Microsoft Patches 7 Bugs; Exploits Expected Soon

Of the seven bulletins, two were marked "Critical," Microsoft's most dire warning in its four-step system, while the other five were labeled "Important," the next-most serious alert.

At first glance, some security experts thought Windows users dodged a bullet.

"When Microsoft said last week that it would release seven patches, people were holding their breath," said Alain Sergile, the technical product manager for Internet Security Systems' X-Force research group. "You had to figure with that many, the chances were great that there would be a very dangerous vulnerability. But after looking at these, I think we can let out a sigh of relief."

Or not. Within minutes, Sergile updated ISS's take on the day's patches after meeting with his researchers, and had a different spin. "After coming up with some proof-of-concept code, we now think the Windows Media Player vulnerability is extremely easy to exploit," he said.

So easy, in fact, that Sergile predicted spyware and adware purveyors would quickly turn to this new vulnerability to plant malicious code in surreptitious "drive-by downloads," as they did earlier this year using the Windows Metafile (WMF) bug.

Sergile's concern revolved around one of the two Critical bulletins, MS06-005, which patched a nine-month-old bug in Windows Media Player, Microsoft's audio, video, and streaming utility.

A problem in Media Player's parsing of .bmp image files can let an attacker gain complete control of a PC, said Microsoft, by enticing users to a malicious Web site, sending them an image via e-mail, or tucking one into a Word document. Versions 7.1, 9, and 10 are at risk, with those versions running under Windows XP SP1 and SP2, Windows 2000 SP4, and Windows Server 2003 most in danger of being exploited.

eEye Digital Security was credited with reporting the vulnerability in early May 2005.

"As we saw last month with the flaws patched by Apple for its iTunes and QuickTime applications, attack methods are increasingly targeting applications that are widely used by consumers both on the job and for personal use," said Marc Maiffret, eEye's chief hacking officer, in a statement Tuesday. "Given the enormous installed base of the affected program, individuals and enterprises need to address this particular vulnerability immediately."

"I think this will probably follow the same trajectory as the WMF bug," said Sergile. "It won't be more than a matter of days before someone comes up with an exploit, and it will see widespread use to spread spyware."

The second Critical flaw fixed Tuesday was, in fact, a follow-up to a bug in the Windows Metafile (WMF) format which was fixed for other versions of IE and Windows in early January. This new bug, however, is not the same as the one fixed last month, nor, claimed Microsoft, is it a fix for other WMF problems noted by researchers in January.

Those were downplayed by Microsoft at the time as "performance issues."

"These are different and separate issues," Microsoft said in the MS06-004 security bulletin.

Mike Murray, director of research at vulnerability management vendor nCircle, agreed with Sergile that the Media Player bug was dangerous. "Absolutely, no question," he said, "this is going to be used.

"It may not have the same legs as the WMF vulnerability, but it's still good for spreading spyware and malware. That's the problem. We've given [attackers] so many different ways to do their work. Every month a new weapon's given to them."

However, unlike Sergile, Murray also saw the Windows 2000 WMF bug as a real threat. "I don't think the number of users of Windows 2000 is necessarily that small. I wouldn't be surprised to see this hit a lot of people."

Like MS06-005, Microsoft's MS06-006 bulletin also dealt with Windows Media Player, but concerned the plug-in version used by non-Microsoft browsers. Firefox and Netscape, for instance (but not Opera), can be attacked using this vulnerability, said iDefense, the Reston, Va.-based security firm that discovered the bug and reported it to Microsoft in August 2005.

If patching wasn't possible, iDefense recommended that users assign media file extensions to a player other than Microsoft's.

The other four bulletins rolled out by Microsoft Tuesday -- MS06-007, MS06-008, MS06-009, and MS06-010 -- were all rated as "Important," and covered everything from Windows' Internet Group Management Protocol (IGMP) and its Web Client service to a Korean language pack and PowerPoint 2000, the presentation maker included with Office 2000.

"What I think is really interesting about this month's batch is the diversity of the vulnerabilities," said nCircle's Murray. "A year ago, all we would have seen would have been the regular IE patch, maybe one for Media Player or another for a server product. But this month, there's a Korean language fix, one for Web Client, and another for PowerPoint.

"It's a really diverse month.

"What this shows is that Microsoft has done a good job over the last couple of years, at least concerning the main stuff. That's forcing people to look farther and wider for vulnerabilities. Researchers have to go to new lengths to find interesting vulnerabilities."