Microsoft is now out with its September Patch Tuesday release, fixing no fewer than four critical vulnerabilities. The affected products are Microsoft Windows, Windows Media Encoder and Microsoft Office.
Faulty image-format handling is patched in this update, and Microsoft is also patching other media-related issues. If left unpatched, the vulnerabilities could allow an attacker to crash an application or to execute arbitrary code.
Windows Media Player is affected by a flaw that could allow remote code execution. According to Microsoft’s advisory, the vulnerability in Windows Media Player could allow remote code execution when a specially crafted audio file is streamed from a Windows Media server.
Windows Media Player is an integrated component of the Microsoft Windows operating system throughout most of the world. In Europe, the European Union has required Microsoft to offer a version of Windows without Windows Media Player.
Attacks on media players are becoming increasingly common, according to at least one security research firm. Attackers have typically targeted vulnerabilities in Apple’s QuickTime.
“Recently hackers have been exploiting vulnerabilities in media players to execute code and install malware on end-users’ machines,” Tom Stracener, senior security analyst for Cenzic, said in an e-mail to InternetNews.com.
“Based on Cenzic’s Quarterly Application Security Trend Reports, vulnerabilities in media players in general tend to range between 2 percent to 5 percent of the application vulnerability volume during any given quarter. Attackers often exploit client-side media player vulnerabilities because so many Web applications allow users to host media content.”
As part of the September Patch Tuesday update, Microsoft is also fixing a vulnerability in image handling. A flaw in Microsoft Windows GDI+ (Graphics Device Interface Plus) could allow remote code execution if a user viewed a maliciously crafted image file. Because GDI+ is a shared graphics library rather than a single application, any program that renders image files through it is a potential vector.
Lastly, Microsoft is patching a remote code execution vulnerability in Office OneNote.
According to Microsoft’s advisory on the issue, “the vulnerability could allow remote code execution if a user clicks a specially crafted OneNote URL. An attacker who successfully exploited this vulnerability could take complete control of an affected system.”
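The attack path in the advisory runs through a URL protocol handler: on Windows, a scheme such as onenote: is a key under HKEY_CLASSES_ROOT that carries a "URL Protocol" value, and whatever command is registered beneath it under shell\open\command is launched with the clicked URL substituted for %1. The PowerShell below is an added example written for this article, not code from Microsoft or from the advisory; it lists the handlers registered on the local machine and the command line each would receive. The scheme name "onenote" in the usage line is an assumption about which scheme the advisory's "OneNote URL" refers to; the function lists every registered scheme, so it runs on a machine without OneNote as well.

```powershell
# Added example: enumerate URL protocol handlers registered on this machine and
# show the command each would launch for a clicked link. Not from the article.
# Assumption: the scheme of interest is "onenote"; all schemes are listed so the
# script is useful without OneNote installed.
function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Optional scheme filter, e.g. 'onenote'; the default lists all schemes.
        [string]$Scheme = '*'
    )
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Scheme } |
        ForEach-Object {
            # A key is a URL protocol only if it carries the "URL Protocol" value.
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties['URL Protocol']) {
                $cmdPath = Join-Path $_.PSPath 'shell\open\command'
                $command = (Get-ItemProperty -Path $cmdPath -ErrorAction SilentlyContinue).'(default)'
                [pscustomobject]@{
                    Scheme  = $_.PSChildName
                    Command = $command   # %1 is replaced by the full clicked URL
                }
            }
        }
}

# Usage: which program receives a clicked onenote: link, and with what arguments?
Get-UrlProtocolHandler -Scheme 'onenote' | Format-List
```

The Command column is the thing to read: everything after the scheme in a clicked link is passed, attacker-controlled, into that process, which is why a parsing flaw in the handler is reachable from a web page or e-mail without any further user action beyond the click.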
The September Patch Tuesday count of only four critical vulnerabilities is a steep decline from the 11 vulnerabilities reported by Microsoft in August.