Microsoft released seven software patches on Tuesday, including fixes for critical security flaws in Internet Explorer and Windows
Media Player.
Of the two critical patches released Tuesday, update MS06-004 provides a fix for a vulnerability in the way IE handles Windows Metafile (WMF) images, a format used by some computer-aided design (CAD) applications. The flaw could allow an attacker to construct a WMF image that could allow remote code execution if a user viewed a malicious Web site, e-mail or e-mail attachment. If successful, an attacker could take control of an affected system. The update is critical for users of Internet Explorer 5.01 Service Pack 4 running on Microsoft Windows 2000 Service Pack 4, the bulletin said.
This WMF-related vulnerability is not as severe as the WMF flaw Microsoft patched last month because it affects such a narrow
scope of users, said Michael Sutton, director of VeriSign's iDefense Labs unit in Reston, Va.
"We're not aware of any public exploit code for it at this time," he said.
The other critical update, MS06-005, is for a vulnerability in the way Windows Media Player processes bitmap (.bmp) files. An attacker could exploit this flaw
by creating a malicious .bmp file that could allow remote code execution if a user viewed a malicious Web site or e-mail message.
This vulnerability could also allow an attacker to take control of an affected system. The update is deemed critical for users
of Windows XP SP1 and SP2 and Windows Server 2003, Windows 98/SE/ME and Windows 2000 SP4.
The Windows Media Player flaw poses more of a ripe target for attackers, Sutton said. "Even though Windows Media Player is
not something generally used to render images, it has the capability of doing that. It's not difficult to create a Web page
that uses Windows Media Player to display an image instead of the default application. I think it's a ripe target for exploitation
if we see public exploit code for it," Sutton said.
The patches this week reflected an overall trend in client-side vulnerabilities, said Sutton.
But researchers said this latest round of vulnerability patches isn't that ominous.
"These are seven of the most boring patches I've ever seen," said Russ Cooper, senior information security analyst at Cybertrust
and editor of the NTBugtraq mailing list. "I think they were being nice to us on Valentine's Day so no one would be bogged
down applying seven bulletins tonight so they can get home with flowers and chocolates."