
Microsoft provides guidance on GDI flaws

By Bill Sisk
09 Sep 2008 | SearchSecurity.com



Managing risk assessment and security updates can sometimes feel like walking a tightrope, balancing the extent of testing against the speed of deploying the security update. Often when I sit with customers, many questions are laid on the table. What percentage of systems does the technology/product affect? Is the issue on the client side, server side or both? Is there exploit code in the wild? The list goes on. I hope this month's column makes it more like walking across a bridge, rather than a tightrope, by answering as many questions as possible.


With this in mind, I will cover each of the bulletins released for the month of September and provide some guidance around GDI+.

MS08-052
This security update addresses five remote code execution vulnerabilities in GDI+. For the attack vector, a user's machine can be compromised if she or he opens a specially crafted file. The file types include Vector Markup Language (VML), Windows Metafile (WMF), Enhanced Metafile (EMF), .gif and bitmap (BMP).

So what is GDI+? Graphics Device Interface and then some. It basically gives a developer dynamic ways to display graphics to the screen or printer (graphics being quite central to one's computing experience). My explanation is very rudimentary. If you want a better understanding of the technology, please see our GDI+ reference or pick up a book from your local bookstore. There are plenty of authors to choose from.

Since GDI+ can be implemented across a swath of products, and has been by Microsoft, chances are the technology has been implemented in a number of third-party applications as well. Thus, in your risk assessment, third-party applications should also be an area of focus. See the Microsoft bulletin for more details on third-party applications.

Which brings me to a point of key importance: There may be scenarios where more than one update needs to be installed on a system. For example, a version of an operating system you are running is vulnerable, so you update the system. If you have a vulnerable application installed on that same system, you will also need to install the security update for the application to that system.
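An added example, not from this column or from Microsoft, of the inventory step this point implies: GDI+ is implemented in gdiplus.dll, and applications that redistribute their own copy outside the Windows directory need that application's update in addition to the Windows one. The script below lists every copy on a system with its file version; $MinimumFixedVersion is a placeholder to be replaced with the fixed version given in the MS08-052 bulletin for your platform.

```powershell
# Added example: inventory every gdiplus.dll on the system and flag copies
# that are below a minimum version. Assumption: GDI+ lives in gdiplus.dll.
param(
    [string[]]$Roots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}"),
    # PLACEHOLDER: replace with the fixed file version listed in MS08-052 for your platform.
    [version]$MinimumFixedVersion = [version]'0.0.0.0'
)

$results = foreach ($root in $Roots | Where-Object { $_ -and (Test-Path $_) }) {
    Get-ChildItem -Path $root -Filter 'gdiplus.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v = $_.VersionInfo
            $fileVersion = [version]("{0}.{1}.{2}.{3}" -f $v.FileMajorPart, $v.FileMinorPart,
                                                          $v.FileBuildPart, $v.FilePrivatePart)
            [pscustomobject]@{
                Path         = $_.FullName
                FileVersion  = $fileVersion
                # Copies outside %SystemRoot% are normally redistributed by an application
                # and are serviced by that application's update, not by the Windows update.
                Owner        = if ($_.FullName -like "$env:SystemRoot*") { 'Windows' } else { 'Third-party application' }
                BelowMinimum = $fileVersion -lt $MinimumFixedVersion
            }
        }
}

$results | Sort-Object Owner, Path | Format-Table -AutoSize

# Non-zero exit if any copy is still below the minimum, so the check can gate a deployment.
if ($results | Where-Object BelowMinimum) { exit 1 } else { exit 0 }
```

Run it per system (or through your management tooling) after the Windows update is installed; any row marked "Third-party application" that is still below the minimum points at an application that needs its own update.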

About Inside MSRC:
As part of a special partnership with SearchSecurity.com, Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.


I encourage you to review the bulletin carefully, since there are other considerations to keep in mind when planning your deployment strategy.

Lastly, test, test, test! It's not a pleasant experience to come in on a Monday morning and find that a key application isn't working properly. With that said, here at Microsoft we have been testing, testing, testing, and then some. We have absolute quality in the front of our minds, so we have a very high confidence level in the quality of the update. However, with the plethora of diverse computing environments around the globe, it goes without saying that we can't cover it all.

At the same time, it's important to get this security update deployed in a timely manner because of the aforementioned vulnerabilities.

MS08-053
This security update addresses a remote code execution vulnerability in Windows Media Encoder 9, specifically ActiveX control wmex.dll, which the encoder installs. This vulnerability could be exploited if a user views a malicious website.

Windows Media Encoder 9 is not shipped with any version of Windows, but is bundled with the Advanced Windows Media Plug-In for Adobe Premiere 6.5 (Beta). In addition, Windows Media Encoder 9 can be installed on clients and servers.

Systems that are running Internet Explorer 7 in its default setting are not affected. Please see the MS08-053 bulletin for additional details.

MS08-054
This is a vulnerability in Windows Media Player that could allow remote code execution if a user opens a specially crafted audio file from a Windows Media Server. Specifically, Windows Media Player 11 incorrectly handles specially crafted audio-only files streamed from a Windows Media Server in a server-side playlist (SSPL). This vulnerability only affects Windows Media Player 11 and encompasses clients and servers.

There is a workaround that can be implemented while testing this update: the file wmpeffects.dll can be unregistered. Please see the Microsoft bulletin for more details.

MS08-055
This is a vulnerability in Microsoft OneNote that could allow remote code execution if a user clicks a specially crafted OneNote URL, which is typically spread through email. Versions of Microsoft Office are affected by this vulnerability. However, OneNote 2007 must be installed on the system for Microsoft Office to be affected. Typically, Microsoft Office is installed on client systems.

Conclusion
As you have seen, the bulletin addressing GDI+ should be given very close attention. So with that in mind, I would suggest not reading the bulletin right before bedtime.

Although I have given this bulletin quite a bit of attention, it by no means indicates that the other security updates are of lesser importance. These updates are also a good way to defend against threats. The Windows Media Encoder 9 update addresses a vulnerability that allows remote code execution if a user visits a malicious website.

On the other hand, if you don't have this technology in your environment, you can move on to assess Windows Media Player 11 and OneNote for applicability.

On a final note, our number one priority is to protect customers and make the security ecosystem at large more secure -- there are security researchers that feel the same way. With this in mind, as I like to mention when applicable, none of the vulnerabilities addressed in the bulletins were irresponsibly disclosed. I would like to give a warm thank you to those who worked with us on this release. As usual, they are listed at the bottom of each bulletin.

Also, please take a moment and register for our regular monthly security bulletin webcast, which will be held on Wednesday, Sept. 10, at 11 a.m. PDT.

Christopher Budd and Adrian Stone of the Microsoft Security Response Center will review information about each bulletin to further aid in your planning and deployment. Immediately following the review session, they will answer your questions with information from our assembled panel of experts. If you aren't able to view the live webcast, it will also be available on demand.

Please take a moment and mark your calendars for the October 2008 monthly bulletin. The release is scheduled for Tuesday, Oct. 14, and the advance notification is scheduled for Thursday, Oct. 9. Look for the October edition of this column on release day with information to help you with your planning and deployment of the most recent security bulletins.
