News

Crystal Security Flaw Affects Microsoft Products

A newly patched vulnerability in the Business Objects Crystal Reports software that is packaged with several Microsoft applications could allow an attacker to retrieve and delete files on an affected system.

The Crystal Reports patch is for one of two "moderate" vulnerabilities Microsoft fixed during its monthly Patch Tuesday, the day each month when Microsoft releases all the fixes it is ready to deliver. The other new flaw involves a DirectX feature present in most versions of Windows. However, that flaw appears to primarily affect gamers.

Microsoft uses its moderate rating to describe flaws that are difficult to exploit or at least partially mitigated by default installation settings. Both flaws are newly discovered and neither has been reported as being exploited, according to Microsoft.

Products that include Crystal Reports and are therefore vulnerable to the directory traversal flaw in the software include Visual Studio .NET 2003, Outlook 2003 with Business Contact Manager and Microsoft Business Solutions CRM 1.2.

The problem with DirectX involves versions 7.0 through 9.0 and can occur on all supported versions of Windows from Windows 98 through Windows Server 2003 except for the Windows NT 4.0 platforms. A flaw in the DirectPlay component of DirectX could allow an attacker to crash the application using DirectPlay.

The patches for the flaws are the 16th and 17th released by Microsoft this year. Technical details about the problem with Crystal Reports can be found here. The bulletin about the DirectPlay vulnerability is here.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.