Microsoft patches eight critical vulnerabilities in four patches

Share this article:
Microsoft on Tuesday delivered four fixes for eight critical vulnerabilities, including one bulletin that will have to be distributed multiple times by businesses.

That patch, MS08-052, addresses five graphics-processing vulnerabilities in GDI+, a Windows application program interface for C/C++ programmers.

The flaws are present not only in Windows but also Internet Explorer, .NET Framework, Office, SQL Server and Visual Studio, according to the bulletin. That means administrators must ship individual copies of the patch to each of those affected software components.

“Every Windows XP and later machine on the planet needs to be patched,” Eric Schultze, CTO of patch management software provider Shavlik Technologies, told on Tuesday. “A lot of systems will be impacted with this one.”

Ben Greenbaum, senior research manager at Symantec Security Response, said in prepared remarks that users' machines could be infected if they visit a malicious website that allows users to upload images. He added that organizations also need to check their third-party applications to ensure those are updated with the fix.

“At least one of these vulnerabilities is highly similar to one that we have seen before, so hackers may be able to use old code or at the very least apply knowledge gained from previous attacks as a starting point for creating new malicious code,” Greenbaum said.

The monthly security update also resolved a vulnerability in Windows Media Player that could be exploited when a user is tricked into streaming a malicious audio file. A related patch corrected a flaw in Windows Media Encoder 9, which could permit remote code execution as well.

A final fix remediates a protocol-handling bug in Office's OneNote, a note-taking and information management program. Schultze said these types of flaws are dangerous and could become more common if developers fail to conduct proper input validation of programs.

“I think once researchers start spending more time with protocol handlers, they'll find more ways to exploit them,” he said.
Share this article:

Sign up to our newsletters

More in News

Five schools earn NSA's excellence in cyber ops distinction

The schools earned NSA's Centers for Academic Excellence designation for their cyber offerings.

With RATs at their disposal, 419 scammers target businesses

With RATs at their disposal, 419 scammers target ...

A new report reveals how Nigeria's 419 scammers are spreading malware to pocket business funds.

InfoSec pros worried BYOD ushers in security exploits, survey says

InfoSec pros worried BYOD ushers in security exploits, ...

A study by the Information Security Community on LinkedIn found most organizations don't have proper polices and support for BYOD.