Microsoft will release five critical and three important vulnerabilities previewed last week as part of its April rollout of security bulletins.
@50147 All of the vulnerabilities this month are end-user initiated, said Eric Schultze, chief technology officer at Shavlik Technologies LLC, in Roseville, Minn. Also notable about April's patches is that they impact Vista and Windows Server 2008 -- the first for the server since its release in late February.
In its monthly Microsoft patch notice, Microsoft said the five critical vulnerabilities, which could leave users open to remote code executions, target Office Project, Windows vis-à-vis Graphics Device Interface (GDI), VBScript and JScript scripting engines, and Internet Explorer.
Regarding the Windows desktop and server platforms, the critical vulnerability involving GDI -- MS08-021 -- will affect Windows 2000 SP4, Windows XP SP2, Windows XP Professional x64 SP2, Windows Server 2003 SP1 and 2 plus the x64-bit edition, Vista and Vista SP1, plus Windows Server 2008.
Schultze deems this particular vulnerability as the worst on the list for April. It is an image file bug that enables an attacker to take control of a system while a user is "visiting an evil website, opening an evil document or reading an evil email."
Schultze said it's the third such graphic file attack since January 2006.
The three important security bulletins touch on Windows through a spoofing vulnerability in Windows DNS clients, a vulnerability in the Windows kernel where a local attacker could gain access to an affected system, and a vulnerability in Office Visio.
An updated version of the Windows Malicious Software Removal Tool is available on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.