News

Crystal Security Flaw Affects Microsoft Products

• By Scott Bekker
• June 08, 2004

A newly patched vulnerability in the Business Objects Crystal Reports software that is packaged with several Microsoft applications could allow an attacker to retrieve and delete files on an affected system.

The Crystal Reports patch is for one of two "moderate" vulnerabilities Microsoft fixed during its monthly Patch Tuesday, the day each month when Microsoft releases all the fixes it is ready to deliver. The other new flaw involves a DirectX feature present in most versions of Windows. However, that flaw appears to primarily affect gamers.

Microsoft uses its moderate rating to describe flaws that are difficult to exploit or at least partially mitigated by default installation settings. Both flaws are newly discovered and neither has been reported as being exploited, according to Microsoft.

Products that include Crystal Reports and are therefore vulnerable to the directory traversal flaw in the software include Visual Studio .NET 2003, Outlook 2003 with Business Contact Manager and Microsoft Business Solutions CRM 1.2.

The problem with DirectX involves versions 7.0 through 9.0 and can occur on all supported versions of Windows from Windows 98 through Windows Server 2003 except for the Windows NT 4.0 platforms. A flaw in the DirectPlay component of DirectX could allow an attacker to crash the application using DirectPlay.

The patches for the flaws are the 16th and 17th released by Microsoft this year. Technical details about the problem with Crystal Reports can be found here. The bulletin about the DirectPlay vulnerability is here.