Windows Patch Aimed at Picture-File Vulnerability
Microsoft on Tuesday issued three security bulletins that address a total of eight vulnerabilities. One of the bulletins is rated critical; the other two are rated important.
"This month's critical vulnerability affects the Windows kernel and can allow an attacker to gain complete control of a user's machine simply by the user viewing a Web site infected with a malicious .WMF or .EMF picture file," said Alfred Huger, vice president of development at Symantec Security Response.
Huger said it would also be possible for a user to fall victim to this vulnerability by opening an HTML e-mail or an e-mail attachment containing the same type of malicious files.
"What's more is that it is possible for an attacker to disguise .WMF and .EMF files as other common picture file types, such as a .JPG, in order to fool users who are exercising greater caution around viewing lesser-known file types," Huger added.
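The disguise Huger describes works because Windows picks the rendering path from the file's content, not its extension. As an added, defender-side illustration (not code from the article, Symantec or Microsoft), the following Python sniffs a file's leading bytes against the standard JPEG, WMF (placeable key and plain META_HEADER) and EMF (EMR_HEADER) signatures and flags metafiles that arrive under another extension. The sample headers are constructed, not captured files; the function and sample names are this example's own.

```python
import struct

# Format signatures (standard values from the JPEG, WMF and EMF specifications).
JPEG_MAGIC = b"\xff\xd8\xff"               # SOI marker followed by the next marker prefix
WMF_PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # placeable-metafile Key 0x9AC6CDD7, little-endian
EMF_SIGNATURE = b" EMF"                    # Signature 0x464D4520 at offset 40 of EMR_HEADER

# Which content type each extension claims to carry.
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".wmf": "wmf", ".emf": "emf"}


def sniff_image_type(data: bytes) -> str:
    """Identify the real container format from its leading bytes, ignoring the file name."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(WMF_PLACEABLE_MAGIC):
        return "wmf"
    if len(data) >= 6:
        # Plain WMF META_HEADER: Type 1 (memory) or 2 (disk), HeaderSize 9 words,
        # Version 0x0100 or 0x0300.
        mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if len(data) >= 44:
        # EMF EMR_HEADER: record Type 0x00000001 at offset 0, " EMF" at byte offset 40
        # (after the 4-byte Size and the two 16-byte RECTL fields Bounds and Frame).
        if struct.unpack_from("<I", data, 0)[0] == 1 and data[40:44] == EMF_SIGNATURE:
            return "emf"
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (claimed, actual, flagged); flagged when a metafile hides behind another extension."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_image_type(data)
    flagged = actual in ("wmf", "emf") and claimed != actual
    return claimed, actual, flagged


def scan(files):
    """Scan a {name: bytes} mapping and return the names whose content is a metafile
    but whose extension says otherwise (a gateway or mail filter would quarantine these)."""
    return [name for name, data in files.items() if extension_mismatch(name, data)[2]]


# Constructed sample headers (not real captured files): only the bytes the sniffer inspects.
SAMPLES = {
    "holiday.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00",
    "chart.wmf": WMF_PLACEABLE_MAGIC + b"\x00" * 18,
    "photo.jpg": WMF_PLACEABLE_MAGIC + b"\x00" * 18,                   # placeable WMF renamed to .jpg
    "logo.jpeg": struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12,     # plain WMF renamed to .jpeg
    "diagram.gif": b"\x01\x00\x00\x00" + b"\x00" * 36 + EMF_SIGNATURE + b"\x00" * 4,  # EMF renamed
    "notes.txt": b"hello world",
}

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print(f"{name}: extension does not match the embedded metafile header")
```

The check is deliberately narrow: it does not try to parse the metafile records, only to answer "is this really a WMF/EMF?", which is the question a mail or web gateway needs before deciding whether GDI will ever see the bytes.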
A Plagued Component
One of the three bulletins this month addresses a couple of the most plagued components of Microsoft's operating system -- GDI and GDI+. The graphics-rendering components in Windows have been patched numerous times in the past few years.
"With GDI, simply opening a tainted graphic file could cause malware to run with administrative privileges, leaving the target machine open to remote malware execution," said Andrew Storms, director of security operations at nCircle. "Attack scenarios will likely use e-mail to lure users to Web sites hosting specially crafted image files. Unsuspecting users going about their normal business on the Web are likely to suddenly find themselves infected."
Microsoft's DNS server has been patched a number of times in the past -- most recently in mid-2008 when Dan Kaminsky orchestrated a multi-vendor same-day release to address fundamental issues in the way DNS functions. Before that, Storms noted, Microsoft DNS was updated in 2007 to fix a...