Microsoft game for plugging two security flaws

Microsoft released two security patches for its Windows operating systems on Tuesday, plugging holes in an online gaming feature and a third-party program the company includes with several applications.

One patch fixes a problem in the DirectPlay network gaming functionality of DirectX, which enables games that support the feature to offer head-to-head match ups over the internet. The security issue could enable an attacker to disrupt the connection and crash the game.

The second patch solves a security problem with the Crystal Reports Web Viewer, a third-party product included with Visual Studio .Net 2003, Outlook 2003 with Business Contact Manager, and Microsoft Business Solutions CRM 1.2. The flaw could allow for a denial-of-service attack or give an attacker access to information on the computer.

The two flaws are ranked as "moderate," the software giant's second-lowest grade for security vulnerabilities.

Stephen Toulouse, security program manager for the company, said: "Even if it is not software that Microsoft has written, it is software that Microsoft has provided, so we are issuing a fix."

The two software updates bring the total number of bulletins issued by Microsoft to 17 in 2004, though the actual number of vulnerabilities fixed by the patches is much higher.

Microsoft released patches for a score of flaws in mid-April, but the fixes did not prevent the Sasser computer worm, released to the internet 17 days later, from spreading.

The latest flaws can't be used by attackers to gain control of computers, so they can't be used by a worm writer to create a Sasser-like program.

The network-gaming flaw only affects games that use Microsoft's free peer-to-peer gaming system rather than the client-server architecture used by many multiplayer games, such as the Quake and Unreal Tournament series. The flaw is present in Microsoft's consumer desktop operating systems - including Windows 98, 98SE, ME, 2000, XP and XP 64-bit - and also affects Windows Server 2003.

"The game could either crash or the UI (user interface) might become unresponsive," Toulouse said.

The Crystal Reports Web Viewer allows users to view and modify documents created with Business Objects' Crystal Reports application. The vulnerability in the viewer could allow an attacker to delete and modify files on the victim's system.

The software giant also used the monthly update cycle to revamp its security website by collecting its scheduled monthly updates in the same place and adding an RSS (Really Simple Syndication) feed of security bulletins to its site.

Robert Lemos writes for CNET News.com