Microsoft Fixes Eight Flaws With Four Critical Patches
This month's patch load plugged a total of five security holes in GDI+, as well as other glitches found in Microsoft Office, Windows Media Player and Windows Media Encoder. The updates affected numerous versions of Windows, including Vista, XP, Windows 2000, Windows Server 2003, and Windows Server 2008.
Security experts say that aligning with current security trends, all four of Microsoft's fixes this month resolve vulnerabilities delivered via the Web browser.
"The attackers can host malicious content, bad images, bad links, all of which can be pulled through your Web browser," said Tom Stracener, senior security analyst for Cenzic. "These are serious flaws that attackers could use to attack the client side. This is really a trend we've seen in our trend report."
Of the four security updates Microsoft issued, security experts say the patch for Windows GDI+, an imaging and graphics library, addressed one of the most serious flaws: it fixed a total of five imaging vulnerabilities that could allow a remote attacker to execute malicious code on a user's computer. The vulnerabilities could be exploited if an attacker successfully enticed a user to open a maliciously crafted image file, or if a user viewed malicious content while browsing the Web. Generally, users are lured into opening malicious Web pages and attachments through some kind of phishing message or social engineering tactic.
"This is a critical patch from a client side standpoint. It could attack you or me just browsing the Web," said Stracener. "That's a very serious vulnerability."
Stracener said, however, that the underlying GDI+ problem could be more significant because the error could affect anyone who installed an application requiring ms.net.
Another widespread flaw fixed by this month's patch load was an error in Windows Media Player that could enable an attacker to run malicious code on victims' computers by enticing them to open a maliciously crafted audio file streamed from a Windows Media server. If the exploit were successful, the attacker could take complete control of a machine: installing new programs, deleting or altering data, and creating new accounts with full access privileges.
"Things like this could be used to create worms," said Stracener. "The problem just spreads."
The September patch load also included a fix for a vulnerability that can be exploited if a user clicks a maliciously constructed OneNote URL. An exploit could also be launched if a user with an unpatched system visited a malicious Web page that silently opened a dangerous URL in OneNote. As in many malicious attacks, the victim would likely be enticed to click a malicious link with some kind of social engineering message delivered through e-mail.
In addition, the September security bulletin also addressed a vulnerability found in Windows Media Encoder 9 Series, stemming from an ActiveX flaw, which could be exploited if a remote attacker lured a user to view a malicious Web page.
While Microsoft officials maintain that there currently are no known active exploits for these vulnerabilities, security experts assert that users should update their systems as soon as possible before attackers reverse engineer the code and launch remote attacks.
"These are updates that the ordinary Internet user should apply," said Stracener. "If they don't, then there is fertile ground for attackers to install malware on their machines."