In the first month following the release of Windows Vista Service Pack 1 and Windows Server 2008, Microsoft is already serving up a number of fixes for both operating systems, as it has issued eight security bulletins covering a total of 10 vulnerabilities.
Five of the eight are rated Critical, the highest severity level, while three are rated Important, the next level down. Two patches affect Office, four affect Windows across all versions, and the final two relate to Internet Explorer.
One of the more significant fixes, as noted by security firm McAfee, is MS08-021, which fixes two vulnerabilities in Windows that would allow an attacker to take control of a PC through specially crafted Windows metafiles, using the WMF or EMF formats.
McAfee noted that similar vulnerabilities were exploited in cyber attacks two years ago, forcing Microsoft at the time to rush out a fix (MS06-001) outside of its monthly patch cycle.
There were also three Internet-oriented fixes, two Critical and one Important. MS08-023 addresses a vulnerability in an ActiveX control, which could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.
MS08-024 resolves a vulnerability in Internet Explorer, which could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.
The third, MS08-020, fixes a vulnerability in Windows that could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic away from legitimate locations.
“Today’s Microsoft patches underline the risk of surfing the Web unprotected,” said Dave Marcus, security research and communications manager at McAfee Avert Labs in an e-mailed statement. “Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply visits a malicious Web site, a favorite attack method among cybercriminals.”
The patch collection also addresses a critical vulnerability in Microsoft Office that would allow an attacker to take complete control of an affected system if a user opens a specially crafted Microsoft Office Project file. Another addresses a similar vulnerability in Visio files.
Finally, two Windows patches fix vulnerabilities that would allow an attacker to take control of an affected system.
More information on the eight fixes can be found at Microsoft’s Security Update Archive.
Instead of adding a new set of malware threats to the monthly release, as it has in the past, Microsoft has updated the Malicious Software Removal Tool itself this month. It can be downloaded, along with the patches, through Windows Update.
Microsoft will hold a Technet webcast on Wednesday, April 9, 2007 at 11:00 AM PDT to discuss this month’s fixes.