Critical Patches Follow Windows WMF Trouble

A day Microsoft intended for normally-scheduled security updates turned into a fire-dousing exercise after last week’s patch of an exploit in its Windows Metafile (WMF) image processor.

While security experts are now minimizing the impact of a WMF vulnerability (especially now that it’s been patched since last Thursday), Microsoft issued a similar warning as part of its monthly security patches released today, only this time about Web fonts.

One of today’s security bulletins, rated critical (MS06-002), is similar to last Thursday’s WMF warnings because the vulnerability affects all users of Internet Explorer surfing the Web.

“This is much like WMF,” said Johannes Ullrich, Chief Research Officer for SAN. Ullrich recommends users install the patch without delay.

The patch is similar to the WMF vulnerability that Microsoft updated outside of its regular patching cycle last week. In the latest patch, an embedded fonts threat requires a user be enticed to visit a Web site, according to Alain Sergile, Technical Product Manager of Internet Security Systems X Force research.

Athough embedded Web fonts present a vulnerability easier to exploit, The other bulletin (MS06—002), addresses a vulnerability in Microsoft Office and Microsoft Exchange with much wider possible impact. This, too, was rated critical as part of Microsoft’s monthly security bulletin notices, otherwise known as Patch Tuesday.

The patch in this bulletin is because vulnerabilities in Microsoft Office and Microsoft Exchange could, if exploited, allow attackers to take control of a PC with or without user participation, according to Microsoft.

The security concern centers on Microsoft’s use of proprietary e-mail code. The vulnerability is made even more important since Microsoft Exchange Server 5.0 Service Pack 2 and Microsoft Exchange Server 5.5 Service Pack 4 are targeted, according to Ullrich. Microsoft Exchange Server 2003 is not affected, according to Redmond.

Microsoft initially planned today to release a patch for the WMF vulnerabilities discovered in December. However, pressure from companies and security experts prompted the patch to appear last week. While the WMF bug yesterday was described as potentially enabling malicious instructions, researchers scaled back their concerns and alerts today.

“At this point, it is only a nuisance,” Oliver Friedrichs, Senior Manager for Symantec’s Security Response, told internetnews.com. Upon first learning of the report, Symantec recommended users disable the Windows Picture and Fax Viewer, applications that are launched when Internet Explorer processes Web site graphics. After analyzing the WMF file format, Symantec followed that it thinks end users need not worry.

While some feared the vulnerability might enable malicious commands to be executed, the bugs cannot be exploited beyond causing computers to crash, according to Friedrichs.

Avaya, which sells communications equipment, warned its customers systems running on Windows 2000 were vulnerable to the WMF bug. Microsoft offers security patches only for Windows 2000 SP4 or newer.

“As it turns out, these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit,” wrote Lennart Wistrand, Microsoft’s security program manager in a blog entry at the Microsoft Security Response Center.

Friedrichs agrees with Wistrand that the remaining WMF vulnerabilities can be addressed through the usual patching process.

Although Microsoft points to the quick reaction in face of the WMF threat as a sign of its improved stance on security, Ullrich describes the response as “very disappointing.”

“Microsoft took their time addressing a public exploit,” said Sergile.

MS06-002 for Internet Explorer Web Fonts
MS06-003 for Exchange and Outlook

MS06-002 for Internet Explorer Web Fonts
MS06-003 for Exchange and Outlook

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web