Microsoft fixes 14 flaws in biggest patch day since Feb.

'Repeat offenders' -- once-patched pieces patched again -- abound, says researcher

In the biggest one-day security update since February, Microsoft Tuesday issued nine bulletins that patched 14 vulnerabilities in Office, Internet Explorer (IE), and every edition of Windows. Eight of the fixes were pegged as critical, the company's highest risk rating.

Faced with an overload of vulnerabilities -- including some in components that Microsoft has patched in the past -- researchers squabbled over which should get priority.

"I think six of these are equally important," said Andrew Storms, director of security operations at nCircle Network Security.

"The GDI vulnerability is the most critical," said Amol Sarwate, the manager of Qualys' vulnerability research lab.

"MS07-042 affects everything," said Don Leatham, the director of solutions and strategies at PatchLink.

The only update that all three agreed should be moved to the top of the list was the one that patched a bug in Windows' graphics rendering engine, the Graphics Device Interface (GDI). According to Microsoft's MS07-046 advisory, the GDI bug not only affects Windows 2000, XP and Server 2003, but a successful attack could give the hacker complete control of the PC.

"This affects a core Windows subsystem, and all versions except for Windows Vista," said Sarwate. "Unlike most other vulnerabilities, this one doesn't need an application, like Internet Explorer; all that's needed is a [malformed] image file. The only good news here is that this does not affect Vista."

PatchLink's Leatham called out the GDI bug as one of two he said should be patched immediately, and rang the alarm even louder than Sarwate. "This has the potential to be as dangerous as the WMF vulnerability [from late 2005]," he said. "Microsoft makes it sound as if the typical exploit would come as some sort of e-mail attachment, but the GDI is used by about every single Microsoft application out there.

"Hackers will look at this like Nirvana, something this low level that they can use to target about every workstation in an enterprise," warned Leatham.

The WMF (Windows Metafile) vulnerability, which raised a ruckus at the end of 2005 when hackers began widely exploiting the zero-day bug, was patched in early 2006 by one of the rare out-of-cycle fixes that Microsoft has issued. Even today, the impact of the WMF exploits on Windows users remains among the largest ever.

Eight other bulletins, however, will vie for administrators' attention. Some, said Storms, Sarwate and Leatham, should get that attention before the others. Among the fixes they pointed to:

-- Storms: "The idea of virtualization is a really big thing in IT today, and everyone who does it in the enterprise has the same concern: can the guest OS [in a virtual machine] affect the host OS?" For that reason, he put the spotlight on MS07-049, even though the update was rated important. "The number one concern running virtualization software in the enterprise is 'How much can we trust the guest OS?'" he said. The bug patched today could let users with administrative privileges on the guest OS run code on the host operating system, or even on another VM's guest OS, reported Microsoft.

-- Sarwate: "MS07-045 affects all versions of Internet Explorer. This vulnerability is in the Cascading Style Sheets [CSS], which are the building blocks of any site." According to Microsoft's advisory, IE's parsing of certain strings in CSS is flawed; attackers could exploit it by enticing users to a malicious Web page, resulting in a full PC hijack.

-- Leatham: "MS07-042 affects everything." The vulnerability, which exists in multiple versions of XML Core Services, the component that lets scripts and applications, including those written in JScript or built with Visual Studio, create and process XML, affects every supported version of Windows, including Vista. Microsoft rated the bug as critical across the board. "There's so much going on with XML in enterprises," said Leatham. "That's why this is so dangerous."

Microsoft also patched flaws in Excel -- yet another vulnerability in a Microsoft Office document format -- Windows Media Player, Windows' Vector Markup Language (VML) and three of the Microsoft-made gadgets bundled with Vista.

"This is a good batch," said nCircle's Storms, but not in a nice way. "There are a lot of 'Criticals' here, and on the trends and patterns side, a lot of what I call 'repeat offenders.'" By that, Storms meant new patches that Microsoft has had to lay atop code or components patched one or more times before. "Excel is a repeat offender, so is GDI. VML is too, and XML Core Services."

As usual, Microsoft's monthly updates have been posted to Microsoft Update and Windows Update services, and can also be retrieved through Windows Server Update Services (WSUS). The necessary files can also be downloaded directly from Microsoft's Web site.
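As an added example that is not part of the article, the script below uses the Windows Update Agent COM API, which is what Windows Update, Microsoft Update and WSUS clients all drive, to report whether the bulletins the researchers singled out (MS07-042, MS07-045, MS07-046 and MS07-049) are installed, still pending, or not offered on the machine it runs on. It matches on the bulletin IDs the agent attaches to each update rather than on KB numbers, so nothing beyond the bulletin IDs named above is assumed; it does assume an elevated PowerShell session and a reachable update source, and on a WSUS-managed client it will only see updates an administrator has approved for that client.

```powershell
# Added example (not from the article): classify the August 2007 bulletins
# discussed above as installed, missing or not offered on this host, using the
# Windows Update Agent's per-update SecurityBulletinIDs collection.
$Bulletins = @('MS07-042', 'MS07-045', 'MS07-046', 'MS07-049')

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Ask for both installed and not-yet-installed software updates so that each
# bulletin can be classified, not just the ones still outstanding.
$result = $searcher.Search("(IsInstalled=0 or IsInstalled=1) and Type='Software'")

# Default every bulletin to "not offered": either the affected component is not
# present (e.g. no Virtual PC for MS07-049) or the update source has not
# approved/published it for this client yet.
$status = @{}
foreach ($b in $Bulletins) { $status[$b] = 'not offered' }

foreach ($u in $result.Updates) {
    foreach ($id in $u.SecurityBulletinIDs) {
        if ($Bulletins -contains $id) {
            $kb = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            $status[$id] = if ($u.IsInstalled) {
                "installed ($kb)"
            } else {
                "MISSING ($kb, rated $($u.MsrcSeverity))"
            }
        }
    }
}

# One line per bulletin, e.g. "MS07-046: MISSING (KB..., rated Critical)".
$status.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0}: {1}' -f $_.Name, $_.Value
}
```

Because the same API reports the update's MSRC severity, the output can be fed straight into a prioritisation list: anything still MISSING and rated Critical, in particular MS07-046, is what the three researchers above would have pushed to the front of the queue.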


Gregg Keizer

Computerworld