Microsoft patches for GDI, DNS vulnerabilities

Microsoft on Tuesday pushed out three patches -- one deemed "critical" -- to resolve eight vulnerabilities.

The critical bulletin addresses three flaws in the Windows kernel, the core of the operating system, including one that affects its Graphics Device Interface (GDI). If users are duped into visiting a malicious website hosting the exploit, they can be infected, said Andrew Storms, director of security operations at vulnerability management firm nCircle.

Storms added that because Microsoft has issued fixes for similar GDI issues in the past, many malware writers will be ready to pounce on the new flaw.

"There are a number of known exploit codes that might be able to be altered for these new bugs," he told SCMagazineUS.com on Tuesday. "A lot of eyeballs are going to go after that."

Security experts said the other major patch that administrators should pay attention to is a fix for four vulnerabilities in the Windows DNS and WINS (Windows Internet Naming Service) servers. Storms said successful exploitation could allow an attacker to poison a target's DNS cache -- although it would take some work.

"Someone on the network would have to guess the transaction ID [associated with individual DNS requests]," he said.

Microsoft graded this fix "important," saying it corrects flaws that could be exploited to permit spoofing attacks. But Eric Schultze, CTO of patch management software provider Shavlik Technologies, said he considers the patch critical.

"The DNS server's sole purpose is to hand out information about what websites were located where," he told SCMagazineUS.com. "This particular vulnerability allows an unauthenticated attacker to remotely modify all that data."

Tuesday's security update also includes a third patch to remedy a single vulnerability in SChannel, a Microsoft authentication protocol suite. The software giant labeled that fix "important."

Missing from the bundle was a fix for a zero-day Excel vulnerability, which has resulted in active attacks. That bug was announced in late February.
