Microsoft releases seven software patches

Microsoft issued seven software patches Tuesday, including fixes for critical security flaws in Internet Explorer (IE) and Windows Media Player.

Microsoft released seven software patches on Tuesday, including fixes for critical security flaws in Internet Explorer (IE) and Windows Media Player.

Of the two critical patches released Tuesday, update MS06-004 (http://www.microsoft.com/technet/security/Bulletin/MS06-004.mspx) provides a fix for a vulnerability in the way IE handles Windows Metafile (WMF) images, used by some CAD (computer-aided designs). The flaw could allow an attacker to construct a WMF image that could allow remote code execution if a user viewed a malicious Web site, e-mail or e-mail attachment. If successful, an attacker could take control of an affected system. The update is critical for users of Internet Explorer 5.01 Service Pack 4 running on Microsoft Windows 2000 Service Pack 4, said the bulletin.

This WMF-related vulnerability is not as severe as the WMF flaw Microsoft patched last month because it affects such a narrow scope of users, said Michael Sutton, director of VeriSign's iDefense Labs unit in Reston, Virginia.

"We're not aware of any public exploit code for it at this time," he said.

The other critical update, MS06-005 (http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx), is for a vulnerability in the way Windows Media Player processes bitmap (.bmp) files. An attacker could exploit this flaw by creating a malicious .bmp file that could allow remote code execution if a user viewed a malicious Web site or e-mail message. This vulnerability could also allow an attacker to take control of an affected system. The update is deemed critical for users of Windows XP SP1 and SP2 and Windows Server 2003, Windows 98/SE/ME and Windows 2000 SP4.

The Windows Media Player flaw poses more of a ripe target for attackers, Sutton said. "Even though Windows Media Player is not something generally used to render images, it has the capability of doing that. It's not difficult to create a Web page that uses Windows Media Player to display an image instead of the default application. I think it's a ripe target for exploitation if we see public exploit code for it," Sutton said.

The patches this week reflected an overall trend in client-side vulnerabilities, said Sutton.

But researchers said this latest round of vulnerability patches isn't that ominous.

"These are seven of the most boring patches I've ever seen," said Russ Cooper, senior information security analyst at Cybertrust Inc. in Herndon, Va., and editor of the NTBugtraq mailing list. "I think they were being nice to us on Valentine's Day so no one would be bogged down applying seven bulletins tonight so they can get home with flowers and chocolates."

"There's definitely no super serious, freak-out vulnerability," agreed Mike Murray, director of vulnerability research for software security firm nCircle, in San Francisco.

The remaining five patches, which Microsoft deems less critical, are tagged as 'important' fixes.

Among those is MS06-007 (http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx), a fix for a denial-of-service vulnerability in TCP/IP that could allow an attacker to send a specially crafted IGMP (Internet Group Management Protocol) that could cause an affected system to stop responding.

Also among the 'important' bulletins were two updates for remote code execution vulnerabilites in Windows.

One is a patch for Windows Media Player, MS06-006 (http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx), which fixes a vulnerability in the Windows Media Player plug-in for Internet browsers other than IE. An attacker could exploit the vulnerability and gain control of an affected system by constructing a malicious EMBED element that could potentially allow remote code execution if a user visited a malicious Web site.

The other remote code execution vulnerability, MS06-008 (http://www.microsoft.com/technet/security/Bulletin/MS06-008.mspx), fixes a flaw in the Windows Web Client Service. For an attacker to take complete control of an affected system by exploiting this flaw, the attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability, according to the bulletin.

Another fix, MS06-009 (http://www.microsoft.com/technet/security/Bulletin/MS06-009.mspx), addresses a privilege elevation vulnerability (which allows a user to gain unauthorized privileges on a machine or network) in the Windows and Office Korean Input Method Editor. For an attacker to take complete control of an affected system via this vulnerability, an attacker must be able to interactively log on to the affected system, said the bulletin.

Lastly, MS06-010 (http://www.microsoft.com/technet/security/Bulletin/MS06-010.mspx) fixes a vulnerability in PowerPoint that could allow a remote attacker to access objects in the Temporary Internet Files Folder (TIFF).

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Shelley Solheim

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?