Microsoft releases seven software patches

Microsoft issued seven software patches Tuesday, including fixes for critical security flaws in Internet Explorer (IE) and Windows Media Player.

Microsoft released seven software patches on Tuesday, including fixes for critical security flaws in Internet Explorer (IE) and Windows Media Player.

Of the two critical patches released Tuesday, update MS06-004 (http://www.microsoft.com/technet/security/Bulletin/MS06-004.mspx) provides a fix for a vulnerability in the way IE handles Windows Metafile (WMF) images, used by some CAD (computer-aided designs). The flaw could allow an attacker to construct a WMF image that could allow remote code execution if a user viewed a malicious Web site, e-mail or e-mail attachment. If successful, an attacker could take control of an affected system. The update is critical for users of Internet Explorer 5.01 Service Pack 4 running on Microsoft Windows 2000 Service Pack 4, said the bulletin.

This WMF-related vulnerability is not as severe as the WMF flaw Microsoft patched last month because it affects such a narrow scope of users, said Michael Sutton, director of VeriSign's iDefense Labs unit in Reston, Virginia.

"We're not aware of any public exploit code for it at this time," he said.

The other critical update, MS06-005 (http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx), is for a vulnerability in the way Windows Media Player processes bitmap (.bmp) files. An attacker could exploit this flaw by creating a malicious .bmp file that could allow remote code execution if a user viewed a malicious Web site or e-mail message. This vulnerability could also allow an attacker to take control of an affected system. The update is deemed critical for users of Windows XP SP1 and SP2 and Windows Server 2003, Windows 98/SE/ME and Windows 2000 SP4.

The Windows Media Player flaw poses more of a ripe target for attackers, Sutton said. "Even though Windows Media Player is not something generally used to render images, it has the capability of doing that. It's not difficult to create a Web page that uses Windows Media Player to display an image instead of the default application. I think it's a ripe target for exploitation if we see public exploit code for it," Sutton said.

The patches this week reflected an overall trend in client-side vulnerabilities, said Sutton.

But researchers said this latest round of vulnerability patches isn't that ominous.

"These are seven of the most boring patches I've ever seen," said Russ Cooper, senior information security analyst at Cybertrust Inc. in Herndon, Va., and editor of the NTBugtraq mailing list. "I think they were being nice to us on Valentine's Day so no one would be bogged down applying seven bulletins tonight so they can get home with flowers and chocolates."

"There's definitely no super serious, freak-out vulnerability," agreed Mike Murray, director of vulnerability research for software security firm nCircle, in San Francisco.

The remaining five patches, which Microsoft deems less critical, are tagged as 'important' fixes.

Among those is MS06-007 (http://www.microsoft.com/technet/security/Bulletin/MS06-007.mspx), a fix for a denial-of-service vulnerability in TCP/IP that could allow an attacker to send a specially crafted IGMP (Internet Group Management Protocol) that could cause an affected system to stop responding.

Also among the 'important' bulletins were two updates for remote code execution vulnerabilites in Windows.

One is a patch for Windows Media Player, MS06-006 (http://www.microsoft.com/technet/security/Bulletin/MS06-006.mspx), which fixes a vulnerability in the Windows Media Player plug-in for Internet browsers other than IE. An attacker could exploit the vulnerability and gain control of an affected system by constructing a malicious EMBED element that could potentially allow remote code execution if a user visited a malicious Web site.

The other remote code execution vulnerability, MS06-008 (http://www.microsoft.com/technet/security/Bulletin/MS06-008.mspx), fixes a flaw in the Windows Web Client Service. For an attacker to take complete control of an affected system by exploiting this flaw, the attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability, according to the bulletin.

Another fix, MS06-009 (http://www.microsoft.com/technet/security/Bulletin/MS06-009.mspx), addresses a privilege elevation vulnerability (which allows a user to gain unauthorized privileges on a machine or network) in the Windows and Office Korean Input Method Editor. For an attacker to take complete control of an affected system via this vulnerability, an attacker must be able to interactively log on to the affected system, said the bulletin.

Lastly, MS06-010 (http://www.microsoft.com/technet/security/Bulletin/MS06-010.mspx) fixes a vulnerability in PowerPoint that could allow a remote attacker to access objects in the Temporary Internet Files Folder (TIFF).

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Shelley Solheim

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?