Microsoft releases seven software patches

Microsoft Corp. released seven software patches on Tuesday, including fixes for critical security flaws in Internet Explorer (IE) and Windows Media Player.

Of the two critical patches released Tuesday, update MS06-004 (http://www.microsoft.com/technet/security/Bulletin/MS06-004.mspx) provides a fix for a vulnerability in the way IE handles Windows Metafile (WMF) images, used by some CAD (computer-aided designs). The flaw could allow an attacker to construct a WMF image that could allow remote code execution if a user viewed a malicious Web site, e-mail or e-mail attachment. If successful, an attacker could take control of an affected system. The update is critical for users of Internet Explorer 5.01 Service Pack 4 running on Microsoft Windows 2000 Service Pack 4, said the bulletin.

This WMF-related vulnerability is not as severe as the WMF flaw Microsoft patched last month because it affects such a narrow scope of users, said Michael Sutton, director of VeriSign Inc.'s iDefense Labs unit in Reston, Virginia.

"We're not aware of any public exploit code for it at this time," he said.

The other critical update, MS06-005 (http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx), is for a vulnerability in the way Windows Media Player processes bitmap (.bmp) files. An attacker could exploit this flaw by creating a malicious .bmp file that could allow remote code execution if a user viewed a malicious Web site or e-mail message. This vulnerability could also allow an attacker to take control of an affected system. The update is deemed critical for users of Windows XP SP1 and SP2 and Windows Server 2003, Windows 98/SE/ME and Windows 2000 SP4.

The Windows Media Player flaw poses more of a ripe target for attackers, Sutton said. "Even though Windows Media Player is not something generally used to render images, it has the capability of doing that. It's not difficult to create a Web page that uses Windows Media Player to display an image instead of the default application. I think it's a ripe target for exploitation if we see public exploit code for it," Sutton said.

The patches this week reflected an overall trend in client-side vulnerabilities, said Sutton.

But researchers said this latest round of vulnerability patches isn't that ominous.

"These are seven of the most boring patches I've ever seen," said Russ Cooper, senior information security analyst at Cybertrust Inc. in Herndon, Va., and editor of the NTBugtraq mailing list. "I think they were being nice to us on Valentine's Day so no one would be bogged down applying seven bulletins tonight so they can get home with flowers and chocolates."

"There's definitely no super serious, freak-out vulnerability," agreed Mike Murray, director of vulnerability research for software security firm nCircle, in San Francisco.

The remaining five patches, which Microsoft deems less critical, are tagged as 'important' fixes.