Crystal Security Flaw Affects Microsoft Products

A newly patched vulnerability in the Business Objects Crystal Reports software that is packaged with several Microsoft applications could allow an attacker to retrieve and delete files on an affected system.

The Crystal Reports patch is for one of two "moderate" vulnerabilities Microsoft fixed during its monthly Patch Tuesday, the day each month when Microsoft releases all the fixes it is ready to deliver. The other new flaw involves a DirectX feature present in most versions of Windows. However, that flaw appears to primarily affect gamers.

Microsoft uses its moderate rating to describe flaws that are difficult to exploit or at least partially mitigated by default installation settings. Both flaws are newly discovered and neither has been reported as being exploited, according to Microsoft.

Products that include Crystal Reports and are therefore vulnerable to the directory traversal flaw in the software include Visual Studio .NET 2003, Outlook 2003 with Business Contact Manager and Microsoft Business Solutions CRM 1.2.

The problem with DirectX involves versions 7.0 through 9.0 and can occur on all supported versions of Windows from Windows 98 through Windows Server 2003 except for the Windows NT 4.0 platforms. A flaw in the DirectPlay component of DirectX could allow an attacker to crash the application using DirectPlay.

The patches for the flaws are the 16th and 17th released by Microsoft this year. Technical details about the problem with Crystal Reports can be found here. The bulletin about the DirectPlay vulnerability is here.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • How To Automate Tasks in Azure SQL Database

    Knowing how to automate tasks in the cloud will make you a more productive DBA. Here are the key concepts to understand about cloud scripting and a rundown of the best tools for automating code in Azure.

  • Microsoft Open License To End Next Year for Government and Education Groups

    Microsoft's "Open License program" will end on Jan. 1, 2022, and not just for commercial customers, but also for government, education and nonprofit organizations.

  • Dealing with a Hyper-V VM That's Stuck on Screen

    A three-keystroke solution to a problem that has no discernible cause.

  • Weird Blue Tunnel Graphic

    Microsoft Goes Deep on 'Solorigate' Secondary Attack Methods

    Microsoft on Wednesday published an analysis of the second-stage "Solorigate" attack methods used by an advanced persistent threat (APT) attack group.

comments powered by Disqus