The new year has started with a light patch day.
Microsoft released only one security bulletin in its first Patch Tuesday of 2010. Does this signal the beginning of the end for security vulnerabilities in the company's products? Probably not, but administrators can be grateful for the light load this month.
Microsoft Security Bulletin MS10-001 discusses a security vulnerability that affects all of its operating systems. However, Microsoft notes this flaw is only "critical" for Windows 2000 systems. For all other OSes the software maker rates this as a low-severity issue.
At issue is the Embedded OpenType Font Engine (EOT). EOT allows Web and document designers to display fonts exactly as they are intended to look. EOT fonts may be found on websites and banner advertising as well as in Microsoft Office documents, like as those created in Word or PowerPoint.
If a user uses Internet Explorer to browse a website that includes a malformed Embedded OpenType Font or opens an Office document containing the evil font, malicious code can execute on that user's computer. The code would run under the current user's security context. If a user was logged in as an administrator, the malicious code could take any action it wanted to on the system, including reformatting the hard disk, planting Trojan horses or comprising the settings of other security applications on the system. If a user was logged on as a user account, the malicious code would only be able to access files, data and settings to which the logged on user has access.
This is not the first time there have been security issues with the EOT. Security bulletin MS09-029 from July 2009 addressed a flaw in the way that EOT fonts were parsed by the font engine. This vulnerability was considered "critical" on all OSes. Today's release deals with a variant of handling EOT files, specifically, the decompression of specially crafted files that contain EOT fonts. Installing the patches referenced in the MS10-001 bulletin will correct this problem and remedy the issues discussed last July.
Microsoft stated that although Windows XP, Windows Server 2003, Vista, Windows Server 2008 and Windows 7 contain the affected components, these operating systems are not at risk because they don't use the code in a way that would compromise a system. Therefore, the recommendation is to install this patch right away on Windows 2000 systems and consider updating other systems as time permits.
Microsoft did not release a patch today for a publicly known security vulnerability that could cause a denial of service to all Windows computers. Microsoft says it's still working on a patch for this issue and that it hasn't seen any public reports of users being affected by this flaw.
On other fronts, Adobe is planning to release a set of security patches() for Adobe Acrobat and Adobe Reader Versions 8 and 9. These patches will address a publicly known security vulnerability that allows an attacker to take control of computers when their users view malformed PDF documents. Adobe had issued a workaround that is available in the absence of the security patch.
|ABOUT THE AUTHOR:|
Eric Schultze is an independent security consultant who most recently designed Microsoft patch management solutions at Shavlik Technologies. Prior to Shavlik, Schultze worked at Microsoft, where he helped manage the security bulletin and patch-release process. Schultze likes to forget that he used to work as an internal auditor on Wall Street.