Three Critical Security Updates From Microsoft

Microsoft published three security updates this month, all of which are rated critical. As you know, the update for Windows Metafiles (WMF), "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)," was made available early this month due to the nature of the problem. Two new updates were also released.

Next Generation Security (NGS) Software discovered vulnerabilities in Exchange and Outlook. Intruders could cause remote code to run on an affected system due to the way Exchange and Outlook process messages with Transport Neutral Encapsulation Format (TNEF) MIME attachments. This particular problem presents a double whammy since it affects both the mail server and the email client, and a successful exploit could allow a remote intruder to take complete control of an affected system. Microsoft's bulletin, "Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)," explains that Exchange Server 5.x, Exchange Server 2000, Outlook 2000, Outlook 2002, and Outlook 2003 are all vulnerable.

eEye Digital Security discovered a vulnerability in the way Windows handles Embedded OpenType (EOT) fonts, typically used in Web pages and HTML-based email. The vulnerability could be used by a malicious Web site developer to execute arbitrary code on an affected system, and it could also be triggered by a specially crafted email message. In either case a successful exploit might allow an intruder to take complete control of an affected system. Due to its nature, this particular problem affects all Windows platforms going back to Windows 98.

Microsoft's bulletin, "Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)," suggests a couple of workarounds if you can't load the patch right away. The first workaround is to view email only as plain text, which is pretty good advice even without the existence of such a vulnerability. The second workaround is to configure Internet Explorer's Font Download setting to either Prompt or Disable. Because of the potential severity of this particular vulnerability, along with the ease with which it could be exploited, it might be best to disable font downloads until you can load the patch.
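If you apply the Font Download workaround by hand or via Group Policy, you will want a way to verify it across machines. The script below is an added example, not part of the bulletin or this article; it assumes Internet Explorer stores the per-zone Font Download setting under the Internet Settings\Zones registry key as a DWORD named "1604" (the URLACTION_HTML_FONT_DOWNLOAD action) with 0 = Enable, 1 = Prompt, 3 = Disable, and that zone 3 is Internet and zone 4 is Restricted sites.

```powershell
# Report the IE "Font Download" setting per security zone and flag any
# zone that still allows fonts to download. Registry layout and value
# meanings are assumptions from IE documentation, not from the bulletin.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ValueName = '1604'   # URLACTION_HTML_FONT_DOWNLOAD, expressed in hex as IE stores it

function Get-FontDownloadSetting {
    param([string]$Hive = 'HKCU')   # check HKLM too when policy is machine-wide
    $base = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    foreach ($zone in 0..4) {
        $key = Join-Path $base $zone
        $raw = $null
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        }
        # A missing value means IE falls back to the zone's default template,
        # which for the Internet zone is Enable; treat "unset" as not hardened.
        $state = if ($null -eq $raw) { 'Unset (zone default)' } elseif ($Meaning.ContainsKey([int]$raw)) { $Meaning[[int]$raw] } else { "Unknown ($raw)" }
        [pscustomobject]@{
            Hive     = $Hive
            Zone     = $zone
            Name     = $ZoneNames[$zone]
            Setting  = $state
            Hardened = ($raw -eq 1 -or $raw -eq 3)
        }
    }
}

$results = Get-FontDownloadSetting -Hive 'HKCU'
$results | Format-Table -AutoSize

# The workaround matters most for content from untrusted sources, so call out
# the Internet and Restricted sites zones explicitly.
$exposed = $results | Where-Object { $_.Zone -in 3,4 -and -not $_.Hardened }
if ($exposed) {
    Write-Warning ("Font Download still enabled in: " + (($exposed | ForEach-Object Name) -join ', '))
} else {
    Write-Host "Font Download is set to Prompt or Disable for the Internet and Restricted sites zones."
}
```

Run it under each user profile you care about, since the setting lives in HKCU unless it has been pushed out as a machine policy.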

So there you have it: Three very serious problems that warrant your considerable and immediate attention.
