Microsoft released four "critical" security bulletins for September's Patch Tuesday, including a massive update for Microsoft Windows GDI+ that affects multiple products.
All four bulletins address vulnerabilities that permit hackers to remotely execute code. Of the four, the GDI+ bulletin is the largest. GDI+ is a graphics device interface that provides two-dimensional vector graphics, imaging and typography to applications and programmers. It is also the source of five vulnerabilities covered in this month's update.
According to Microsoft, the flaws can be exploited if a victim either views a malicious image file using affected software or browses a Web site that contains the content. The vulnerabilities affect multiple products, including all supported editions of Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008, as well as all supported editions of SQL Server 2005. A complete list is available in the advisory.
"The graphics engine is part of all operating systems, and is also included with Microsoft Office and Microsoft SQL Server products, among others," said Eric Schultze, CTO of Shavlik Technologies. "You may need to install multiple patches on your system to address this issue, where each patch updates a different component on your computer."
Unfortunately, Schultze continued, Microsoft hasn't made it easy to determine what patches are needed on each system-making it more likely that some systems will go unpatched for some portion of affected products. The bulletin also doesn't make it very clear which patches will be patched with WSUS (Windows Server Update Services) and which will need to be done manually, he said.
In addition to the update for GDI+, there are bulletins for Windows Media Player 11, Windows Media Encoder 9 and Microsoft Office. The Windows Media Player bulletin covers a sampling rate vulnerability a hacker could exploit via a specially crafted audio file streamed from a Windows Media server using Windows Media Player 11. The Windows Media Encoder issue is a buffer overrun vulnerability that affects editions of Microsoft Windows 2000, XP and Vista. Windows Server 2003 and Windows Server 2008 are also affected.
The final bulletin fixes a remote code execution vulnerability in the way Microsoft Office handles URLs using the OneNote protocol handler (onenote://). The flaw could allow a hacker to take control of a vulnerable system if a user clicks on a malicious OneNote URL.
"With four critical updates, this is a relatively light Patch Tuesday in terms of volume," noted Don Leatham, director of solutions and strategy at Lumension Security. "However, given that the four critical bulletins deal with all the majority of current Microsoft operating systems, organizations should not be lax when rolling out this month's patches."