Network World

Microsoft patches will put IT on hunt for affected systems

Vendor issues four critical patches
By John Fontana, Network World, 09/09/2008
Microsoft Tuesday released four critical patches targeting vulnerabilities mostly in Windows-based server and client operating systems, including one that affected 42 versions of various Microsoft software products.

“Admins will have a difficult time finding which patches are needed for which machines to get 100% coverage,” says Eric Schultze, CTO of Shavlik Technologies. “It creates a challenge for them.”

The breadth of MS08-052 made it the worst of the four bulletins Microsoft released on its monthly Patch Tuesday, because it touches so many pieces of software and because the flaws it fixes lie deep within Windows.

“Fifty-two addresses five vulnerabilities and affects the core operating system,” says Amol Sarwate, manager of the vulnerabilities research lab at Qualys. “It affects .bmp, .wmf, and .gif [image] file formats, and an attacker could either send such files as e-mail attachments or have a victim view a malicious Web page.”

Users need only surf to a Web page with a malformed image in order to be hacked.

MS08-052 modifies the way Microsoft Windows GDI+ handles viewing of malformed images. GDI+ is a class-based API for C/C++ programmers. It enables applications to use graphics and formatted text on both the video display and a printer.

MS08-052 affects multiple versions (see "Microsoft patches affect scores of systems") of Internet Explorer; the .Net Framework; Windows XP and Vista; Windows Server; Office XP, 2003 and 2007; Visio; SQL Server; Visual Studio; and other Microsoft software.

Shavlik’s Schultze also points out that third-party vendors license GDI+ from Microsoft, so corporate administrators could see their other software vendors issuing patches if those vendors have used a vulnerable version of GDI+.

“Those third-party products are not going to be covered by these patches,” Schultze says.
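
One way to find those separately shipped copies, as an added example that is not from the article or from Microsoft: a PowerShell inventory of every gdiplus.dll on a machine's fixed drives, with version, hash and location. It reports versions only; which versions are fixed has to be taken from the vendor bulletins, and the UnderWindir flag and the output file name are assumptions of this sketch.

```powershell
# Added example: inventory every gdiplus.dll copy so OS-owned and
# application-bundled copies can be checked against vendor bulletins.
function Get-GdiPlusCopy {
    [CmdletBinding()]
    param(
        # Roots to search; defaults to every local fixed drive (DriveType 3).
        [string[]]$Root = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
                           ForEach-Object { $_.DeviceID + '\' })
    )
    $winDir = $env:windir.TrimEnd('\')
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Filter 'gdiplus.dll' -File -Recurse -Force `
                      -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Use the numeric parts; the FileVersion string may carry build-lab text.
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                                 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Path        = $_.FullName
                FileVersion = $ver
                Product     = $vi.ProductName
                Company     = $vi.CompanyName
                # Heuristic (assumption): copies outside %windir% were installed by
                # an application and are not serviced with the operating system.
                UnderWindir = $_.FullName.StartsWith($winDir,
                                  [StringComparison]::OrdinalIgnoreCase)
                LastWrite   = $_.LastWriteTimeUtc
                SHA256      = $hash.Hash
            }
        }
    }
}

$copies = Get-GdiPlusCopy
# Application-bundled copies sort first; those need their own vendor's fix.
$copies | Sort-Object UnderWindir, FileVersion |
    Format-Table Computer, FileVersion, UnderWindir, Path -AutoSize
# Hypothetical output name; collect one CSV per host for central review.
$copies | Export-Csv -Path ".\gdiplus-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it elevated so protected directories are readable; paths the account cannot open are skipped silently.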

Among the other patches Microsoft issued is MS08-055, which addresses a vulnerability in Office OneNote 2007. To be hacked, a user would have to click on a specially crafted OneNote URL.

Experts say MS08-053 and MS08-054 are more low-key.

MS08-053 addresses a vulnerability in the Windows Media Encoder 9 Series that an attacker could exploit through a specially crafted Web page. MS08-054 addresses an issue with Windows Media Player 11 and the way it handles audio files streamed from a server-side playlist.

Comments (3)

Will you hunt and test each patch before deploying?
By Microsoft Subnet on September 9, 2008, 5:42 pm
With a vulnerability as scary as MS08-052, will you hunt down and test each system that will need it in your network? Or will you let it be automatically deployed...


What you really need in network security? Anti-virus, Firewall..
By Anonymous on September 10, 2008, 8:35 am
Actually, we have to protect our network far away from dangers beforehand especially in a large network (more than 50 PCs in your network), which anti-virus and firewall...


I'm sure the Dark Security market has been kept fully informed b
By Anonymous on September 10, 2008, 12:17 pm
I'm sure the Dark Security market has been kept fully informed by Microsoft Russia. http://tinyurl.com/56dvdt
