Like Cupid's arrow, Microsoft shot right to the hearts of Windows managers this Valentine's day by offering them seven new security updates. But administrators may not receive them with stars their eyes. Two of the flaws have critical implications, one in an area the software giant is used to patching now: Internet Explorer.
According to Mark Allen, manager of the Information and Data Management team with Shavlik Technologies in Roseville, Minn., the flaws that carry the greatest risk for enterprise customers are addressed in two bulletins for Windows Media Player,
MS06-005 patches a remote code execution vulnerability in Media Player. According to Microsoft's TechNet Web site, the flaw exists because of the way the player handles processing bitmap files. An attacker could construct a malicious bitmap file (.bmp) that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. The bulletin notes that significant user interaction is required to exploit this vulnerability.
MS06-06, ranked important rather than critical, is for a flaw in the Media Player plug-in for non-Microsoft Internet browsers. The problem is with the way the Media Player plug-in handles a malformed EMBED element. An attacker could exploit the vulnerability by constructing a malicious EMBED element that could potentially allow remote code execution if a user visited a malicious Web site.
The other critically-ranked patch, MS06-004 addresses a remote code execution vulnerability in Internet Explorer. Similar to a problem patched earlier this year, the flaw is in the way IE handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could potentially allow remote code execution if a user visited a malicious Web site, opened or previewed an e-mail message, or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Microsoft also noted that the MS06-004 was separate from IE vulnerabilities addressed in previous patches, including the much-hyped WMF flaw in January that was patched by the early release of MS06-001.
This time around, Microsoft Windows 2000 Service Pack 4 is the only software impacted by the IE flaw, so the implications are not as far reaching, according to Allen.
"I think that will be less important to most enterprise desktops because most enterprise customers have upgraded their Windows 2000 desktop client images to IE6 or are already using Windows XP which isn't vulnerable," he said in an e-mail.
Missing from the updates was a patch for a vulnerability in IE publicized Monday. Microsoft was alerted to the flaw, which was discovered by a college student six months ago. The vulnerability involves dragging and dropping objects between folder views and Web pages. No patch was issued for the problem Tuesday.
Despite the lower profile of this month's flaws, Allen said he thought they needed quick attention. "We see a lot of spyware installer sites use exploits in Windows Media Player or Internet Explorer to get those spyware payloads installed in the first place," said Allen. "So those are definitely where I would want to commit the bulk of my patch testing and deployment resources."
Microsoft also released four other updates ranked "important":
MS06-007, which addresses a denial-of-service vulnerability. The flaw could allow an attacker to send a specially crafted IGMP packet to an affected system. An attacker could cause the affected system to stop responding.
MS06-008, which addresses a vulnerability in the Windows Web Client Service that could allow an attacker to take complete control of an affected system. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
A fix for Microsoft Office and Windows, MS06-009, addresses a privilege elevation vulnerability in the Korean Input Method Editor (IME). This vulnerability could allow a malicious user to take complete control of an affected system. For an attack to be successful an attacker must be able to interactively log on to the affected system.
And a patch that affects Microsoft Office, MS06-010, which addresses an information disclosure vulnerability in PowerPoint. An attacker who successfully exploited this vulnerability could remotely attempt to access objects in the Temporary Internet Files Folder (TIFF) by name.
The month's updates are the largest number of simultaneous bulletins since October when Microsoft issued 10 patches at once.
A new edition of Microsoft's malicious software removal tool was also released with the bulletins. The update removes Win32/Alcan, Win32/Badtrans, Win32/Eyeveg and Win32/Magistr, as well as Win32/MyWife.E.