Microsoft Ships First Vista Security Patches

Beta testers running the Windows Vista December CTP and Windows Vista Beta 1 are urged to apply the patches, which provide protection from the WMF/Graphics Rendering Engine vulnerability.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Microsoft Corp. has shipped the first critical security update for Windows Vista, the next version of its flagship operating system.

Over the weekend, the company released patches for beta testers running the Windows Vista December CTP (Community Technology Preview) and Windows Vista Beta 1, and warned that the new operating system was vulnerable to a remote code execution flaw in the Graphics Rendering Engine.

A Microsoft spokesperson told eWEEK that the Vista patches address the same vulnerability that led to the WMF (Windows Metafile) malware attacks earlier this month.

Microsofts out-of-cycle security update for the WMF vulnerability makes no mention of Windows Vista being vulnerable, but with the release of this weekends patches it is clear that the poorly designed "SetAbortProc," the function that allows printing jobs to be cancelled, was ported over to Vista.

/zimages/1/28571.gifMore WMF flaws have been flagged. Click here to read more.

Microsoft also moved swiftly to dismiss speculation in some quarters that the WMF flaw was a "back door" placed in Windows intentionally by the Redmond, Wash., software maker.

/zimages/1/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

On the MSRC (Microsoft Security Response Center) blog, program manager Stephen Toulouse said the SetAbortProc functionality was a component of the graphics rendering environment needed for applications to register a callback to cancel printing, before the WMF file format even existed.

/zimages/1/28571.gifTo read about spyware protection in the upcoming Vista operating system, click here.

"Remember, those were the days of cooperative multitasking, and the only way to allow the user to cancel a print job would be to call back to them, usually via a dialog. Around 1990, WMF support was added to Windows 3.0 as a file-based set of drawing commands for GDI to consume," Toulouse said.

"The SetAbortProc functionality, like all the other drawing commands supported by GDI, was ported over (all in assembly language at this point) by our developers to be recognized when called from a WMF. This was a different time in the security landscape and these metafile records were all completely trusted by the OS. To recap, when it was introduced, the SetAbortProc functionality served an important function," he added.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.