Microsoft releases three security bulletins covering vulnerabilities in Windows for Patch Tuesday. One of the bulletins, rated critical, fixes an input validation situation related to GDI that could be exploited to run arbitrary code.
released three security bulletins March 10 for Patch Tuesday,
including a patch for a critical vulnerability in the Windows kernel
affecting the graphics device interface.
According to Microsoft, the
Windows kernel does not properly validate input
passed from user mode
through the kernel component of GDI. The
vulnerability could allow hackers to run arbitrary code, and can be
exploited by hackers via a malicious EMF or WMF image file.
"This vulnerability provides numerous attack vectors-it can be hosted
on a Web page, sent in an e-mail or even exploited locally," said IBM
X-Force Threat Response Manager Holly Stewart. "Even though the use of
malicious images has been in practice for some time, many end users still do
not consider images, documents and other seemingly 'friendly' file formats to
The GDI bug is addressed in MS09-006,
which fixes a total of three security issues, the other two being handle
validation and invalid pointer vulnerabilities. With the exception of the
kernel handle vulnerability-which an attacker would have to log on locally to
exploit-all of the critical bugs addressed by the bulletin have workarounds
that can be used in lieu of a patch. So far, Microsoft has received no reports
of attacks on the vulnerabilities.
The other two bulletins plug security gaps rated "important." One fixes a
spoofing issue in the Microsoft Windows SChannel
when using certificate-based authentication that can be exploited to
authenticate to a server with only an authorized user's digital certificate.
The final bulletin addresses spoofing
vulnerabilities affecting Windows DNS Server and Windows WINS Server
could allow a remote attacker to redirect network traffic intended for systems
on the Internet to the attacker's own systems.
Missing from March's bulletin is a fix for the zero-day vulnerability
affecting Microsoft Office Excel the company issued an advisory on in late
February. So far, Microsoft has only reported seeing limited, targeted attacks
using the vulnerability. However, the company has publicized workarounds for
users concerned about exploitation.
For starters, Microsoft advises customers to use MOICE (Microsoft Office
Isolated Conversion Environment) when opening files from unknown or untrusted
sources. Users can also leverage Microsoft Office File Block policy to block
the opening of Office 2003 and earlier documents from unknown or untrusted
senders as well.
"While Excel is used extensively in normal times, its use is now
particularly high due to tax season," said John Moyer, CEO
of rights management vendor BeyondTrust. "Organizations should pay
close attention to the unpatched critical Excel vulnerability in the wild."