September Patch To Fix Windows GDI Exploit and More

Redmond on Tuesday rolled out four critical fixes, as expected, for as many as eight remote code execution exploits for various Windows applications.

The four fixes are designed to plug up potential flaws in the Windows Media Player, the Windows Media Encoder, Microsoft Office and the Microsoft Windows GDI+ (graphics device interface).

Fix No. 1 deals specifically with Windows Media Player 11, the popular streaming video, audio and digital content streamer. The issue affects Windows XP Service Pack 2 and Windows XP Service Pack 3, all versions of Vista and Windows Server 2008. Microsoft's fix resolves a privately reported hole in the Windows Media Player program where a hacker could configure a malicious audio, video or digital content file for entry into a system to gain carte blanche access to programs.

The second fix addresses Windows GDI+ and "several" privately disclosed bugs in the program, according to Redmond.

The Windows GDI+ graphics engine is part of all of Microsoft's operating systems, and is also included with Microsoft Office and Microsoft SQL Server products, among others, according to security pros. This particular fix applies to Windows XP, Vista and multiple versions of Windows Server 2003 and 2008. It also touches Internet Explorer 6 and Microsoft .NET Framework versions 1.0, 1.1 and 2.0 on Windows 2000 SP4.

The Windows GDI+ bug is one that's caught the eye of analysts in this month's patch.

"There are four advisories and eight vulnerabilities this month, but it comes down to GDI+, GDI+, GDI+... that is what is going to be on everyone's mind," said Tyler Reguly, security engineer at San Francisco-based nCircle. "I'm sure a number of people are going to be thinking back to a similar vulnerability from December 2005. At least this time, it's not in the wild."

But Reguly added that it won't take long before the exploit is in the wild and that "everyone needs to patch this vulnerability quickly."

Tom Stracener, senior security analyst for Cenzic Inc., concurred and said that he's watching this fix closely. Based on Cenzic's application security research, vulnerabilities in media players tend to range between two percent to five percent of the application vulnerability volume during any given quarter.

"Attackers often exploit client-side media player vulnerabilities because so many Web applications allow users to host media content," Stracener said. "The .NET security vulnerabilities will be key to patch for any organization that deploys applications written in this development environment."

Meanwhile, the third fix is for the Windows Media Encoder 9 Series, a program designed to help digital content developers capture, convert and edit both live and prerecorded audio, video or still images. The corresponding OS versions pertaining to this patch are Windows 2000 SP4, all editions of XP, Vista, Windows Server 2003 and Windows Server 2008.

The exploit of Windows Media Encoder 9 Series is most effective when deployed by a user with administrative rights. The attack is carried out via an erroneously crafted Web page with malicious code.

The last critical fix addresses wide-reaching remote code execution vulnerabilities in several versions of Microsoft Office. The patch fixes Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, plus Microsoft Office 2007. Also repaired is Microsoft Office OneNote 2007, a note-taking application for meetings.

September's Patch Tuesday generally addresses user-driven exploits in the enterprise space. IT admins should patch accordingly, explained Eric Schultze, chief technology officer at St. Paul Minn.-based Shavlik Technologies.

"In other words, focus on patching your end-user machines first, rather than the servers in your datacenter," Schultze said. "Since these exploits require users to perform actions on their computers, like visiting a Web site, servers in a datacenter are less prone to be exploited, as user's aren't typically browsing the Internet from these servers."

Additionally, as Redmond has been doing since early spring, the software giant encourages administrators, users and tech enthusiast to check out its knowledgebase article to catch up on this month's new releases.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.