Moderate Patch Tuesday Yields Two Critical Fixes
Published: February 15, 2006
by Alex Woodie
Microsoft issued patches for seven security vulnerabilities in its products yesterday, including two for critical problems in Windows Media Player and Internet Explorer, and another very important flaw that affects systems running non-Microsoft browsers, such as Firefox. When it comes to Microsoft products likely to be run on Windows Server operating systems, there were just a handful of fixes. However, there are still un-patched Windows vulnerabilities floating out there, waiting for hackers to take advantage of them.
It is unlikely that Windows Server shops will be disrupted much by the critical flaws Microsoft fixed this week; they offer less potential for abuse than the Windows Metafile (WMF) flaw that led Microsoft to issue a security patch early. Just the same, Windows shops should get their patches on early and often, because security isn't a game.
The first critical vulnerability is fixed with MS06-004, and it has to do with a flaw in how Internet Explorer handles WMF images, although it's not related to the WMF flaw that Microsoft fixed in January. This new WMF flaw could enable an attacker to gain total control over an affected system if the victim opens a maliciously crafted WMF image through a Web browser or e-mail software. The only system affected by this flaw is Internet Explorer 5.01 Service Pack 4 running on Windows 2000 SP4.
The second critical vulnerability is found in Windows Media Player, which is fixed with MS06-005. The Windows Media Player flaw could enable an attacker to gain total control over an affected system if the victim opens a maliciously crafted bitmap (.bmp) image through a Web browser or e-mail software.
A wide range of computers are affected by the Windows Media Player flaw, including those running versions 7.1, 9, and 10 of Windows Media Player across Windows 98, Windows 2000, Windows XP, and Windows Server 2003. However, the potential harm done by this flaw is tempered somewhat because "significant user interaction is required to exploit this vulnerability," Microsoft says. This vulnerability, like many security flaws in Microsoft products these days, was found by eEye Digital Security, a Southern California company that researches security issues and develops security software.
Another problem with the Windows Media Player is fixed with MS06-006. This vulnerability, which, for some reason, Microsoft gives only an "important" rating, despite the fact that it could allow an attacker to gain total control over an affected system, affects users running the Windows Media Player Plug-in with non-Microsoft Web browsers, such as Mozilla's Firefox (perhaps that's the reason it didn't rate a critical ranking, because Firefox "only" has a 10 percent share). This flaw affects the latest releases of Windows 2000, Windows XP, and Windows Server 2003, including X64 editions of Windows XP and Windows Server 2003 (although not the Itanium version). Workstations and terminal servers are at greatest risk, Microsoft says. iDefense, a Reston, Virginia, security research company that's a subsidiary of VeriSign, pointed out this flaw to Microsoft.
A denial of service threat in Windows XP and Windows Server 2003 is tempered with MS06-007, which patches an important flaw in the way that Windows handles Internet Group Management Protocol (IGMP) packets. Datacom found this flaw and reported it privately to Microsoft, which says it's not aware of any attacks exploiting this vulnerability.
A newly discovered Web Client vulnerability that could allow an attacker to gain total control over affected systems is fixed with MS06-008. This vulnerability could be exploited by somebody sending specially crafted messages to affected systems using the Web Client service, which is an implementation of the WebDAV protocol that enables Win32 applications to create, read, and write files on Internet file servers. Microsoft deems this patch important for Windows XP, including SP1 and SP2, but gives it only a "moderate" rating for Windows Server 2003 and its SP1 variant because the Web Client is deactivated by default on these systems. This vulnerability was privately reported to Microsoft by EADS/CRC, and there are no known exploits using this flaw.
Korean-speaking Windows shops are at greatest risk of the newly reported flaw in the Korean Input Method Editor (IME) that could allow an attacker to gain total control over an affected system. This flaw, which is fixed with MS06-009, has to do with a problem in the Korean language IME, which is a piece of software that allows the Korean characters to be built using a standard 101-key keyboard. This flaw affects Windows XP, Windows Server 2003, and all 64-bit variations of these operating systems, in addition to various members of the Office 2003 suite. An outfit by the name of VMCraft found this flaw, Microsoft says.
February's final fix, MS06-010, deals with a problem in PowerPoint 2000 that could allow an attacker to access files in the temporary internet files folder. This flaw, which Microsoft gives an important rating, is only present in the version of PowerPoint distributed with Microsoft Office 2000 SP3. It was privately reported to Microsoft by ITsec Security Services, and there are no known cases of this flaw having ever been used, Microsoft says.
While these flaws won't be bugging anybody, there are still plenty of security problems in Microsoft products that could. eEye Digital Security is currently tracking four flaws in Microsoft products that have been publicly disclosed for at least 60 days. Microsoft has not issued fixes for these flaws. eEye gives three of these flaws a high severity rating.