Microsoft patches critical top-to-bottom bugs in Windows
Also sets 'kill bit' for Yahoo software, but denies connection to acquisition effort
Of the 10 vulnerabilities plugged today, Microsoft labeled seven as critical, the highest rating in its four-step threat-scoring system. Of the remainder, two were pegged as "important" and one as merely "moderate."
Analysts agreed that the most serious vulnerabilities disclosed today were the two plugged by MS08-021, a critical update for every currently supported version of Windows, including the just-released Vista Service Pack 1 (SP1) and the even newer Windows Server 2008. "That's right across the board," said Tyler Reguly, a security research engineer at nCircle Network Security Inc.
"All versions of Windows are affected," echoed Amol Sarwate, manager of Qualys Inc.'s vulnerability research lab. "You don't need to have any special software on your PC to be vulnerable."
The MS08-021 update, said Microsoft in the advisory accompanying the release, fixes two flaws in Windows' GDI, or graphics device interface, one of the core components of the operating system. Attackers can use malformed WMF (Windows Metafile) or EMF (Enhanced Metafile) image files to trigger the bugs and "take complete control of an affected system," said Microsoft.
"Users who simply view an image online or in e-mail could be compromised," said Sarwate.
Both Sarwate and Reguly noted that there are similarities between the two new GDI vulnerabilities and ones revealed in late 2005, which were extensively used by attackers for months afterward. In fact, Microsoft patched that earlier GDI vulnerability -- which was also exploited by malicious WMF and EMF files -- "out-of-cycle," or outside of its normal second-Tuesday-of-the-month update schedule.
"They are similar in scope," said Sarwate. "A malformed image file can execute code on any version of Windows." He also said that he expects attackers to make use of the vulnerability, adding, "This is wormable."
Although MS08-021 was tops on both researchers' lists, Microsoft also issued critical updates for an Office-affiliated application called Project, as well as Internet Explorer, VBScript and Jscript. It also released a patch for an ActiveX control used by Windows' Help system.
The last -- labeled MS08-023 by Microsoft -- caught the attention of both researchers, not because it patches Microsoft's own ActiveX but because it also sets the "kill bit" for a third-party program, Yahoo Inc.'s Music Jukebox.
Both Reguly and Sarwate said that was a first for Microsoft. "They're setting kill bits for third-party applications, software that doesn't come with Windows," said Reguly. "I wonder if this means that they'll work with others in the future to make broader use of the Windows Update engine."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts