MS Patch Tuesday: 8 critical security holes patched
Microsoft shipped four high-priority security bulletins today with patches for at least eight code execution vulnerabilities affecting millions of Windows computer users.
The September Patch Tuesday updates, all rated "critical," correct security flaws in the Windows Media Player, the Windows Media Encoder, Microsoft Office and the Microsoft Windows GDI+ (graphics device interface).
The GDI+ bulletin (MS08-052) documents five different vulnerabilities in the way that GDI+ handles the viewing of malformed images. It is rated critical for all supported versions of Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 and also affects several OS components, Microsoft warned.
The risks from a successful attack are very high:
These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content.
Microsoft also shipped a fix (MS08-053) for a remote code execution vulnerability in the WMEX.DLL ActiveX control installed by the Windows Media Encoder 9 Series.
The vulnerability could allow remote code execution if a user views a specially crafted Web page. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The Windows Media Encoder bulletin is rated "critical" on supported/affected editions of Microsoft Windows 2000, Windows XP and Windows Vista. On Windows Server 2003 and Windows Server 2008, it carries a "moderate" severity rating.
The Windows Media Player 11 (WMP) software is also updated (MS08-054) to fix a remote code execution vulnerability in the way that audio-only files streamed from a Windows Media Server in a server-side playlist are handled.
An attacker could exploit the vulnerability by constructing a specially crafted audio file that could allow remote code execution when streamed from a Windows Media server using Windows Media Player 11. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
The fourth bulletin (MS08-055) fixes a protocol handler flaw in the way that Microsoft Office handles URLs using the OneNote protocol handler (onenote://).
The vulnerability could allow remote code execution if a user clicks a specially crafted OneNote URL. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft's response to this issue provides a neat behind-the-scenes look at the company's response process.
On the SWI team blog, Jonathan Ness explained that an external researcher reported the OneNote vulnerability as an "information disclosure" problem that required an "important" bulletin/fix.
However, as part of Microsoft's response process, the product teams are required to audit the code to look for additional problem areas:
When we dug into the vulnerability during our 'hacking-for-variations' investigation, we found that OneNote used mso.dll to process parameters passed in via the protocol handler. More investigation turned up a buffer overrun vulnerability in mso.dll that could be triggered by passing arguments to the onenote:// protocol handler. Now the case's severity rating was bumped up from Important to Critical with the effect being changed from Information Disclosure up to Remote Code Execution.
Ness said the vulnerable MSO.dll is used by almost all versions of Office and some developer tools for shared Office functionality, which means that MS08-055 shipped a patch for all computers with OneNote 2007 installed (the external information disclosure report) and also all computers that have Office 10, 11, or 12 (due to the internal find).
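To inventory the attack surface this story points to, the following added example (not from the article or from Microsoft) lists the URL schemes registered in a Windows registry export and flags those whose open command forwards the URL to the handler. It relies on the fact that Windows registers a scheme under HKEY_CLASSES_ROOT with a "URL Protocol" value; the sample export, its paths and the demo-scheme name are constructed.

```python
import re

# Constructed sample in .reg export format (not from a real system).
# regedit writes UTF-16 files; decode before passing the text in.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\onenote]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\onenote\shell\open\command]
@="\"C:\\placeholder\\notes.exe\" --open \"%1\""
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="notepad.exe %1"
[HKEY_CLASSES_ROOT\demo-scheme]
"URL Protocol"=""
[HKEY_CLASSES_ROOT\demo-scheme\shell\open\command]
@="\"C:\\placeholder\\demo.exe\""
'''

SECTION = re.compile(r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)((?:\\[^\]]+)?)\]$', re.I)
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def unquote(s):
    # .reg strings are double-quoted, with \\ and \" as escapes.
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        return re.sub(r'\\(.)', r'\1', s[1:-1])
    return s  # e.g. hex(2): data (REG_EXPAND_SZ), not decoded here

def url_handlers(reg_text):
    """Map each registered URL scheme to its open command."""
    schemes, commands = set(), {}
    scheme = subkey = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            scheme, subkey = m.group(1).lower(), m.group(2).lower()
            continue
        m = VALUE.match(line)
        if not m or scheme is None:
            continue
        if subkey == "" and unquote(m.group(1)).lower() == "url protocol":
            schemes.add(scheme)  # this value marks the key as a URL scheme
        elif subkey == r"\shell\open\command" and m.group(1) == "@":
            commands[scheme] = unquote(m.group(2))
    return {s: {"command": commands.get(s),
                "passes_url": any(t in commands.get(s, "").lower()
                                  for t in ("%1", "%l"))}
            for s in sorted(schemes)}

if __name__ == "__main__":
    for name, info in url_handlers(SAMPLE_REG).items():
        print(name, info)
```

Handlers flagged with `passes_url` receive attacker-influenced text on their command line, so they are the ones to prioritise for patching and review.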
See our previous coverage of protocol handler security issues:
Command injection flaw found in IE: Or is it Firefox?
Microsoft should block that IE-to-Firefox attack vector
Mozilla caught napping on URL protocol handling flaw
Protocol abuse adds to Firefox, Windows security woes
Mozilla fixes its end of URL protocol handling saga
* Image source: Paul Keller's Flickr photostream (Creative Commons 2.0)
Talkback
Nice to see the community at work
What do I think ... I think that was the root ...
"Did Microsoft 'patch' play a part in London Stock Exchange meltdown?" (http://blogs.zdnet.com/microsoft/?p=1578)
Not unless the LSE had early access to the patches.
Don't you think? timing is everything
IMO you're reaching. However assuming for the moment...
A more reasonable explanation would be they recently applied the previous month's patches. But from what I've read I see nothing indicating patches were the problem. So, IMO, it's a moot point.
RE: MS Patch Tuesday: 8 critical security holes patched
Proof one: This flaw doesn't happen on Mac OS X or Linux with Firefox browser.
Proof two: This flaw does occur on a Microsoft Windows system with any browser that doesn't attempt to block this flaw on the browser side. Even if they tried to block it, the OS will still allow this flaw to run.
Remember, Microsoft packaged Internet Explorer as part of the Windows OS, so MS never fixed this flaw since they "separated" Windows from Internet Explorer.
I don't know why they don't want to fix this flaw.
RE: MS Patch Tuesday: 8 critical security holes patched
I hope Win7 can minimize this, but it won't
RE: MS Patch Tuesday: 8 critical security holes patched
the PC booted up next day (today) while running still like DOS it blanked (or CLS) and at the top ran a line that read something like: Rechecking hardware configuration. It was unexpected and a bit fast to catch.