Microsoft DirectX DirectShow Length Record Remote Code Execution Vulnerability

Microsoft patched nine vulnerabilities this month for Patch Tuesday. Among them are two critical flaws that have come under attack by hackers. - Microsoft released six security bulletins for this months Patch Tuesday, including fixes for vulnerabilities impacting DirectShow and the Video ActiveX Control that have been targeted by attackers.
The bulletins address a total of nine vulnerabilities. Three of the bulletins – the ones affecting...

Microsoft Corp. today issued software updates to plug at least nine different security holes in its various Windows operating systems and other software. Today's patch batch includes fixes for two very serious flaws that are actively being exploited by attackers to break into vulnerable PCs. Redmond issued patches to fix the vulnerability in itsVideo ActiveX Control for Internet Explorer, as well as the DirectShow flaw in Windows. Criminals currently are using both security holes to plant rogue software on PCs when users visit certain hacked or malicious Web sites. Contrary to what Microsoft itself said, the company did not release an official patch to plug the other ActiveX flaw hackers are actively exploiting -- which I first wrote about yesterday. Instead, it has released an interim workaround to blunt the threat from that weakness. Unfortunately, someone at Redmond seems to be a little confused about this point. In its advisory,

ZDI-09-045: Microsoft DirectShow Quicktime Atom Parsing Memory Corruption Vulnerability

TPTI-09-05: Microsoft DirectShow QuickTime Atom Parsing Memory Corruption Vulnerability