Microsoft issues seven security patches

IDG News Service - Microsoft Corp. today released seven software patches, including fixes for security flaws in Internet Explorer (IE) and Windows Media Player that were given critical severity ratings by the company.
But security researchers said that the latest monthly batch of patches from Microsoft isn't particularly ominous.
"These are seven of the most boring patches I've ever seen," said Russ Cooper, a senior information security analyst at Cybertrust Inc. in Herndon, Va., and editor of the NTBugtraq mailing list. "I think they were being nice to us on Valentine's Day so no one would be bogged down applying seven [patches] tonight."
"There's definitely no super-serious, freak-out vulnerability," agreed Mike Murray, director of vulnerability research at nCircle Network Security Inc., a security software vendor in San Francisco.
One of the critical patches provides a fix for a vulnerability in the way that IE handles Windows Metafile (WMF) images. However, the flaw affects only IE 5.01 Service Pack 4 running on Windows 2000 systems that have the SP4 version of the operating system installed, Microsoft said in a security bulletin.
The vulnerability could enable an attacker to construct a WMF image that would support the remote execution of code on systems if users viewed a malicious Web site, e-mail or e-mail attachment, according to Microsoft. If successful, an attacker could take control of an affected system.
Because the new vulnerability affects such a narrow scope of users, it isn't as severe as the WMF flaw that Microsoft patched early last month, ahead of the company's regular monthly patch release in January, said Michael Sutton, director of VeriSign Inc.'s iDefense Labs unit in Reston, Va. "We're not aware of any public exploit code for it at this time," Sutton said.
The other critical vulnerability affects the way that Windows Media Player processes bitmap (.bmp) files, Microsoft said. An attacker could exploit that flaw by creating a malicious .bmp file that could be used to execute code remotely or take control of systems if users visited a malicious Web site or viewed a specially crafted e-mail message.
Microsoft deemed the Media Player flaw to be critical for users of Windows XP SP1 and SP2 as well as Windows Server 2003, Windows 2000 SP4 and other earlier versions of the operating system.
The Media Player flaw could pose more of a ripe target for attackers than the WMF one does, Sutton cautioned. "Even though Windows Media Player is not something generally used to render images, it has the capability of doing that," he said. "It's not difficultto create a Web page that uses Windows Media Player to display an image instead of the default application."
The remaining five patches affect products such as PowerPoint and the Windows Web Client and were all rated as "important" fixes by Microsoft.