That patch, MS08-052, addresses five graphics-processing vulnerabilities in GDI+, a Windows application program interface for C/C++ programmers.
The flaws are present not only in Windows but also Internet Explorer, .NET Framework, Office, SQL Server and Visual Studio, according to the bulletin. That means administrators must ship individual copies of the patch to each of those affected software components.
“Every Windows XP and later machine on the planet needs to be patched,” Eric Schultze, CTO of patch management software provider Shavlik Technologies, told SCMagazineUS.com on Tuesday. “A lot of systems will be impacted with this one.”
Ben Greenbaum, senior research manager at Symantec Security Response, said in prepared remarks that users' machines could be infected if they visit a malicious website that allows users to upload images. He added that organizations also need to check their third-party applications to ensure those are updated with the fix.
“At least one of these vulnerabilities is highly similar to one that we have seen before, so hackers may be able to use old code or at the very least apply knowledge gained from previous attacks as a starting point for creating new malicious code,” Greenbaum said.
The monthly security update also resolved a vulnerability in Windows Media Player that could be exploited when a user is tricked into streaming a malicious audio file. A related patch corrected a flaw in Windows Media Encoder 9, which could permit remote code execution as well.
A final fix remediates a protocol-handling bug in Office's OneNote, a note-taking and information management program. Schultze said these types of flaws are dangerous and could become more common if developers fail to conduct proper input validation of programs.
“I think once researchers start spending more time with protocol handlers, they'll find more ways to exploit them,” he said.