Microsoft issued a critical patch for two vulnerabilities in the core graphics subsystem of Windows, one of eight fixes released Tuesday as part of its monthly security updates.

Microsoft released a total of five critica patches in its April security bulletin. Two of them fix bugs in Windows, two fix bugs in Windows and Internet Explorer (IE), and one fixes a vulnerability in Microsoft Office. The critical rating means an attacker could potentially exploit the flaws to hack into a victim's computer.

The other patches fix vulnerabilities in Windows and Office and were rated "important." Microsoft releases patches on the second Tuesday of every month, which has become known in the industry as "Patch Tuesday." (Compare Patch and Vulnerability Management products.)

MS08-021 fixes two vulnerabilities in Windows' graphics device interface (GDI), one of three core Windows subsystems, that could allow a hacker to take over someone's computer if a user opens certain kinds of image files, according to Microsoft.

Eric Schultze, chief technology officer of security and patch-management company Shavlik Technologies, said the GDI patch is the most important because it fixes vulnerabilities that could create "a trifecta of problems" across all versions of Windows, from Windows 2000 to the latest Windows Server 2008 release. "If you visit an evil Web site, read an evil e-mail or open an evil document, you can get hacked," he said.

Schultze said the GDI issue has come up twice before, "dating back to January 2006," which means that this is Microsoft's third attempt at fixing the problems. "Hackers have come up with different variants" to attack the same vulnerabilities, he said.

Of the five patches marked critical, Schultze recommended that users also immediately install two others -- MS08-022, which affects Windows, and MS08-024, which affects both Windows and IE.

MS08-022 patches a vulnerability in VBScript and JScript scripting engines in Windows that originally was supposed to be patched in January, but Microsoft pulled the patch at the last minute because it wasn't ready, Schultze said. MS08-24 patches a vulnerability found in all versions of IE.

Amol Sarwate, manager of the Vulnerability Research Lab at security service provider Qualys, agreed that MS08-021 and MS08-022 are among the top three most important patches, but considers critical patch MS08-023 more important than MS08-022. MS08-023 fixes an ActiveX vulnerability that affects both Windows and Internet Explorer.

The IDG News Service is a Network World affiliate.

Whitepapers

• Getting in Compliance With Government Data Regulations By Leveraging Online Security Technology
• How to Offer the Strongest SSL Encryption
• Maximizing Site Visitor Trust Using Extended Validation SSL
• Seven Steps to Reducing your Security Risk
• The Latest Advancements in SSL Technology
• Vulnerability Management For Dummies

View more SECURITY whitepapers

Webcasts

• Mobile Data Security
• Best Practices for Deploying WAN Optimization for Disaster Recovery
• Key Considerations for a Successful 802.11n Deployment
• Solutions to the Toughest IT Challenges in Remote Offices
• Lowering the Cost of Email Archives
• High Availability for SQL Server 2005 Using Array-Based Replication and Host-Based Mirroring Technologies

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• Taking Virtualization Up a Notch
• The self-managed network

View more SECURITY special reports