Microsoft officials have announced two patches as part of the company's monthly security releases for September: one rated critical, one rated important.
The critical patch that Microsoft announced today addresses a remote code execution vulnerability that is triggered when users open a JPEG
Security officials note that the vulnerability can only be triggered when the image file is opened and processed. In practice that includes users who merely visit a Web site carrying a doctored image: following a link to such a site makes the browser download and render the image automatically, with no further user action required.
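The article does not say which part of JPEG decoding the patched flaw lives in, so the following is not the bug's mechanism; it is an added example, not code from the article or from Microsoft, of the structural check a JPEG parser needs before it trusts any segment of an untrusted file. It walks the marker segments that precede image data and rejects files whose declared segment lengths are impossible under the JPEG specification (a length field counts its own two bytes, so it must be at least 2, and the segment must fit inside the file). The sample files are constructed inline for the example.

```python
"""Structural sanity check for JPEG marker segments (added example).

Not the article's or Microsoft's code. Walks marker segments from SOI up to
SOS (or EOI) and rejects impossible length fields. Sample inputs below are
constructed for this example, not captured from a real exploit file.
"""
import struct

SOI = 0xD8   # Start of image
EOI = 0xD9   # End of image
SOS = 0xDA   # Start of scan: entropy-coded data follows
TEM = 0x01
RST0, RST7 = 0xD0, 0xD7

# Markers that carry no length field at all.
STANDALONE = {SOI, EOI, TEM} | set(range(RST0, RST7 + 1))


def scan_jpeg_segments(data: bytes):
    """Return (ok, reason, segments) after walking the marker segments.

    segments is a list of (marker, declared_length) tuples seen so far, so a
    caller can log exactly which segment failed the check.
    """
    segments = []
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return False, "missing SOI marker", segments
    pos = 2
    while True:
        if pos + 2 > len(data):
            return False, "truncated before marker at offset %d" % pos, segments
        if data[pos] != 0xFF:
            return False, "expected 0xFF at offset %d" % pos, segments
        # Any number of 0xFF fill bytes may precede the marker code.
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1
        if pos >= len(data):
            return False, "truncated inside marker", segments
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            segments.append((marker, 0))
            if marker == EOI:
                return True, "reached EOI", segments
            continue
        if pos + 2 > len(data):
            return False, "no length field for marker 0x%02X" % marker, segments
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        segments.append((marker, length))
        # The length includes its own two bytes. A value below 2 cannot occur
        # in a well-formed file, and computing "length - 2" on it wraps in
        # unsigned arithmetic; a decoder must reject it rather than trust it.
        if length < 2:
            return (False,
                    "marker 0x%02X declares impossible length %d" % (marker, length),
                    segments)
        if pos + length > len(data):
            return False, "marker 0x%02X segment overruns file" % marker, segments
        pos += length
        if marker == SOS:
            # Entropy-coded image data follows; header validation is done.
            return True, "header segments well-formed up to SOS", segments


# Constructed samples (not real image files): SOI, a COM segment, EOI.
SAMPLE_OK = b"\xFF\xD8" + b"\xFF\xFE" + struct.pack(">H", 2 + 5) + b"hello" + b"\xFF\xD9"
# Same layout, but the COM length field claims 1 byte (below the 2-byte minimum).
SAMPLE_SHORT_LENGTH = b"\xFF\xD8" + b"\xFF\xFE" + b"\x00\x01" + b"hello" + b"\xFF\xD9"
# COM segment whose declared length (4096) runs far past the end of the file.
SAMPLE_OVERRUN = b"\xFF\xD8" + b"\xFF\xFE" + b"\x10\x00"
# Minimal SOS header followed by one byte of scan data and EOI.
SAMPLE_WITH_SOS = (b"\xFF\xD8" + b"\xFF\xDA" + b"\x00\x08" + b"\x01\x01\x00\x00\x3F\x00"
                   + b"\x12" + b"\xFF\xD9")

if __name__ == "__main__":
    for name, blob in [("ok", SAMPLE_OK), ("short", SAMPLE_SHORT_LENGTH),
                       ("overrun", SAMPLE_OVERRUN), ("sos", SAMPLE_WITH_SOS)]:
        ok, reason, segs = scan_jpeg_segments(blob)
        print("%-8s %-5s %s" % (name, ok, reason))
```

The check stops at SOS because everything after it is entropy-coded scan data with its own framing; the point is that every length-bearing segment before it is bounded by both the 2-byte minimum and the file size before any bytes are copied out of it.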
Windows XP, Windows XP Service Pack 1 and Windows Server 2003 are the only operating systems that are vulnerable out of the box. Windows 98/98 SE/ME/NT 4.0/2000 are not vulnerable by default, but become exposed once affected software that carries the vulnerable component is installed on them. A short list of affected software includes: IE 6 Service Pack 1, .NET Framework versions 1.0 and 1.1, Office 2002/2003, Visual Studio .NET 2002/2003, Picture It! and Digital Image Pro, and the Microsoft Platform SDK.
A complete list of affected software and update downloads is available here.
The patches come days after internetnews.com reported that Microsoft gives premium customers advance notice about its security bulletins before it publicly releases the information.
The second patch addresses a remote code execution vulnerability that affects users of Microsoft Office, FrontPage, Publisher and Works Suite who convert WordPerfect 5.0 files. A user with administrative privileges who visits a Web site hosting a malicious file can inadvertently hand complete control of the machine to an intruder, but only if the user performs several further actions; visiting the site by itself will not compromise the machine. Over e-mail, the vulnerability can only be exploited if the user opens the attachment that accompanies the message.
The exploit does not work on WordPerfect 6.x documents, nor against Office 2003 installations that have Service Pack 1 installed. A complete list of affected programs and the fix can be found here.
As previously reported, the two patches released Tuesday do not address the highly critical “drag-and-drop” flaw that was found in Internet Explorer (IE) last month.
Microsoft will host a free Webcast Wednesday to discuss the technical details of the September security bulletins. More information is available here.