Microsoft Patches Critical Windows Vulnerability in Graphics Device Interface

Microsoft releases three security bulletins covering vulnerabilities in Windows for Patch Tuesday. One of the bulletins, rated critical, fixes an input validation situation related to GDI that could be exploited to run arbitrary code.

Microsoft released three security bulletins March 10 for Patch Tuesday, including a patch for a critical vulnerability in the Windows kernel affecting the graphics device interface.

According to Microsoft, the Windows kernel does not properly validate input passed from user mode through the kernel component of GDI. The vulnerability could allow hackers to run arbitrary code, and can be exploited by hackers via a malicious EMF or WMF image file.

"This vulnerability provides numerous attack vectors-it can be hosted on a Web page, sent in an e-mail or even exploited locally," said IBM X-Force Threat Response Manager Holly Stewart. "Even though the use of malicious images has been in practice for some time, many end users still do not consider images, documents and other seemingly 'friendly' file formats to be malicious."

The GDI bug is addressed in MS09-006, which fixes a total of three security issues, the other two being handle validation and invalid pointer vulnerabilities. With the exception of the kernel handle vulnerability-which an attacker would have to log on locally to exploit-all of the critical bugs addressed by the bulletin have workarounds that can be used in lieu of a patch. So far, Microsoft has received no reports of attacks on the vulnerabilities.

The other two bulletins plug security gaps rated "important." One fixes a spoofing issue in the Microsoft Windows SChannel authentication component when using certificate-based authentication that can be exploited to authenticate to a server with only an authorized user's digital certificate.

The final bulletin addresses spoofing vulnerabilities affecting Windows DNS Server and Windows WINS Server that could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems.

Missing from March's bulletin is a fix for the zero-day vulnerability affecting Microsoft Office Excel the company issued an advisory on in late February. So far, Microsoft has only reported seeing limited, targeted attacks using the vulnerability. However, the company has publicized workarounds for users concerned about exploitation.

For starters, Microsoft advises customers to use MOICE (Microsoft Office Isolated Conversion Environment) when opening files from unknown or untrusted sources. Users can also leverage Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted senders as well.

"While Excel is used extensively in normal times, its use is now particularly high due to tax season," said John Moyer, CEO of rights management vendor BeyondTrust. "Organizations should pay close attention to the unpatched critical Excel vulnerability in the wild."