By Shelley Solheim
FEBRUARY 14, 2006
IDG NEWS SERVICE
Microsoft Corp. today released seven software patches, including fixes
for security flaws in Internet Explorer (IE) and Windows Media Player
that were given a critical severity rating by the company.
But security researchers said that the latest monthly batch of patches
from Microsoft isn't particularly ominous.
"These are seven of the most boring patches I've ever seen," said Russ
Cooper, a senior information security analyst at Cybertrust Inc. in
Herndon, Va., and editor of the NTBugtraq mailing list. "I think they
were being nice to us on Valentine's Day so no one would be bogged
down applying seven [patches] tonight."
"There's definitely no super-serious, freak-out vulnerability," agreed
Mike Murray, director of vulnerability research at nCircle Network
Security Inc., a security software vendor in San Francisco.
One of the critical patches provides a fix for a vulnerability in the
way that IE handles Windows Metafile (WMF) images. However, the flaw
only affects IE 5.01 Service Pack 4 running on Windows 2000 systems
that have the SP4 version of the operating system installed, Microsoft
said in a security bulletin.
The vulnerability could enable an attacker to construct a WMF image
that would support the remote execution of code on systems if users
viewed a malicious Web site, e-mail or e-mail attachment, according to
Microsoft. If successful, an attacker could take control of an
Because the new vulnerability affects such a narrow scope of users, it
isn't as severe as the WMF flaw that Microsoft patched early last
month, ahead of the company's regular monthly patch release in
January, said Michael Sutton, director of VeriSign Inc.'s iDefense
Labs unit in Reston, Va. "We're not aware of any public exploit code
for it at this time," Sutton said.
The other critical vulnerability affects the way that Windows Media
Player processes bitmap (.bmp) files, Microsoft said. An attacker
could exploit that flaw by creating a malicious .bmp file that could
be used to execute code remotely or take control of systems if users
visited a malicious Web site or viewed a specially crafted e-mail
Microsoft deemed the Media Player flaw to be critical for users of
Windows XP SP1 and SP2 as well as Windows Server 2003, Windows 2000
SP4 and other earlier versions of the operating system.
The Media Player flaw could pose more of a ripe target for attackers
than the WMF one does, Sutton cautioned. "Even though Windows Media
Player is not something generally used to render images, it has the
capability of doing that," he said. "It's not difficult to create a
Web page that uses Windows Media Player to display an image instead of
the default application."
The remaining five patches affect products such as PowerPoint and the
Windows Web Client and were all rated as "important" fixes by
InfoSec News v2.0 - Coming Soon!