Microsoft patches critical top-to-bottom bugs in Windows

Also sets 'kill bit' for Yahoo software, but denies connection to acquisition effort

Microsoft Corp. today posted eight security updates -- more than half marked "critical" -- that patch 10 bugs in Windows, Office and Internet Explorer.

Of the 10 vulnerabilities plugged today, Microsoft labeled seven as critical, the highest rating in its four-step threat-scoring system. Of the remainder, two were pegged as "important" and one as merely "moderate."

Analysts agreed that the most serious vulnerabilities disclosed today were the two plugged by MS08-021, a critical update for every currently supported version of Windows, including the just-released Vista Service Pack 1 (SP1) and the even newer Windows Server 2008. "That's right across the board," said Tyler Reguly, a security research engineer at nCircle Network Security Inc.

"All versions of Windows are affected," echoed Amol Sarwate, manager of Qualys Inc.'s vulnerability research lab. "You don't need to have any special software on your PC to be vulnerable."

The MS08-021 update, said Microsoft in the advisory accompanying the release, fixes two flaws in Windows' GDI, or graphics device interface, one of the core components of the operating system. Attackers can use malformed WMF (Windows Metafile) or EMF (Enhanced Metafile) image files to trigger the bugs and "take complete control of an affected system," said Microsoft.

"Users who simply view an image online or in e-mail could be compromised," said Sarwate.

Both Sarwate and Reguly noted similarities between the two new GDI vulnerabilities and one revealed in late 2005, which attackers exploited extensively for months afterward. In fact, Microsoft patched that earlier GDI vulnerability, which was also triggered by malformed WMF files, "out-of-cycle," that is, outside its normal second-Tuesday-of-the-month update schedule.

"They are similar in scope," said Sarwate. "A malformed image file can execute code on any version of Windows." He also said that he expects attackers to make use of the vulnerability, adding, "This is wormable."

Although MS08-021 topped both researchers' lists, Microsoft also issued critical updates for Project, an Office-affiliated application, as well as for Internet Explorer, VBScript and JScript. It also released a patch for an ActiveX control used by Windows' Help system.

The last, labeled MS08-023 by Microsoft, caught the attention of both researchers, not because it patches Microsoft's own ActiveX control but because it also sets the "kill bit" (a registry flag that tells Internet Explorer never to load a given control) for a third-party program, Yahoo Inc.'s Music Jukebox.

Both Reguly and Sarwate said that was a first for Microsoft. "They're setting kill bits for third-party applications, software that doesn't come with Windows," said Reguly. "I wonder if this means that they'll work with others in the future to make broader use of the Windows Update engine."

Microsoft has only rarely issued fixes for flaws in other vendors' programs, and then only when that software was bundled with Windows. One of the few examples came nearly two years ago, when Microsoft patched Adobe Systems Inc.'s Flash Player using Windows Update.

"I don't know why they have this fix," added Sarwate. "This is the first time they've published anything like this. It could be that they're doing what they can, so users don't have to go to Yahoo for a fix."

Multiple vulnerabilities in the ActiveX controls installed by Yahoo Music Jukebox were made public in early February, one of several incidents around that time involving vulnerable ActiveX controls. Yahoo released an updated Jukebox that patched the buggy controls later in February.

Microsoft denied any connection between the fix to Yahoo's music player program and the company's attempt to acquire the Internet portal and search firm.

"Microsoft addressed this vulnerability in Yahoo's ActiveX control by issuing a kill bit because Yahoo came to the company directly with a request that a kill bit be issued for Yahoo's Music Jukebox," Tim Rains, a Microsoft spokesman, said via e-mail Tuesday.

Other notable updates in today's patch release, said Reguly, include MS08-022, a critical fix for a bug in VBScript and JScript. "All I can say here is, 'It's about time,'" said Reguly.

In February, Microsoft had promised a patch for the VBScript/JScript vulnerability. But it yanked the update at the last minute and offered no explanation. Although some expected to see it in the next round of updates, which were issued March 11, the patch was a no-show then as well.

Another long-awaited patch, this one for a spoofing vulnerability in Windows DNS (Domain Name System) clients, was documented in MS08-020, a bulletin marked as important. This bug, which was originally patched in 1999, resurfaced last year when a researcher pointed out that it had crept back into later versions of Windows.

All told, the eight updates provide plenty of work for system and security administrators, said Reguly. "They're going to be fairly busy the next couple of days."

April's security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Copyright © 2008 IDG Communications, Inc.
