Microsoft’s Security Valentines

What do you get Windows users for Valentine’s Day? If you are
Microsoft, you come bearing more than a half-dozen
security patches.


As part of its traditional “patch Tuesday,” the software giant has released seven fixes for its media player and other Windows applications.

Windows Media Player is the subject of one critical bulletin, while four bulletins (one critical) focus on flaws in the Windows operating system. Two Microsoft Office
security issues are labeled “important.”

Critical, the highest level of severity for the bulletins, means
vulnerabilities can be exploited remotely. A rating of “important”
refers to flaws creating denial-of-service or impacting security.

Two Windows Media Player patches were released. The first patch,
rated a “critical” fix, warns of the possibility that a malformed
bitmap (.bmp) file could permit remote code execution, resulting in
complete system takeover.


While critical, the exploit requires
“significant user interaction” to work, according to Microsoft.

eEye Digital Security, which alerted
Microsoft to the problem in October, called for quick action.


“Unless immediately resolved, this flaw allows attackers to take complete
control of an affected system,” according to a statement. Perpetrators could exploit this vulnerability by installing malicious programs, or changing and deleting data.


Another Windows Media Player patch is an alert to users of
the Windows Media Player plugin with non-Microsoft Web browsers, such as
Mozilla Firefox, Netscape or Opera.


The vulnerability would allow
attackers to take control of a Windows XP or Windows Server 2003 system.

The Windows Media Player flaw is just the latest sign that attacks are
targeting consumer applications rather than the Windows operating
system.


Recent patches mark a “changing trend” in Windows
vulnerabilities, Steve Manzuik, eEye’s security product manager, told
internetnews.com. More media formats are coming under the watch of
malicious hackers, said Manzuik.

Flaws in Windows Metafile (WMF) images again surfaced.


This time, Microsoft released a cumulative patch for
Internet Explorer. Microsoft said IE 5.01 users could fall victim to remote
exploitation through memory corruption by Windows Metafile (WMF) images.

On the same day Microsoft released a patch for IE, Israel-based
Beyond Security announced the Web browser contained a flaw in its
drag-and-drop function. The error reportedly could trigger malicious code. Microsoft’s only response has been on its Security Response
Center blog.

In what Microsoft terms “a newly-discovered and privately-reported vulnerability,” another fix protects Windows XP and Windows Server 2003 systems from
denial-of-service attacks,


Another Windows
operating system patch centers on how Windows XP and
Windows Server 2003 process WebClient requests. The security flaw
might allow remote execution of code.

For Microsoft Office users, two patches were released in response to
security flaws in PowerPoint 2000 and the Korean Method Editor.

Microsoft also said it updated the Windows Malicious Removal Tool to
encompass last week’s Kama Sutra worm.
