Microsoft yesterday released a security update intended to fix eight critical vulnerabilities in as many as 42 Windows apps and components, including IE6, Media Player, Office, SQL Server and Visual Studio. The patch was made available before they could be discovered and exploited by malicious hackers, or at least before any were reported. The flaws were all found within GDI+, Microsoft's Graphics Device Interface subsystem.
The vulnerability could allow remote code execution "if a user [views] a specially crafted image file using affected software or [browses] a Web site that contains specially crafted content," according to Security Bulletin MS08-052, issued Sept.9. Many image file formats are affected, including bitmaps (.bmp), Windows Metafiles (.wmf), Enhanced Metafiles (.emf), Vector Markup Language (.vml) and .gif. A user need only view a Web page containing a malicious image to be infected. The exploit is particularly dangerous to users with administrative privileges, the bulletin said. GDI+, introduced with Windows XP, is also used in Vista and Windows server editions, and just about every Microsoft application and Windows component is affected. Therefore the company recommends that the patch be applied immediately.
The patches cover only Microsoft software, and not that of companies that have licensed GDI+ for their applications, which would need to issue patches of their own.
Microsoft also issued critical bulletins MS08-53, a patch for Microsoft Media Encoder 9, MS08-54, for Media Player, and MS-08-55, that repairs a flaw in Office OneNote 2007.