Microsoft plugs critical holes in Windows

NEWS

Microsoft on Tuesday issued patches for critical holes in all supported versions of Windows that could allow an attacker to take over a system by executing code remotely if the user viewed a maliciously crafted image file.

The patch for Windows 2000, XP, Vista, Server 2003 and Server 2008 plugs a vulnerability (MS09-006) that affects images created with the Enhanced MetaFile (EMF) or Windows MetaFile (WMF) display formats, according to Microsoft's advisory.

"An attacker can send you an email with an infected image in it or you can go to a website with an infected image or get it elsewhere, from a thumbdrive," said Wolfgang Kandek, chief technology officer of Qualys, which helps companies with security risk and compliance.

Attackers can also disguise .WMF and .EMF files as other image file types, such as .JPG, in order to sneak them past cautious users, said Alfred Huger, vice president of development at Symantec Security Response.

Also plugged on Patch Tuesday were two holes rated 'important', which affected the same systems and which could be used by an attacker to masquerade as someone else in a spoofing attack.

One of the important patches, which affects Windows 2000, Server 2003 and Server 2008, resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Windows DNS server and Windows WINS (Windows Internet Name Server). The holes could allow an attacker to redirect network traffic intended for systems on the internet to a malicious site, according to the advisory.

Read this

Security lessons not learned will haunt us in 2009

The second important patch, which affects all supported versions of Windows (MS09-007), resolves a vulnerability in the Secure Channel security package in Windows. It could allow an attacker to gain access to the certificate used by the end user for authentication. Customers are affected only when the public key component of the certificate used has been accessed by some other means, Microsoft said.

Kandek of Qualys said the risk is minimised by the fact that few corporations seem to use the technology involved very much.

Microsoft has yet to provide a fix for a security vulnerability in Excel from February, for which there have been zero-day exploits or a zero-day Word-Pad vulnerability from December.

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

ZDNet UK Live

ike fuelband is great for every healthminded person ! to work out! theres this website called textme4free.com that you can use to text anywhere in...

9 hours ago by bordero on Nike's FuelBand wristband gamifies exercise

> I'm told it's somewhat annoying when people have their Macs stolen > and Apple stores treat the thief as the owner, but there you go. Ouch,...

11 hours ago by BrownieBoy on AMD Ultrathins to challenge Intel Ultrabooks

@kevinmchapman. OK, I acknowledge that 'most' was a gratuitous throwaway comment as an afterthought and too presumptuous. As to proof, as you...

15 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint

@BrownieBoy > Works really well for thieves.... >> Nice attempt to deflect the argument by tossing in a point that's totally >> irrelevant, even...

16 hours ago by Jack Schofield on AMD Ultrathins to challenge Intel Ultrabooks

fantastic that the so called piracy bills have been withdrawn. however, these anti-democracy supporters are still in the shadows so lets be alert...

17 hours ago by raskolnikof on SOPA, Protect IP support wavers in face of online protest

Please God no; teach them anything you like - thinking rationally, the uses and misuses of data, what data is and what it's not - but leave the...

19 hours ago by Tony Douglas via Facebook on Kids are the future. Teach ’em to code.

@Jack, > Works really well for thieves.... Nice attempt to deflect the argument by tossing in a point that's totally irrelevant, even it were...

1 day ago by BrownieBoy on AMD Ultrathins to challenge Intel Ultrabooks

Make that 13 people now - I got refused today at Manchester airport. I thought I was up to date on this legislation - I knew of the EU ruling from...

2 days ago by bootlegger on UK airport body scans will not be opt out

Don't forget to check out apps like GoodReader or SlideShark either, they're indispensible for people on the go in presentation situations. Best...

2 days ago by tinycg on Four top iPad apps for people on the move

Well it seems there is something a number of us agree on. Why is the Ubuntu Unity launcher so ugly? I thought perhaps it was something to do with...

2 days ago by TerryRK on A tale of two distros: Ubuntu and Linux Mint

Duplicate comments are not made intentionally. Its very good to know that now you are keeping check on this problem because sometimes a commenter...

2 days ago by Freebies202 on Microsoft fixes blog comments, speeds up blogs with open source

"the very significant number of users" and "many (most) of us" - you have no evidence for these statements. It is a fact that most users are saying...

3 days ago by kevinmchapman on A tale of two distros: Ubuntu and Linux Mint