Like one of Cupid's arrows, Microsoft shot right to the hearts of Windows managers this Valentine's Day with seven new security updates. But administrators won't likely receive them with love and affection.
Two of the flaws have critical implications, one in an area the software giant is accustomed to patching -- Internet Explorer.
According to Mark Allen, manager of the Information and Data Management team at Shavlik Technologies LLC, in Roseville, Minn., the flaws that carry the greatest risk for enterprise customers are addressed in two bulletins for Windows Media Player, MS06-005 and MS06-006.
MS06-005 repairs a remote code execution vulnerability in Media Player. According to Microsoft's TechNet Web site, the flaw exists because of the way the player processes bitmap files (.bmp). An attacker could construct a malicious bitmap file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message. The bulletin notes that significant user interaction is required to exploit this vulnerability.
MS06-06, ranked important rather than critical, is for a flaw in the Media Player plug-in for non-Microsoft Internet browsers. The problem is with the way the Media Player plug-in handles a malformed EMBED element. An attacker could exploit the vulnerability by constructing a malicious EMBED element that could potentially allow remote code execution if a user visited a malicious Web site.
The other critically ranked patch, MS06-004 addresses a remote code execution vulnerability in Internet Explorer. Similar to a problem patched earlier this year, the flaw is in the way IE handles Windows Metafile (WMF) images.
An attacker could exploit the vulnerability by constructing a specially crafted WMF image that could allow remote code execution if a user visited a malicious Web site, opened or previewed an e-mail message or opened a specially crafted attachment in e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Microsoft also noted that the MS06-004 was separate from IE vulnerabilities addressed in previous patches, including the much-hyped WMF flaw in January that was patched by the early release of MS06-001.
This time around, Microsoft Windows 2000 Service Pack 4 is the only software impacted by the IE flaw, so the implications are not as far reaching, Allen said.
"I think that will be less important to most enterprise desktops because most enterprise customers have upgraded their Windows 2000 desktop client images to IE 6.0 or are already using Windows XP, which isn't vulnerable," he said in an e-mail.
One missing patch
Missing from the updates was a patch for a vulnerability in IE that was publicized on Monday. Microsoft was alerted to the flaw, which was discovered by a college student six months ago. The vulnerability involves dragging and dropping objects between folder views and Web pages. No patch was issued for the problem on Tuesday.
Despite the lower profile of this month's flaws, Allen said he thought they needed quick attention.
"We see a lot of spyware installer sites use exploits in Windows Media Player or Internet Explorer to get those spyware payloads installed in the first place," Allen said. "So those are definitely where I would want to commit the bulk of my patch testing and deployment resources."
Four ranked important
Microsoft also released four other updates ranked important:
MS06-007, which addresses a denial-of-service vulnerability. The flaw could allow an attacker to send a specially crafted IGMP packet to an affected system. An attacker could cause the affected system to stop responding.
MS06-008 addresses a vulnerability in the Windows Web Client Service that could allow an attacker to take complete control of an affected system. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
A fix for Microsoft Office and Windows, MS06-009, addresses a privilege elevation vulnerability in the Korean Input Method Editor (IME). This vulnerability could allow a malicious user to take complete control of an affected system. For an attack to be successful, an attacker must be able to interactively logon to the affected system.
And, a patch that affects Microsoft Office, MS06-010, addresses an information disclosure vulnerability in PowerPoint. An attacker who successfully exploits this vulnerability could remotely attempt to access objects in the Temporary Internet Files Folder (TIFF) by name.
The month's updates are the largest number of simultaneous bulletins since October 2005 when Microsoft issued 10 patches at once.
A new edition of Microsoft's malicious software removal tool was also released with the bulletins. The update removes Win32/Alcan, Win32/Badtrans, Win32/Eyeveg and Win32/Magistr as well as Win32/MyWife.E.