Microsoft issues security bulletins that patched seven vulnerabilities, including two tagged "critical," in Windows, Internet Explorer, Media Player, and PowerPoint.
Microsoft on Tuesday unveiled security bulletins that patched seven vulnerabilities, including two tagged "Critical," in Windows, Internet Explorer, Media Player, and PowerPoint. The month's fixes were the most posted by the Redmond, Wash.-based developer since October 2005.
Of the seven bulletins, two were marked "Critical," Microsoft's most dire warning in its four-step system, while the other five were labeled "Important," the next-most serious alert.
At first glance, some security experts thought Windows users dodged a bullet.
"When Microsoft said last week that it would release seven patches, people were holding their breath," said Alain Sergile, the technical product manager for Internet Security Systems' X-force research group. "You had to figure with that many, the chances were great that there would be a very dangerous vulnerability. But after looking at these, I think we can let out a sigh of relief."
Or not. Within minutes, Sergile updated ISS's take on the day's patches after meeting with his researchers, and had a different spin. "After coming up with some proof-of-concept code, we now think the Windows Media Player vulnerability is extremely easy to exploit," he said.
So easy, in fact, that Sergile predicted spyware and adware purveyors would quickly turn to this new vulnerability to plant malicious code in surreptitious "drive-by downloads," as they did earlier this year using the Windows Metafile (WMF) bug.
Sergile's concern revolved around one of the two Critical bulletins, MS06-005, which patched a nine-month-old bug in Windows Media Player, Microsoft's audio, video, and streaming utility.
A problem in Media Player's parsing of .bmp image files can let an attacker gain complete control of a PC, said Microsoft, by enticing users to a malicious Web site, sending them an image via e-mail, or tucking one into a Word document. Versions 7.1, 9, and 10 are at risk, with those versions running under Windows XP SP1 and SP2, Windows 2000 SP4, and Windows Server 2003 most in danger of being exploited.
eEye Digital Security was credited with reporting the vulnerability in early May 2005.
"As we saw last month with the flaws patched by Apple for its iTunes and QuickTime applications, attack methods are increasingly targeting applications that are widely used by consumers both on the job and for personal use," said Marc Maiffret, eEye's chief hacking officer, in a statement Tuesday. "Given the enormous installed base of the affected program, individuals and enterprises need to address this particular vulnerability immediately."
"I think this will probably follow the same trajectory as the WMF bug," said Sergile. "It won't be more than a matter of days before someone comes up with an exploit, and it will see widespread use to spread spyware."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.