MS DirectX vuln - update available

2007-07-19, 19:25

- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=562
PUBLIC ADVISORY: 07.18.07 - "Exploitation of an input validation vulnerability in Microsoft Corp.'s DirectX library could allow an attacker to execute arbitrary code in the context of the current user. The vulnerability specifically exists in the way RLE compressed Targa format image files are opened. The Targa format allows multiple color depths and image storage options, and includes the ability to use run-length encoding (RLE) compression on the image data...
iDefense has confirmed that this vulnerability no longer exists in the June 2007 release*..."

MS - June 2007 DirectX SDK
* http://msdn2.microsoft.com/en-us/xna/aa937788.aspx
(Caution: 454MB download)

- DirectX End-User Runtimes Web Installer- 281KB download
(Digital signature dtd. June 21, 2007 12:04:59AM)
Microsoft DirectX® End-User Runtime will update your current version of DirectX — the core Windows® technology that drives high-speed multimedia and games on the PC.

Release Notes / Known Issues with the June 2007 SDK:
> http://msdn2.microsoft.com/en-us/xna/aa937789.aspx
Last updated June 13, 2007

(There is -no- MS Security Bulletin associated with this vulnerability, yet.)

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4183
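
The quoted advisory does not say which check was missing. As an added example (not code from the post, from iDefense, or from DirectX), this is the input validation a decoder for RLE-compressed Targa data needs before it writes pixels. The function name, parameters and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: decode Targa RLE packets from src into dst.
 * npixels is width*height from the header, bpp is bytes per pixel (1..4).
 * Returns 0 on success, -1 on malformed or truncated input. */
int tga_rle_decode(const uint8_t *src, size_t src_len,
                   uint8_t *dst, size_t dst_len,
                   size_t npixels, size_t bpp)
{
    size_t in = 0, out_px = 0;

    if (bpp < 1 || bpp > 4) return -1;
    /* Reject sizes that overflow or exceed the caller's buffer. */
    if (npixels > SIZE_MAX / bpp || npixels * bpp > dst_len) return -1;

    while (out_px < npixels) {
        if (in >= src_len) return -1;             /* no packet header left */
        uint8_t hdr = src[in++];
        size_t count = (size_t)(hdr & 0x7F) + 1;  /* 1..128 pixels */
        if (count > npixels - out_px) return -1;  /* packet overruns image */
        if (hdr & 0x80) {                         /* run: one pixel repeated */
            if (src_len - in < bpp) return -1;
            for (size_t i = 0; i < count; i++)
                memcpy(dst + (out_px + i) * bpp, src + in, bpp);
            in += bpp;
        } else {                                  /* raw: count literal pixels */
            size_t nbytes = count * bpp;          /* at most 128*4 */
            if (src_len - in < nbytes) return -1;
            memcpy(dst + out_px * bpp, src + in, nbytes);
            in += nbytes;
        }
        out_px += count;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: run of 3 x 0xAA, then 2 raw pixels. */
    const uint8_t sample[] = { 0x82, 0xAA, 0x01, 0x01, 0x02 };
    uint8_t out[5];
    int rc = tga_rle_decode(sample, sizeof sample, out, sizeof out, 5, 1);
    printf("rc=%d last=0x%02X\n", rc, rc == 0 ? out[4] : 0);
    return rc;
}
```

Every packet length is checked against both the remaining input and the remaining pixels declared by the header, so a file whose packets claim more data than the image holds is rejected instead of written past the buffer.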