Directions in the MS05-050 security bulletin, which was released Oct. 11 to fix a flaw in DirectX, confused some customers, who then downloaded the wrong patch, a Microsoft spokesperson said Friday.
"Microsoft is aware that a limited amount of customers, who may have obtained the wrong security update for their version of DirectX, may think they are protected when, in fact, they are not," the spokesperson acknowledged in an e-mail to TechWeb.
According to the follow-on document that Microsoft posted in its support database Thursday, some Windows 2000 users running DirectX 8.0 or DirectX 9.0 had trouble figuring out which patch to deploy. They then downloaded the wrong fix, which left their PCs still vulnerable. To make matters worse, no notification popped up to let users know they'd goofed, or to say that the machine could still be compromised.
The misstep only affected users who manually downloaded an update from Microsoft's site, the spokesperson said. "Customers who have obtained [the update] automatically through all Microsoft distribution tools are protected from the vulnerability," she added. The distribution tools she referenced include Windows Update, Microsoft Update, Software Update Services (SUS), Windows Server Update Services (WSUS), and the Systems Management Server (SMS).
Microsoft also published instructions for manually verifying if the correct update was applied by matching version numbers of the Quartz.dll file against a list included in the Knowledgebase article posted on TechNet.
The revision of MS05-050 was the second such after-the-fact change since the Redmond, Wash.-based developer released its October patches last week. Earlier, the company admitted that one of the other three critical bulletins, MS05-051, was buggy, and offered a work-around for users whose computers had been showing a variety of off-beat behaviors, including blank screens and an inability to access Windows Update.
Bulletin MS05-050 revolves around an unchecked buffer in DirectShow, a DirectX component that streams media on Windows. An attacker who got a user to play a malformed AVI file could overrun that buffer, then grab complete control of the system, introduce additional code, or even delete files.
When Microsoft released the bulletin last week, it said there was no known exploit circulating; since then, no reports have surfaced of exploits in the wild.