Microsoft releases monthly security patches


Microsoft has warned customers about security holes that hackers could exploit to launch denial-of-service attacks against Windows applications.

One security hole affects a Windows component called IDirectPlay4, which is used to support multiplayer network games.

A remote attacker could trigger the security vulnerability by connecting to a machine using DirectPlay and sending it a specially misformatted data packet. When received, that packet would cause the application using DirectPlay to crash, Microsoft said.

Microsoft has published a bulletin describing the hole, MS04-016, and rated the problem "moderate". It said the hole is difficult to exploit and can be fixed by changing configuration settings or other factors.

Microsoft has provided patches for both 32- and 64-bit versions of Windows XP and Windows Server 2003 and has said customers should consider applying the updates.

The company has also patched three of its products to plug a new hole in the Crystal Reports and Crystal Enterprise reporting tools from Business Objects. The hole could allow a remote attacker to use a web interface to retrieve or delete files on affected systems, Microsoft said.

Microsoft released the patches in keeping with its stated policy of trying to limit security updates to one day, typically the second Tuesday of each month.

After releasing more than 20 patches for security holes in April, many of them related to "critical" holes in versions of Windows and the Internet Explorer web browser, Microsoft has had two quiet months. The company issued one bulletin in April for a single, non-critical vulnerability.

Paul Roberts writes for IDG News Service
