Microsoft Corp. said users should immediately install patches it released Tuesday to fix two new vulnerabilities affecting multiple products. The flaws, one of them critical, could let an attacker take complete control of affected machines to launch malicious code, change or delete data or create new accounts with full privileges.
"If Microsoft says something is critical, you should test and deploy the patches as quickly as possible," said David Gnall, technical architect for Windham, N.H.-based Internosis, which specializes in Microsoft-based IT services. "In this case, you're talking about a critical vulnerability in Windows. That means the core, the operating system, is threatened."
MS04-028 fixes a "critical" buffer overrun vulnerability in the processing of the JPEG image format that could allow remote code execution on an affected system.
"If a user is logged on with administrator privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges," the bulletin said. "Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges."
Affected products include Microsoft Windows, Office, Graphics Application and Developer Application.
"The vulnerability could only be exploited by an attacker who persuaded a user to open a specially-crafted file or to view a directory that contains the specially-crafted image," a Microsoft spokeswoman said. "There is no way for an attacker to force a user to open a malicious file."
Nevertheless, Gnall warned, "Once you have that administrative access, when you're able to get to the server, you can cause serious havoc."
The security hole described in MS04-027 is rated "important" and affects various Microsoft Office products. The patch fixes a remote code execution vulnerability in the WordPerfect 5.x converter that is provided as part of the software.
As with the vulnerability MS04-028 outlines, an attacker could use this one to take over an affected computer, launch malicious code and compromise data. But, Gnall noted, this threat isn't as far-reaching because it threatens specific software, not the entire operating system. The security bulletin said user interaction is required to exploit this vulnerability.
To help users determine whether they're running one or more affected products that contain a vulnerable version of the JPEG parsing component, Microsoft has created a special detection tool, available at its security update and download center.
This article originally appeared on SearchSecurity.com.