September Patch Tuesday: a critical day for media files at Microsoft

Patch Tuesday has come around all too quickly, and Microsoft has released four critical updates. Once again, the handling of media files has proved fertile ground for vulnerability hunters.

Of the four, the GDI+ issue is perhaps the most pernicious, as all that's necessary to exploit it is the display of a maliciously crafted image by software that uses GDI+.

Since this includes Internet Explorer and Office, all an attacker would need to do is add the image to a web page (think of all the popular sites that display user-generated content) or insert it into a Word document that is then spammed out to potential victims.

When the image is displayed, code within the exploit file would be executed with the same rights as the current user.

The updates address several vulnerabilities in GDI+, and relate to Windows XP, Vista, Server 2003, Server 2008, Internet Explorer 6, and Windows 2000 with any of .NET Framework 1.0, 1.1 or 2.0. Also affected are Office XP, 2003 and 2007, plus Visio 2002, PowerPoint Viewer 2003, Works 8 and Digital Image Suite 2006.

If that wasn't enough, there are additional patches for SQL Server 2000 and 2005; Visual Studio 2003, 2003, 2005 and 2008; Report Viewer 2005 and 2008; Visual FoxPro 8.0 and 9.0; the Microsoft Platform SDK Redistributable: GDI+; and Forefront Client Security 1.0.

Windows Media Player is also at risk - please read on.