'Critical' Windows flaw revealed as nine Patch Tuesday fixes loom

By Frank Washkuch
Aug 14, 2007 12:13 PM
Polish researcher Krystian Kloskowski disclosed a flaw in Microsoft DirectX SDK Version 6 this week that was ranked as having a high degree of danger by vulnerability monitoring organizations.

The flaw is caused by a boundary error in a Live Picture Corporation ActiveX control when handling the SourceUrl property, according to a Secunia advisory released today that ranks the bug as "critical."

The vulnerability can be exploited to execute arbitrary code, according to Secunia, which warned that other applications using the same ActiveX control could be affected.

FrSIRT, the French Security Incident Response Team, also ranked the flaw as "critical," adding that the bug can be exploited when a user is tricked into visiting a specially crafted webpage.

Microsoft announced this past Thursday that it plans to release two critical patches for Internet Explorer this week. Other high-risk bulletins will affect Windows, Office, XML Core Services, Visual Basic and Office for Mac. All flaws deemed "critical" by Microsoft allow remote code execution.

Paul Zimski, senior director of market strategy at Patchlink, told SCMagazine.com that this month’s distribution is particularly important because of the high number of patches that prevent remote code execution.

"Although there are only six critical patches, [the flaws] all introduce remote execution attack vectors," he said. "It’s been somewhat of a busy month in the third-party arena as well. A lot of vendors are releasing their own patches, so Microsoft isn’t the only thing going on this month. And this is definitely a nasty Patch Tuesday based on the information available."

Two of the "important" flaws awaiting a fix also allow remote code execution, according to Microsoft's advisory. Patches are set to be released for "important" flaws in Windows, Windows Vista, Virtual PC and Virtual Server.

Last month, Microsoft released six security bulletins, including three "critical" patches for Office and .NET Framework.


 