Microsoft Update Fixes Critical Image Flaw
Altogether, the March patch bundle addressed critical vulnerabilities in the Windows kernel and errors ranked "important" in the DNS and WINS servers and Secure Channel that could enable hackers to commit identity theft by redirecting users to spoofed Web sites.
However, the March patch bundle did not include a fix for an actively exploited Microsoft Office Excel vulnerability that allowed hackers to launch malware attacks via infected spreadsheet files.
The one critical update included in the patch bundle, affecting all versions of Windows, resolves several vulnerabilities in the Windows kernel, the most serious of which could allow hackers to launch malicious code by enticing a victim to view a specially crafted EMF or WMF image file without any user intervention. Other vulnerabilities repaired by the update could leave the user susceptible to a denial of service attack.
"We know that attackers can reverse-engineer these patches very quickly and very easily. That is the most important one," said Wolfgang Kandek, CTO of security company Qualys. "Your machine can be controlled by the attacker. [The error] should be addressed as quickly as possible."
Another security update, given the less-severe ranking of "important," resolved security issues in the Windows DNS server and the Windows WINS server that could allow a remote attacker to redirect Web traffic to his or her own malicious Web site. Once users open the page, attackers could then capture users' passwords, credit card or bank account information for identity theft activities. Victims could also unknowingly download a Trojan or worm onto their systems if the attackers infuse the spoofed page with malicious code, security experts say.
However, while the DNS and WINS server vulnerabilities could provide a crucial step to a remote attack, security experts say that the flaw was designated "important" due to the fact that an individual would be required to have authentication or access to the server to launch an attack.
"It's not exploitable 100 percent of the time," said Amol Sarwate, vulnerability research lab manager with security vendor Qualys. "[Attackers] need to be really close to your DNS server or in your network."
The other "important" patch repaired a glitch in the Windows Secure Channel security package that could allow hackers to spoof a Web site by gaining access to the authentication credentials used by the end user.
"Customers are only affected when the public key component of the certificate used for authentication has been obtained by the attacker through other means," Microsoft said in its advisory.
So far, there are no active exploits for the flaws, but security experts recommend that users patch their systems with the available updates as soon as possible to avoid an expected onslaught of reverse-engineered attacks.
Meanwhile, Microsoft has yet to fix a critical vulnerability occurring in Microsoft Office Excel 2007 and earlier that is triggered when users open a malicious Excel spreadsheet. Once the spreadsheet is opened, a malicious binary and valid Excel document are dropped, masking the fact that Excel has either crashed or become infected with malware.
Kandek said that it is likely Microsoft researchers are still testing the patch before they make it available to the public. "They might be still testing it. Excel is a very important piece of software for many applications," he said. "Ideally, I would like to see [a patch], and I would like to see it as soon as possible."