Microsoft releases seven software patches

Microsoft issued seven software patches Tuesday, including fixes for critical security flaws in Internet Explorer (IE) and Windows Media Player.

Microsoft released seven software patches on Tuesday, including fixes for critical security flaws in Internet Explorer (IE) and Windows Media Player.

Of the two critical patches released Tuesday, update MS06-004 ( provides a fix for a vulnerability in the way IE handles Windows Metafile (WMF) images, used by some CAD (computer-aided designs). The flaw could allow an attacker to construct a WMF image that could allow remote code execution if a user viewed a malicious Web site, e-mail or e-mail attachment. If successful, an attacker could take control of an affected system. The update is critical for users of Internet Explorer 5.01 Service Pack 4 running on Microsoft Windows 2000 Service Pack 4, said the bulletin.

This WMF-related vulnerability is not as severe as the WMF flaw Microsoft patched last month because it affects such a narrow scope of users, said Michael Sutton, director of VeriSign's iDefense Labs unit in Reston, Virginia.

"We're not aware of any public exploit code for it at this time," he said.

The other critical update, MS06-005 (, is for a vulnerability in the way Windows Media Player processes bitmap (.bmp) files. An attacker could exploit this flaw by creating a malicious .bmp file that could allow remote code execution if a user viewed a malicious Web site or e-mail message. This vulnerability could also allow an attacker to take control of an affected system. The update is deemed critical for users of Windows XP SP1 and SP2 and Windows Server 2003, Windows 98/SE/ME and Windows 2000 SP4.

The Windows Media Player flaw poses more of a ripe target for attackers, Sutton said. "Even though Windows Media Player is not something generally used to render images, it has the capability of doing that. It's not difficult to create a Web page that uses Windows Media Player to display an image instead of the default application. I think it's a ripe target for exploitation if we see public exploit code for it," Sutton said.

The patches this week reflected an overall trend in client-side vulnerabilities, said Sutton.

But researchers said this latest round of vulnerability patches isn't that ominous.

"These are seven of the most boring patches I've ever seen," said Russ Cooper, senior information security analyst at Cybertrust Inc. in Herndon, Va., and editor of the NTBugtraq mailing list. "I think they were being nice to us on Valentine's Day so no one would be bogged down applying seven bulletins tonight so they can get home with flowers and chocolates."

"There's definitely no super serious, freak-out vulnerability," agreed Mike Murray, director of vulnerability research for software security firm nCircle, in San Francisco.

The remaining five patches, which Microsoft deems less critical, are tagged as 'important' fixes.

Among those is MS06-007 (, a fix for a denial-of-service vulnerability in TCP/IP that could allow an attacker to send a specially crafted IGMP (Internet Group Management Protocol) that could cause an affected system to stop responding.

Also among the 'important' bulletins were two updates for remote code execution vulnerabilites in Windows.

One is a patch for Windows Media Player, MS06-006 (, which fixes a vulnerability in the Windows Media Player plug-in for Internet browsers other than IE. An attacker could exploit the vulnerability and gain control of an affected system by constructing a malicious EMBED element that could potentially allow remote code execution if a user visited a malicious Web site.

The other remote code execution vulnerability, MS06-008 (, fixes a flaw in the Windows Web Client Service. For an attacker to take complete control of an affected system by exploiting this flaw, the attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability, according to the bulletin.

Another fix, MS06-009 (, addresses a privilege elevation vulnerability (which allows a user to gain unauthorized privileges on a machine or network) in the Windows and Office Korean Input Method Editor. For an attacker to take complete control of an affected system via this vulnerability, an attacker must be able to interactively log on to the affected system, said the bulletin.

Lastly, MS06-010 ( fixes a vulnerability in PowerPoint that could allow a remote attacker to access objects in the Temporary Internet Files Folder (TIFF).

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Shelley Solheim

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?