Managing risk assessment and security-updates can sometimes feel like walking a tight rope, balancing the extent of testing versus speed to deploy the security update. Often when I sit with customers, many questions are laid on the table. What percentage of systems does the technology/product affect? Is the issue on the client side, server side or both? Is there exploit code in the wild? The list goes on. I hope this month's column...
makes it more like walking across a bridge, rather than a tight rope, by answering as many questions as possible.
With this in mind, I will cover each of the bulletins released for the month of September and provide some guidance around GDI+.
This security update addresses five remote code execution vulnerabilities in GDI+. For the attack vector, a user's machine can be compromised if she or he opens a specially crafted file. The file types include Vector Markup Language (VML), Windows Metafile (WMF), Enhanced Metafile (EMF), .gif and bitmap (BMP).
So what is GDI+? Graphics Device Interface and then some. It basically gives a developer dynamic ways to display graphics to the screen or printer (graphics being quite central to one's computing experience). My explanation is very rudimentary. If you want a better understanding of the technology, please see our GDI+ reference or pick up a book from your local bookstore. There are plenty of authors to choose from.
Since GDI+ can be implemented across a swath of products, and has been by Microsoft, chances are the technology has been implemented in a number of third-party applications as well. Thus, in your risk assessment, third-party applications should also be an area of focus. See the Microsoft bulletin for more details on third-party applications.
Which brings me to a point of key importance: There may be scenarios where more than one update needs to be installed on a system. For example, a version of an operating system you are running is vulnerable, so you update the system. If you have a vulnerable application installed on that same system, you will also need to install the security update for the application to that system.
I encourage you to review the bulletin carefully, since there are other considerations to keep in mind when planning your deployment strategy.
Lastly, test, test, test! It's not a pleasant experience to come in on a Monday morning and find that a key application isn't working properly. With that said, here at Microsoft we have been testing, testing, testing, and then some. We have absolute quality in the front of our minds, so we have a very high confidence level in the quality of the update. However, with the plethora of diverse computing environments around the globe, it goes without saying that we can't cover it all.
At the same time, it's important to get his security update deployed in a timely manner because of the aforementioned vulnerabilities.
This security update addresses a remote code execution vulnerability in Windows Media Encoder 9, specifically ActiveX control wmex.dll, which the encoder installs. This vulnerability could be exploited if a user views a malicious website.
Windows Media Encoder 9 is not shipped with any version of Windows, but is bundled with the Advanced Windows Media Plug-In for Adobe Premier 6.5 (Beta). In addition, Windows Media Encoder 9 can be installed on clients and servers.
Systems that are running Internet Explorer 7 in its default setting are not affected. Please see the MS08-053 bulletin for additional details.
This is a vulnerability in Windows Media Player that could allow remote code execution if a user opens a specially crafted audio file from a Windows Media Server. Specifically, Windows Media Player 11 incorrectly handles specially crafted audio-only files streamed from a Windows Media Server in a server-side playlist (SSPL). This vulnerability only affects Windows Media Player 11 and encompasses clients and servers.
There is a work-around that can be implemented while testing this update. The file wmpeffects.dll can be unregistered. Please see the Microsoft bulletin for more details.
This is a vulnerability in Microsoft OneNote that could allow remote code execution if a user clicks a specially crafted OneNote URL, which is typically spread through email. Versions of Microsoft Office are affected by this vulnerability. However, OneNote 2007 must be installed on the system for Microsoft Office to be affected. Typically, Microsoft Office is installed on client systems.
As you have seen, the bulletin addressing GDI+ should be given very close attention. So with that in mind, I would suggest not reading the bulletin right before bedtime.
Although I have given this bulletin quite a bit of attention, it by no means indicates that the other security updates are of lesser importance. These updates are also a good way to defend against threats. The Windows Media Encoder 9 addresses a vulnerability that allows remote execution if a user visits a malicious website.
On the other hand, if you don't have this technology in your environment, you can move on to assess Windows Media Player 11 and OneNote for applicability.
On a final note, our number one priority is to protect customers and make the security ecosystem at large more secure -- there are security researchers that feel the same way. With this in mind, as I like to mention when applicable, none of the vulnerabilities addressed in the bulletins were irresponsibly disclosed. I would like to give a warm thank you to those who worked with us on this release. As usual, they are listed at the bottom of each bulletin.
Also, please take a moment and register for our regular monthly security bulletin webcast, which will be held on Wednesday, Sept. 10, at 11 a.m. PDT.
Christopher Budd and Adrian Stone of the Microsoft Security Response Center will review information about each bulletin to further aid in your planning and deployment. Immediately following the review session, they will answer your questions with information from our assembled panel of experts. If you aren't able to view the live webcast, it will also be available on demand.
Please take a moment and mark your calendars for the October 2008 monthly bulletin. The release is scheduled for Tuesday Oct. 14 and the advance notification is scheduled for Thursday, Oct. 9. Look for the October edition of this column on release day with information to help you with your planning and deployment of the most recent security bulletins.