Microsoft released just one patch Tuesday to seal three critical security holes in Windows. One expert recommends IT administrators use the extra breathing room to play catch-up on any patching they have left following last month's mammoth update.
"A lot of companies still haven't patched against October's flaws, and they should use this quiet time to take care of it," said Neel Mehta, team leader for Atlanta-based Internet Security Systems' (ISS) X-Force.
This month's patch fixes glitches in how the Graphics Rendering Engine processes Windows Metafile (WMF) and Enhanced Metafile (EMF) images. Attackers could exploit one of the EMF flaws to cause a denial of service and exploit the others to "take complete control of an affected system" and "install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said. "We recommend that customers apply the update immediately."
The security holes affect the following versions of Windows:
- 2000 Service Pack 4
- XP Service Pack 1 and XP Service Pack 2
- XP Professional x64 Edition
- Server 2003 and Server 2003 Service Pack 1
- Server 2003 for Itanium-based systems and Server 2003 with SP1 for Itanium-based systems
- Server 2003 x64 Edition
Mehta doubts attackers will bother to mount a massive attack using these security holes. But they could exploit the flaws to launch more targeted attacks against specific enterprises. Since all the vulnerabilities are in the Windows operating system, such attacks could be very damaging, he said.
"I don't think these will be used in a widespread way because user interaction is required," he said. "Someone has to click a malicious link, e-mail or Web site. You have to have some sense of a target." But, he added, "This could make for sophisticated attacks against targeted groups that would most likely be launched to steal valuable information. Fortune 500 companies and financial institutions could be most at risk. But in the end, anyone can be a target."
Cupertino, Calif.-based antivirus firm Symantec said in a statement that attacks could be launched using "a malicious file on a Web site, an embedded file in a Microsoft Office document [or in] an HTML e-mail."
Dave Cole, director of product management for Symantec Security Response, said in the statement, "The variety of ways to initiate a possible attack makes this issue particularly potent. Symantec recommends that users apply the update as quickly as possible and refrain from opening unknown attachments or clicking on suspicious links that arrive via e-mail on instant messages."
The firm added, however, that e-mail program settings can limit how HTML e-mails might be used in an attack. "For example, Outlook 2002 (with Office XP SP1 and later) and Outlook Express 6 (with IE 6.0 SP1 and later) allow messages to be viewed in plain text format, which will prevent an HTML e-mail attack."
This article originally appeared on SearchSecurity.com.