Microsoft has released nine security updates for flaws in
Internet Explorer, Excel and other programs within the Windows
OS. Attackers could exploit the most serious flaws to hijack
targeted machines and launch malicious code, the software company
warned.
Six updates address critical flaws, which Microsoft typically
describes as those an attacker could exploit to take complete
control of an affected system to install programs; view, change, or
delete data; or create new accounts. The rest of this month's
updates are rated important.
Amol Sarwate, manager of vulnerability research for security
firm Qualys, said IT administrators should put the most urgency
on deploying MS07-046, which fixes a flaw in how the Windows
Graphics Rendering Engine handles specially crafted images.
Microsoft said an attacker could exploit the flaw by
constructing a specially crafted image that could potentially allow
remote code execution if a user opened a specially crafted
attachment in email, and that a successful attacker could take
complete control of an affected system. All supported editions of
Windows are affected except for Windows 2003 Server Service Pack 2
and Windows Vista.
"This is a flaw that affects the core of the Windows Graphics
Library, so it should really be on the top of the list," he said,
adding that IT shops should also patch the latest Internet Explorer
and Excel flaws as soon as possible, since those programs are so
widely used.
Sarwate said this month's security updates reflect a continuing
trend toward more Web-centric vulnerabilities, with more cracks
being discovered in image files, media players and browsers.
Agreeing with him is Dave Marcus, security research and
communications manager for McAfee Avert Labs.
"Many of the vulnerabilities addressed by Microsoft's fixes
could be exploited if a Windows user simply visits a malicious Web
site," he said in an emailed statement. "Microsoft's patches again
underline the trend of malware writers seeking out the Web browser
as a means of attack and reinforce the need of safe browsing
habits."
In addition to MS07-046, the "critical" security updates are:
MS07-042, which fixes a flaw attackers could
exploit by luring Internet Explorer users to a specially crafted
Web page. Specifically, the vulnerability could be exploited by
attacking Microsoft XML Core Services. The flaw affects all
supported editions of Windows 2000, Windows XP, Windows Vista,
Microsoft Office 2003, and the 2007 Microsoft Office System.
MS07-043, which fixes a flaw in Object
Linking and Embedding (OLE) attackers could exploit to run
malicious code on targeted machines. This flaw affects all
supported editions of Windows 2000, Windows XP, Microsoft Office
2004 for Mac, and Visual Basic 6. "This security update
addresses the vulnerability by adding a check on memory requests
within OLE automation," Microsoft said in its advisory.
MS07-044, which fixes flaws in Microsoft
Excel. Attackers could exploit the flaws to launch malicious code
if a user opens a specially crafted Excel file, Microsoft said.
The update is critical for supported editions of Microsoft
Office 2000, and important for supported editions of Microsoft
Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac,
and Excel Viewer 2003. Microsoft addressed the problem by
modifying the way that the program handles specially crafted
Excel files.
MS07-045, a cumulative update for Internet
Explorer that fixes flaws attackers could exploit to launch
malicious code when a user views a specially crafted Web page
with the browser. "The security update addresses two
vulnerabilities by setting the kill bit for ActiveX controls,
and addresses a third vulnerability by modifying the way
Internet Explorer handles certain strings in CSS files,"
Microsoft said.
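The kill-bit remedy Microsoft describes above works by setting bit 0x400 of the "Compatibility Flags" value stored under the control's CLSID in the ActiveX Compatibility registry key, which stops Internet Explorer from instantiating that control. The PowerShell audit below is added here and is not part of the article or of Microsoft's bulletin; it reports whether the kill bit is present for a list of CLSIDs, and the CLSIDs it uses are placeholders, since the article does not list the affected controls.

```powershell
# Added example: audit whether the IE kill bit (0x400) is set for given CLSIDs.
# Checks both the native hive and the Wow6432Node hive used by 32-bit IE on x64.
$KillBit = 0x400
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitStatus {
    param(
        [Parameter(Mandatory)]
        [string[]]$Clsid
    )
    foreach ($id in $Clsid) {
        foreach ($root in $CompatKeys) {
            $path  = Join-Path $root $id
            $flags = $null
            if (Test-Path $path) {
                # "Compatibility Flags" is a REG_DWORD; absent key means no kill bit.
                $flags = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
            }
            $flagsHex = $null
            if ($null -ne $flags) { $flagsHex = '0x{0:X}' -f $flags }
            [pscustomobject]@{
                Clsid      = $id
                Hive       = $root
                KeyPresent = [bool](Test-Path $path)
                Flags      = $flagsHex
                KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

# PLACEHOLDER CLSIDs (constructed for this example); substitute the
# CLSIDs listed in the bulletin being verified.
$controls = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

Get-KillBitStatus -Clsid $controls | Format-Table -AutoSize
```

Any row with KeyPresent false or KillBitSet false indicates a control that Internet Explorer will still load on that machine.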
MS07-050, which fixes a flaw in the Vector
Markup Language (VML) implementation in Windows. "The
vulnerability could allow remote code execution if a user viewed
a specially crafted Web page using Internet Explorer," Microsoft
said. The update affects supported releases of Internet Explorer
5.01, Internet Explorer 6, and Internet Explorer 7.
The "important" security updates are:
MS07-047, which fixes two flaws in Windows
Media Player. "These vulnerabilities could allow code execution
if a user viewed a specially crafted file in Windows Media
Player," Microsoft said.
MS07-048, which fixes several Windows
Gadgets flaws. "If a user subscribed to a malicious RSS feed in
the Feed Headlines Gadget, added a malicious contacts file in
the Contacts Gadget or clicked on a malicious link in the
Weather Gadget, an attacker could potentially run code on the
system," Microsoft said.
MS07-049, which fixes a flaw in Microsoft
Virtual PC and Microsoft Virtual Server that could allow a guest
operating system user to run code on the host or on another guest
operating system. Microsoft noted that only guest operating
system users who are granted administrative permissions to the
guest operating system would be able to exploit this
vulnerability. The update affects all supported releases of
Microsoft Virtual PC 2004, Microsoft Virtual Server 2005,
Microsoft Virtual Server 2005 R2, Microsoft Virtual PC for Mac
Version 6.1, and Microsoft Virtual PC for Mac Version 7.