New Microsoft OSes Hit by Patch Tuesday Shrapnel

The company's batch of Patch Tuesday updates come with fixes for "critical" remote code execution flaws affecting Windows Vista and Windows Server 2008.

Two of Microsoft's newest operating systems-Windows Vista and Windows Server 2008-are vulnerable to serious remote code execution attacks, according to a warning from the software giant.

The "critical" warning comes April 8 as part of Microsoft's April batch of Patch Tuesday updates, which include eight security bulletins covering at least 10 documented software vulnerabilities.

The biggest eye-opener is the "high-risk" severity of the patches that apply to Windows Vista and Windows Server 2008, the two operating systems touted by Microsoft as its most secure ever.

One of the bulletins-MS08-021-is rated "critical" across the board for all supported versions of Windows, from Windows 2000 through Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

The bulletin provides cover for at least two known flaws that could allow malicious hackers remote access to "take complete control of an affected system" if a user opens a specially crafted EMF or WMF image file.

According to Microsoft's documentation, both vulnerabilities were found in the way the Windows GDI (graphics device interface) handles integer calculations and filename parameters in EMF and WMF files. The Windows GDI allows applications to use graphics and formatted text on both the video display and the printer.

Windows Vista and Windows Server 2008 are also affected by another batch of bugs affecting the company's flagship IE (Internet Explorer) browser. The company slapped a high-priority tag on both MS08-023 and MS08-024, which address flaws in ActiveX controls and a remote code execution flaw in IE's handling of data streams.

One of the IE updates includes a kill bit for a known bug in an Active X control in the Yahoo Music Jukebox product.

A fourth "critical" bulletin-MS08-022-was also released to provide a fix for a remote code execution vulnerability in the way that the VBScript and JScript scripting engines decode script in Web pages.

"This vulnerability could allow remote code execution if a user opened a specially crafted file or visited a Web site that is running specially crafted script," Microsoft warned.

This VBScript and Jscript bug affects Windows 2000, Windows XP and Windows Server 2003 systems.

This month's updates also include a fix for a "critical" code execution hole in Microsoft Project, the enterprise-facing project management program. This bug, which allows a hacker to rig Project files to take "complete control" of affected systems, was reported to Microsoft by the Republic of Korea's National Cyber Security Center.

The company also shipped separate patches for two "important" vulnerabilities in Microsoft Office Visio, a DNS spoofing attack flaw affecting Windows 2000 through Windows Vista computers, and a kernel vulnerability that could allow remote code execution attacks on all versions of Windows.

Just hours after Microsoft released its updates, Immunity, a private penetration testing company, released exploit code for the Windows kernel vulnerability.