Microsoft released seven software patches yesterday, including fixes for critical security flaws in Internet Explorer (IE) and Windows Media Player.
Of the two critical patches released Tuesday, update MS06-004 provides a fix for a vulnerability in the way IE handles Windows Metafile (WMF) images. The flaw could allow an attacker to construct a WMF image that would permit remote code execution if a user viewed a malicious website, email or email attachment. If successful, an attacker could take control of an affected system. The update is critical for users of IE 5.01 Service Pack 4.0 running on Microsoft Windows 2000 Service Pack 4.0, according to the bulletin.
This WMF-related vulnerability is not as severe as the WMF flaw Microsoft patched last month because it affects a narrower scope of users, said Michael Sutton, director of VeriSign's iDefense Labs unit in Virginia.
"We're not aware of any public exploit code for it at this time," he said.
The other critical update, MS06-005, is for a vulnerability in the way Windows Media Player processes bitmap (.bmp) files. An attacker could exploit this flaw by creating a malicious .bmp file that could allow remote code execution if a user viewed a malicious website or email message. This vulnerability could also allow an attacker to take control of an affected system. The update is deemed critical for users of Windows XP SP1 and SP2 and Windows Server 2003, Windows 98/SE/ME and Windows 2000 SP 4.0.
The Windows Media Player flaw presents a riper target for attackers, Sutton said. "Even though Windows Media Player is not something generally used to render images, it has the capability of doing that. It's not difficult to create a web page that uses Windows Media Player to display an image instead of the default application. I think it's a ripe target for exploitation if we see public exploit code for it," Sutton said.
The patches this week reflected an overall trend in client-side vulnerabilities, said Sutton.
But researchers said this latest round of vulnerability patches isn't ominous.
"These are seven of the most boring patches I've ever seen," said Russ Cooper, senior information security analyst at Cybertrust and editor of the NTBugtraq mailing list. "I think they were being nice to us on Valentine's Day so no one would be bogged down applying seven bulletins tonight so they can get home with flowers and chocolates."
"There's definitely no super-serious, freak-out vulnerability," agreed Mike Murray, director of vulnerability research at software security firm nCircle, in San Francisco.
The remaining five patches, which Microsoft deems less critical, are tagged as 'important' fixes.
Among those is MS06-007, a fix for a denial-of-service vulnerability in TCP/IP that could allow an attacker to send a specially crafted IGMP (Internet Group Management Protocol) that could cause an affected system to stop responding.
Also among the 'important' bulletins were two updates for remote code execution vulnerabilites in Windows.
One is a patch for Windows Media Player, MS06-006, which fixes a vulnerability in the Windows Media Player plug-in for internet browsers other than IE. An attacker could exploit the vulnerability and gain control of an affected system by constructing a malicious Embed element that could potentially allow remote code execution if a user visited a malicious website.
The other remote code execution vulnerability, MS06-008, fixes a flaw in the Windows Web Client Service. For an attacker to take complete control of an affected system by exploiting this flaw, the attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability, according to the bulletin.
Another fix, MS06-009, addresses a privilege elevation vulnerability (which allows a user to gain unauthorised privileges on a machine or network) in the Windows and Office Korean Input Method Editor. For an attacker to take complete control of an affected system via this vulnerability, an attacker must be able to interactively log on to the affected system, said the bulletin.
Lastly, MS06-010 fixes a vulnerability in PowerPoint that could allow a remote attacker to access objects in the Temporary Internet Files Folder.