Microsoft patches eight critical vulnerabilities in four patches

Share this article:
Microsoft on Tuesday delivered four fixes for eight critical vulnerabilities, including one bulletin that will have to be distributed multiple times by businesses.

That patch, MS08-052, addresses five graphics-processing vulnerabilities in GDI+, a Windows application program interface for C/C++ programmers.

The flaws are present not only in Windows but also Internet Explorer, .NET Framework, Office, SQL Server and Visual Studio, according to the bulletin. That means administrators must ship individual copies of the patch to each of those affected software components.

“Every Windows XP and later machine on the planet needs to be patched,” Eric Schultze, CTO of patch management software provider Shavlik Technologies, told on Tuesday. “A lot of systems will be impacted with this one.”

Ben Greenbaum, senior research manager at Symantec Security Response, said in prepared remarks that users' machines could be infected if they visit a malicious website that allows users to upload images. He added that organizations also need to check their third-party applications to ensure those are updated with the fix.

“At least one of these vulnerabilities is highly similar to one that we have seen before, so hackers may be able to use old code or at the very least apply knowledge gained from previous attacks as a starting point for creating new malicious code,” Greenbaum said.

The monthly security update also resolved a vulnerability in Windows Media Player that could be exploited when a user is tricked into streaming a malicious audio file. A related patch corrected a flaw in Windows Media Encoder 9, which could permit remote code execution as well.

A final fix remediates a protocol-handling bug in Office's OneNote, a note-taking and information management program. Schultze said these types of flaws are dangerous and could become more common if developers fail to conduct proper input validation of programs.

“I think once researchers start spending more time with protocol handlers, they'll find more ways to exploit them,” he said.
Share this article:

Sign up to our newsletters

More in News

In Cisco probe, misuse or compromise spotted on all firms' networks

In Cisco probe, misuse or compromise spotted on ...

Cisco analyzed the business networks of 30 multinational companies last year, and revealed the findings in its 2014 Annual Security Report.

Fareit trojan observed spreading Necurs, Zbot and CryptoLocker

The Necurs and Zbot trojans, as well as CryptoLocker ransomware, has been observed by researchers as being spread through another trojan, known as Fareit.

Post Heartbleed, tech giants join initiative to bolster open source

Post Heartbleed, tech giants join initiative to bolster ...

The newly formed Core Infrastructure Initiative, created to boost under-funded open source projects, will tackle OpenSSL first.