Microsoft Releases Seven New Patches
This month's list of bulletins deemed "critical" include an error in Windows Media Format Runtime, cumulative security updates for Internet Explorer and vulnerabilities in DirectShow, a component of DirectX.
All three critical patches address vulnerabilities that have significant potental for remote attackers to install malicious software on the machine of an unsuspecting victim. Altogether, seven patches issued this month cover at least 11 vulnerabilities, which security experts say still falls within the range of normal.
"That's not a terribly high number," said Ben Greenbaum, senior manager of Symantec Security Response. "It seems like a high number if you're an administrator, but compared to the releases over the past year, this is not incredibly high."
Of this month's list of scheduled patches, the cumulative update for Internet Explorer is considered one of the most serious because of the browser's broad distribution and its potential to affect a significant number of users on a variety of platforms, security personnel say.
The error occurs when Explorer accesses an object that has not been correctly initialized or deleted. An attacker could then trick an unsuspecting user into visiting a malicious Web site that would execute malicious code in the context of the logged-in user.
"It addresses a core application that will be used by many people on multiple operating systems," said Greenbaum, while recommending "a critical update for any user to apply as soon as possible."
The vulnerability in Windows Media Format Runtime, also on the top of Microsoft's critical list, has the potential to do widespread damage as well, experts say. The patch addresses the client-side vulnerability affecting Runtime when handling some Advanced Systems Format files. An attacker could subsequently exploit the error by luring an unsuspecting user into downloading or viewing a Web page or e-mail with malicious ASF content, resulting in the execution of malicious code. However, security experts warn that a user might not have to download anything at all in order for an attacker to successfully install malware.
"[Attackers] can actually set it to execute code when played in a browser," said Dave Marcus, security and information manager at McAfee Avert Labs. "That's certainly very dangerous. It's one that users, partners and enterprises should certainly pay attention to."
All of the patches labeled critical and two designated as important affect Vista, which was touted as Microsoft's most secure operating system when it was released. Of the 11 vulnerabilities addressed this month, nine affect Vista either directly or through applications running on that system. While the number of errors seems high, security researchers assert that Vista, like any new operating system, is still in the process of working out the bugs.
"They've established a monthly cycle to get fixes out in a standard, measurable manner," said Marcus. "Vista has a few more vulnerabilities than XP had. It's not necessarily that much worse. There's certainly a lot less malware."
Security researchers anticipate that Vista will likely see more repairs in the upcoming year as more users deploy the operating system and more attackers exploit its popularity.
"[Less malware] speaks to the fact that fewer people have deployed Vista. There's just a lot fewer people who are using it," said Marcus. "It really comes down to that."
Four patches, which addressed flaws in numerous versions of Windows, were given an important rating -- a designation that ranks one step below critical. Repairs deemed important were issued for vulnerabilities in Windows Message Queuing service, Windows SMB, Windows Vista Kernel and Windows Macrovision Driver.
"We generally recommend that customers first look to see if they have countermeasures that address the vulnerabilities," said Marcus. "We never recommend that people run out and download and patch in a bad manner. That can do more harm than good."