SECURITY FIX: DirectX 8 on Win2000/ME/98 SE/98

[TechZ]

DirectX consists of a set of low-level Application Programming Interfaces (APIs) used by Windows programs for multimedia support. Within DirectX, the DirectShow technology performs client-side audio and video sourcing, manipulation and rendering. There are two buffer overruns with identical effects in the function used by DirectShow to check parameters in a Musical Instrument Digital Interface (MIDI) file. A security vulnerability results because it would be possible for a malicious user to attempt to exploit these flaws and execute code in the security context of the logged on user.

An attacker could seek to exploit this vulnerability by creating a specially crafted MIDI file designed to exploit this vulnerability and then host it on a Web site or on a network share, or send it via an HTML email. In the case where the file was hosted on a web site or network share, the user would need to open the specially crafted file. If the file was embedded in a page, the vulnerability could be exploited when a user visited the Web page. In the HTML E-mail case, the vulnerability could be exploited when a user opened or previewed the HTML e-mail. A successful attack could have the effect of either causing DirectShow, or an application making use of DirectShow, to fail, or causing an attacker's code to run on the user's computer in the security context of the user.

Download: Security Fix for DirectX 8 on Windows 2000/ME/98 SE/98

[slgrieb]

Uh, why not just update to DirectX 9.0c so in one swell foop you can fix all the old bugs and be exposed to all the latest ones?

[TechZ]

As slgrieb pointed out, for those still using an older version of Dx, update:
http://www.microsoft.com/windows/directx/default.aspx

[Luxman]

DirectX8-KBB19696-x86-ENU.exe

Properties/Digital Signatures/Thursday, August 07, 2003 (!)

[TechZ]

Date Published: 9/22/2005

They mustve been testing :P

or mabye its an updated version of an older fix?

[Platypus]

or mabye its an updated version of an older fix?

Most likely. The DirectX buffer vulnerability has been around since 2003, but if the fix has been updated, it would also be made available for extended phase products, as the vulnerability is classified critical. Some people could still be using DX8 for compatability reasons.