What do you get Windows users for Valentine's Day? If you are
Microsoft, you come bearing more than a half-dozen security patches.
As part of its traditional "patch Tuesday," the software giant
has released seven fixes for its media player and other Windows
Windows Media Player is the subject of one critical bulletin,
while four bulletins (one critical) focus on flaws in the
Windows operating system. Two Microsoft Office security issues are
Critical, the highest level of severity for the bulletins, means
vulnerabilities can be exploited remotely. A rating of "important"
refers to flaws creating denial-of-service or impacting security.
Two Windows Media Player patches were released. The first patch,
rated a "critical" fix, warns of the possibility a malformed bitmap
(.bmp) file could permit remote code execution, resulting in
complete system takeover.
While critical, the exploit requires "significant user
interaction" to work, according to Microsoft.
eEye Digital Security, which alerted Microsoft to the problem in
October, called for quick action.
"Unless immediately resolved, this flaw allows attackers to take
complete control of an affected system," according to a statement.
Perpetrators could exploit this vulnerability by installing
malicious programs, or changing and deleting data.
Another Windows Media Player patch is an alert to users of the
Windows Media Player plugin with non-Microsoft Web browsers, such as
Mozilla Firefox, Netscape or Opera.
The vulnerability would allow attackers to take control of a
Windows XP or Windows Server 2003 system.
The Windows Media Player flaw is just the latest sign attacks are
targeting consumer applications rather than the Windows operating
Recent patches mark a "changing trend" in Windows
vulnerabilities, Steve Manzuik, eEye's security product manager,
told internetnews.com. More media formats are coming under the watch
of malicious hackers, said Manzuik.
Flaws in Windows Metafile (WMF) images again surfaced.
This time, Microsoft released a cumulative patch for Internet
Explorer. Microsoft said IE 5.01 users could fall victim to remote
exploitation through memory corruption by Windows Metafile (WMF)
On the same day Microsoft released a patch for IE, Israel-based
Beyond Security announced the Web browser contained a flaw in its
drag-and-drop function. The error reportedly could trigger malicious
code. Microsoft's only response has been at its Security Response
In what Microsoft terms "a newly-discovered and
privately-reported vulnerability," another fix protects Windows XP
and Windows Server 2003 systems from denial-of-service attacks,
Another Windows operating system patch centers on how Windows XP
and Windows Server 2003 process WebClient requests. The security
flaw might allow remote execution of code.
For Microsoft Office users, two patches were released in response
to security flaws in PowerPoint 2000 and the Korean Method Editor.
Microsoft also said it updated the Windows Malicious Removal Tool
to encompass last week's Kama Sutra worm.