Microsoft issues seven security patches
IDG News Service -
Microsoft Corp. today released seven software patches, including fixes for security flaws in Internet Explorer (IE) and Windows Media Player that were given critical severity ratings by the company.
But security researchers said that the latest monthly batch of patches from Microsoft isn't particularly ominous.
"These are seven of the most boring patches I've ever seen," said Russ Cooper, a senior information security analyst at Cybertrust Inc. in Herndon, Va., and editor of the NTBugtraq mailing list. "I think they were being nice to us on Valentine's Day so no one would be bogged down applying seven [patches] tonight."
"There's definitely no super-serious, freak-out vulnerability," agreed Mike Murray, director of vulnerability research at nCircle Network Security Inc., a security software vendor in San Francisco.
One of the critical patches provides a fix for a vulnerability in the way that IE handles Windows Metafile (WMF) images. However, the flaw affects only IE 5.01 Service Pack 4 running on Windows 2000 systems that have the SP4 version of the operating system installed, Microsoft said in a security bulletin.
The vulnerability could enable an attacker to construct a WMF image that would support the remote execution of code on systems if users viewed a malicious Web site, e-mail or e-mail attachment, according to Microsoft. If successful, an attacker could take control of an affected system.
Because the new vulnerability affects such a narrow scope of users, it isn't as severe as the WMF flaw that Microsoft patched early last month, ahead of the company's regular monthly patch release in January, said Michael Sutton, director of VeriSign Inc.'s iDefense Labs unit in Reston, Va. "We're not aware of any public exploit code for it at this time," Sutton said.
The other critical vulnerability affects the way that Windows Media Player processes bitmap (.bmp) files, Microsoft said. An attacker could exploit that flaw by creating a malicious .bmp file that could be used to execute code remotely or take control of systems if users visited a malicious Web site or viewed a specially crafted e-mail message.
Microsoft deemed the Media Player flaw to be critical for users of Windows XP SP1 and SP2 as well as Windows Server 2003, Windows 2000 SP4 and other earlier versions of the operating system.
The Media Player flaw could pose more of a ripe target for attackers than the WMF one does, Sutton cautioned. "Even though Windows Media Player is not something generally used to render images, it has the capability of doing that," he said. "It's not difficultto create a Web page that uses Windows Media Player to display an image instead of the default application."
The remaining five patches affect products such as PowerPoint and the Windows Web Client and were all rated as "important" fixes by Microsoft.
Reprinted with permission from
Story copyright 2009 International Data Group. All rights reserved.
Security
Additional Resources



White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
