Microsoft issues security bulletins that patched seven vulnerabilities, including two tagged "critical," in Windows, Internet Explorer, Media Player, and PowerPoint.
Microsoft on Tuesday unveiled security bulletins that patched seven vulnerabilities, including two tagged "Critical," in Windows, Internet Explorer, Media Player, and PowerPoint. The month's fixes were the most posted by the Redmond, Wash.-based developer since October 2005.
Of the seven bulletins, two were marked "Critical," Microsoft's most dire warning in its four-step system, while the other five were labeled "Important," the next-most serious alert.
At first glance, some security experts thought Windows users dodged a bullet.
"When Microsoft said last week that it would release seven patches, people were holding their breath," said Alain Sergile, the technical product manager for Internet Security Systems' X-force research group. "You had to figure with that many, the chances were great that there would be a very dangerous vulnerability. But after looking at these, I think we can let out a sigh of relief."
Or not. Within minutes, Sergile updated ISS's take on the day's patches after meeting with his researchers, and had a different spin. "After coming up with some proof-of-concept code, we now think the Windows Media Player vulnerability is extremely easy to exploit," he said.
So easy, in fact, that Sergile predicted spyware and adware purveyors would quickly turn to this new vulnerability to plant malicious code in surreptitious "drive-by downloads," as they did earlier this year using the Windows Metafile (WMF) bug.
Sergile's concern revolved around one of the two Critical bulletins, MS06-005, which patched a nine-month-old bug in Windows Media Player, Microsoft's audio, video, and streaming utility.
A problem in Media Player's parsing of .bmp image files can let an attacker gain complete control of a PC, said Microsoft, by enticing users to a malicious Web site, sending them an image via e-mail, or tucking one into a Word document. Versions 7.1, 9, and 10 are at risk, with those versions running under Windows XP SP1 and SP2, Windows 2000 SP4, and Windows Server 2003 most in danger of being exploited.
eEye Digital Security was credited with reporting the vulnerability in early May 2005.
"As we saw last month with the flaws patched by Apple for its iTunes and QuickTime applications, attack methods are increasingly targeting applications that are widely used by consumers both on the job and for personal use," said Marc Maiffret, eEye's chief hacking officer, in a statement Tuesday. "Given the enormous installed base of the affected program, individuals and enterprises need to address this particular vulnerability immediately."
"I think this will probably follow the same trajectory as the WMF bug," said Sergile. "It won't be more than a matter of days before someone comes up with an exploit, and it will see widespread use to spread spyware."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.