."

The flaw is rated critical for all versions of Windows except Windows Server 2003, which has mitigating factors that minimize the risk, Microsoft said.

There were no known exploits for the vulnerability, which was discovered by eEye Digital Security, Microsoft said.

The company has issued a series of security vulnerability advisories over the last week or so, including another critical one last week that affected all versions of Windows.

Microsoft is offering more information and a patch at: http://www.microsoft.com/security/security_bulletins/ms03-030.asp

© Reuters
