Microsoft issued critical updates Tuesday, addressing multiple client-side remote code execution flaws in its Graphics Device Interface (GDI+) that could affect multiple systems and third party applications.
Microsoft said multiple vulnerabilities in its GDI+ engine could be exploited by an attacker using multiple media file types, including Vector Markup Language (VML), Windows Metafile (WMF), Enhanced Metafile (EMF), .gif and bitmap (BMP). In MS08-052, Microsoft warned that third-party applications are also affected by the vulnerability if they support GDI+. The GDI flaw affects Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server and Visual Studio.
Patching experts said the GDI flaws could be difficult for IT administrators to find and repair. It's not easy to tell if all instances of GDI+ have been addressed, said Eric Schultze, chief technology officer of Shavlik Technologies LLC in Roseville, Minn. In some cases administrators may need to deploy up to seven patches, he said.
"It's so broad and I don't think that the Microsoft [tools] will identify and patch all these different instances, so some of them might have to be done manually," Schultze said.
Schultze said the flaws should be a priority since it would be easy for an attacker to create a malicious Web banner, for example, and victimize dozens of users. The flaw was also reported by five different groups of people prior to the patch release, indicating that an exploit could have leaked out, Schultze said.
GDI flaw assistance:
Microsoft provides guidance on GDI flaws: Microsoft's Bill Sisk explains why five remote code execution vulnerabilities in GDI+ affect multiple systems and third-party applications.
As a result of the patch releases, Symantec Corp. raised its ThreatCon to Level 2 and advised customers to apply the patches immediately. Symantec said the GDI+ flaws were especially important to deploy.
"Attackers are routinely using vulnerabilities like these to gain control of endpoint systems as part of large scale fraud campaigns," said Ben Greenbaum, senior research manager, Symantec Security Response. "At least one of these vulnerabilities is highly similar to one that we have seen before, so hackers may be able to use old code or at the very least apply knowledge gained from previous attacks as a starting point for creating new malicious code."
Microsoft also plugged a remote code execution vulnerability in an ActiveX control in Windows Media Encoder 9. MS08-053 plugs a hole that could be exploited by an attacker by tricking users to view a malicious website. The flaw affects both SQL Server as well as Windows since Windows Media Encorder 9 can be installed on both, Microsoft said.
MS08-054" addresses a flaw in Windows Media Player 11, which could be remotely exploited by an attacker to gain access to critical files. The flaw, located in a real-time streaming protocol, could be exploited by tricking a user to open a specially crafted audio file from a Windows Media Server. Earlier versions of Windows Media Player are not vulnerable.
MS08-055 addressed a flaw in Microsoft OneNote, a note taking and information management program, that could be remotely exploited by an attacker. Microsoft said an attacker has to trick a user into clicking a malicious link in an email. The update affects versions of Microsoft Office.