News
Microsoft Security Fixes Target Windows Desktop
Microsoft has released its September security patches, fixing critical flaws in the GDI+ software used by Windows
By Robert McMillan, IDG News Service (San Francisco Bureau)
September 10, 2008 — IDG News Service —
Microsoft has released four sets of security updates for its products, fixing critical flaws in the Windows desktop.
The software maker's monthly set of security updates, released Tuesday, mostly fixes problems in the underlying operating system, but also includes a patch for a component of the OneNote note-taking software that is used by Microsoft Office.
In all, eight bugs are squashed in the four sets of patches, but the most critical problem is addressed in the MS08-052 update, according to Andrew Storms, director of security operations with security vendor nCircle. This update fixes five bugs in the Graphics Device Interface+ (GDI+) software used by Windows programs to draw images on computer screens and printers.
GDI+ was first released as part of the Windows XP operating system, and this latest security fix gets top priority because it is so widely used, security experts say. "If you are running XP, 2003 or 2008, you are going to need an update," Storms said via instant message.
Five months ago, hackers targeted a flaw in the older version of GDI, used by Windows 2000 systems. In these attacks, criminals placed maliciously crafted images on Web sites, which were designed to exploit the GDI flaw and install unauthorized software on the victim's machine.
Although Microsoft has not heard of anyone taking advantage of these latest GDI+ bugs in an attack, now that the software patches are available, hackers can probably reverse-engineer one of the flaws and develop new code that exploits the bugs, Storms said.
In its other Windows updates, Microsoft fixed vulnerabilities in the Windows Media Encoder 9, which is not included in the default Windows configuration, and Windows Media Player 11. Media Player 11 is the latest version of the audio and video player that ships with Windows. The Windows Media Encoder 9 is downloaded as part of the beta code for the Advanced Windows Media Plug-In for Adobe Premier 6.5, Microsoft said.
Although several of September's bugs look like they could be used to create some nasty attacks, they primarily affect Windows desktops rather than servers, said Eric Schultze, chief technology officer at Shavlik Technologies. "So your servers sitting in the data center, you're way less at risk with those," he said. "Worry most abut the computers where people are sitting in front of the keyboard."
Other stories by Robert McMillan
Copyright 2009 IDG News Service, International Data Group Inc. All rights reserved.
Microsoft
Privacy and Data Protection Practices
In this Webcast, Larry Ponemon and Compuware will present the results of their benchmark study and discuss what these organizations are doing to safeguard their information assets and comply with the plethora of industry regulations.
Comparing Research in Motion and Microsoft Mobile Solutions
Organizations must look carefully at the requirements of mobile devices and accompanying middleware that can increase cost, complexity and administrative overhead. This white paper provides an independent analysis and detailed comparison of RIM and Microsoft's mobile solution.
- All in the Prep...Protecting Data with DLP
- Privacy and Data Protection Practices in the Financial Services Industry
- Simplifying Risk Management: Is Your Company Measuring Up?
- Insight from an Auditor: Ensuring a Successful PCI Audit
- A Holistic Approach to Compliance Makes Business Sense
- A 2010 Priority - The Real Value of Application Security
Stay current with insightful news and analysis on information security, business continuity, physical security, loss prevention and more with CSO newsletters!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
