Microsoft Patches 7 Bugs; Exploits Expected Soon - InformationWeek


03:19 PM

Microsoft Patches 7 Bugs; Exploits Expected Soon

Microsoft issues security bulletins that patch seven vulnerabilities, including two tagged "critical," in Windows, Internet Explorer, Media Player, and PowerPoint.

Microsoft on Tuesday unveiled security bulletins that patched seven vulnerabilities, including two tagged "Critical," in Windows, Internet Explorer, Media Player, and PowerPoint. The month's fixes were the most posted by the Redmond, Wash.-based developer since October 2005.

Of the seven bulletins, two were marked "Critical," Microsoft's most dire warning in its four-step system, while the other five were labeled "Important," the next-most serious alert.

At first glance, some security experts thought Windows users dodged a bullet.

"When Microsoft said last week that it would release seven patches, people were holding their breath," said Alain Sergile, the technical product manager for Internet Security Systems' X-Force research group. "You had to figure with that many, the chances were great that there would be a very dangerous vulnerability. But after looking at these, I think we can let out a sigh of relief."

Or not. Within minutes, Sergile updated ISS's take on the day's patches after meeting with his researchers, and had a different spin. "After coming up with some proof-of-concept code, we now think the Windows Media Player vulnerability is extremely easy to exploit," he said.

So easy, in fact, that Sergile predicted spyware and adware purveyors would quickly turn to this new vulnerability to plant malicious code in surreptitious "drive-by downloads," as they did earlier this year using the Windows Metafile (WMF) bug.

Sergile's concern revolved around one of the two Critical bulletins, MS06-005, which patched a nine-month-old bug in Windows Media Player, Microsoft's audio, video, and streaming utility.

A problem in Media Player's parsing of .bmp image files can let an attacker gain complete control of a PC, said Microsoft, by enticing users to a malicious Web site, sending them an image via e-mail, or tucking one into a Word document. Versions 7.1, 9, and 10 are at risk, with those versions running under Windows XP SP1 and SP2, Windows 2000 SP4, and Windows Server 2003 most in danger of being exploited.

eEye Digital Security was credited with reporting the vulnerability in early May 2005.

"As we saw last month with the flaws patched by Apple for its iTunes and QuickTime applications, attack methods are increasingly targeting applications that are widely used by consumers both on the job and for personal use," said Marc Maiffret, eEye's chief hacking officer, in a statement Tuesday. "Given the enormous installed base of the affected program, individuals and enterprises need to address this particular vulnerability immediately."

"I think this will probably follow the same trajectory as the WMF bug," said Sergile. "It won't be more than a matter of days before someone comes up with an exploit, and it will see widespread use to spread spyware."
