Microsoft flaw exploits music files

Microsoft has warned of a critical flaw in its DirectX multimedia software that could allow a hacker to take control of a PC via a music file.

The company has warned that buffer overruns are possible due to two flaws in its DirectShow software, part of DirectX.

DirectShow handles sound and video, and the flaw can be exploited by either sending a specially prepared Midi file as an email attachment, or by embedding it in a web page.

"Many users will not see multimedia files like this as hostile," said Integralis penetration tester Pete Philips.

"This makes it more likely that they would click on them than an .exe file which is traditionally used by the hacking community."

The flaw affects all versions of DirectX on all Microsoft operating systems, although users of Windows Server 2003 will have less of a problem as the default security settings makes it harder for the malware to run.

If infected, hackers will have access to the PC but will only have user privileges, not full administrator control. A patch is available here.

Microsoft has also released a patch for NT 4, despite the fact that the company no longer provides free support for the operating system.

A problem with the NT 4 Server file management software leaves systems open to denial of service (DoS) attacks.

A cumulative patch has also been issued for SQL Server version 7 and above.

This addresses three problems that could allow malware to launch DoS attacks, cause a buffer overrun or highjack communications between client and server.