Microsoft released nine security updates Tuesday for flaws in Internet Explorer, Excel and other Windows components and Microsoft programs. Attackers could exploit the most serious flaws to hijack targeted machines and launch malicious code, the software giant warned.
Six updates address critical flaws, which Microsoft typically describes as those an attacker could exploit to take complete control of an affected system to install programs; view, change, or delete data; or create new accounts. The rest of this month's updates are rated important.
Amol Sarwate, manager of vulnerability research for Redwood Shores, Calif.-based security firm Qualys, said IT administrators should put the most urgency on deploying MS07-046, which fixes a flaw in how Windows' Graphics Rendering Engine handles specially crafted images.
Microsoft said an attacker could exploit the flaw with a specially crafted image, for example one sent as an email attachment; if a user opened it, the attacker could execute code remotely and take complete control of the affected system. All supported editions of Windows are affected except Windows Server 2003 Service Pack 2 and Windows Vista.
"This is a flaw that affects the core of the Windows Graphics Library, so it should really be on the top of the list," he said, adding that IT shops should also patch the latest Internet Explorer and Excel flaws as soon as possible, since those programs are so widely used.
Sarwate said this month's security updates reflect a continuing trend toward more Web-centric vulnerabilities, with more cracks being discovered in image files, media players and browsers. Agreeing with him is Dave Marcus, security research and communications manager for McAfee Avert Labs.
"Many of the vulnerabilities addressed by Microsoft's fixes could be exploited if a Windows user simply visits a malicious Web site," he said in an emailed statement. "Microsoft's patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need for safe browsing habits."
In addition to MS07-046, the "critical" security updates are:
MS07-042, which fixes a flaw attackers could exploit by luring Internet Explorer users to a specially crafted Web page. Specifically, the vulnerability could be exploited by attacking Microsoft XML Core Services. The flaw affects all supported editions of Windows 2000, Windows XP, Windows Vista, Microsoft Office 2003, and the 2007 Microsoft Office System.
MS07-043, which fixes a flaw in Object Linking and Embedding (OLE) that attackers could exploit to run malicious code on targeted machines. This flaw affects all supported editions of Windows 2000, Windows XP, Microsoft Office 2004 for Mac, and Visual Basic 6. "This security update addresses the vulnerability by adding a check on memory requests within OLE automation," Microsoft said in its advisory.
MS07-044, which fixes flaws in Microsoft Excel. Attackers could exploit the flaw to launch malicious code if a user opens a specially crafted Excel file, Microsoft said. The update is critical for supported editions of Microsoft Office 2000, and important for supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, and Excel Viewer 2003. Microsoft addressed the problem by modifying the way that the program handles specially crafted Excel files.
MS07-045, a cumulative update for Internet Explorer that fixes flaws attackers could exploit to launch malicious code when a user views a specially crafted Web page with the browser. "The security update addresses two vulnerabilities by setting the kill bit for ActiveX controls, and addresses a third vulnerability by modifying the way Internet Explorer handles certain strings in CSS files," Microsoft said.
MS07-050, which fixes a flaw in the Vector Markup Language (VML) implementation in Windows. "The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer," Microsoft said. The update affects supported releases of Internet Explorer 5.01, Internet Explorer 6, and Internet Explorer 7.
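MS07-045 blocks two of its vulnerabilities by setting the ActiveX "kill bit," which stops Internet Explorer from loading a control even if it stays installed. The script below is an added example, not code from the article or from Microsoft, for administrators who want to confirm on a machine that the kill bit is actually in place after patching. It relies on the documented registry mechanism (a "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility key); the CLSIDs in it are placeholders, since the article does not list the affected controls.

```powershell
# Added example (not from the article or Microsoft): audit whether the ActiveX
# kill bit is set for a list of CLSIDs. Internet Explorer refuses to load a
# control when the DWORD "Compatibility Flags" under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# has bit 0x400 set. The CLSIDs below are PLACEHOLDERS; substitute the ones
# listed in the MS07-045 bulletin.

$KillBit = 0x400
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit view on 64-bit Windows; absent on 32-bit systems.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $Roots) {
        $key   = Join-Path $root $Clsid
        $flags = $null
        if (Test-Path $key) {
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        # $null -band 0x400 evaluates to 0, so a missing key reports no kill bit.
        [pscustomobject]@{
            Clsid   = $Clsid
            View    = $(if ($root -like '*Wow6432Node*') { 'WOW64' } else { 'Native' })
            Flags   = $flags
            KillBit = [bool]($flags -band $KillBit)
        }
    }
}

$PlaceholderClsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder, not a real control
    '{00000000-0000-0000-0000-000000000002}'    # placeholder, not a real control
)

$PlaceholderClsids | ForEach-Object { Test-KillBit -Clsid $_ } | Format-Table -AutoSize
```

A row with KillBit equal to False for a control the bulletin says should be blocked means the update did not apply as expected and the machine still loads that control.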
The "important" security updates are:
MS07-047, which fixes two flaws in Windows Media Player. "These vulnerabilities could allow code execution if a user viewed a specially crafted file in Windows Media Player," Microsoft said.
MS07-048, which fixes several Windows Gadgets flaws. "If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget, added a malicious contacts file in the Contacts Gadget or clicked on a malicious link in the Weather Gadget, an attacker could potentially run code on the system," Microsoft said.
MS07-049, which fixes a flaw in Microsoft Virtual PC and Microsoft Virtual Server that could allow a guest operating system user to run code on the host or on another guest operating system. Microsoft noted that only guest operating system users who are granted administrative permissions to the guest operating system would be able to exploit this vulnerability. The update affects all supported releases of Microsoft Virtual PC 2004, Microsoft Virtual Server 2005, Microsoft Virtual Server 2005 R2, Microsoft Virtual PC for Mac Version 6.1, and Microsoft Virtual PC for Mac Version 7.