The vulnerabilities relate to how the operating system renders the Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats, Microsoft said Tuesday in its MS05-053 security bulletin. Two of them could allow a remote intruder to gain complete control over a Windows PC, Microsoft warned in the bulletin, the sole one in its monthly patch cycle.
Microsoft has tagged the security bulletin "critical," its most serious rating. The software maker urges Windows users to install the security update that accompanied the alert as soon as possible to protect against any attacks via the security bugs.
To exploit the flaws, an attacker could craft a malicious image and trick a Windows user to look at it on a malicious Web site or in an HTML e-mail, for example, according to Microsoft. This type of vulnerability could be a conduit for the installation of spyware, Trojan horses, bots or other harmful programs on an unsuspecting user's machine.
While two of the vulnerabilities disclosed on Tuesday could allow an outsider to commandeer a Windows PC, the third is limited in scope and would crash only an application used to view a malformed file, Microsoft said.
Bugs in file format handling are increasingly being uncovered. That's because image formats are complicated, and applications have to support many image file types, experts said. Microsoft in August warned of a similar flaw, which is related to an error in the way Internet Explorer handles JPEG images.
"We will continue to see this type of vulnerabilities in every major application for the foreseeable future," said Neel Mehta, a team leader at Internet Security Systems. "It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications."
Mehta doesn't expect the latest Windows flaws to be exploited in a widespread attack. "We're not bracing for any major worm or malware outbreak, but we do expect them to be used in targeted attacks," Mehta said. "There is user interaction required, there has to be someone sitting at the other end in order to be compromised."
Of the three vulnerabilities, the most serious affects all current Windows operating systems. The two other flaws are found in Windows 2000, Windows XP with Service Pack 1 and Windows Server 2003, but don't exist in Microsoft's latest desktop and server products, Windows XP with SP 2 and Windows Server 2003 with SP1, Microsoft said.
Microsoft is not aware of any malicious code that exploits the two flaws that could allow a PC to be fully compromised, the software maker said. However, code that exploits the third flaw and can crash an application running on Windows has been posted to the Internet, Microsoft said.
Microsoft released only one security bulletin on this November "Patch Tuesday." Mehta suggested that people take the time to catch up on patches. "Because it is quiet, it does give people an opportunity to catch up and make sure they are protected," he said. People who have signed up for Microsoft's update service should receive the patch download automatically.
nt
