Microsoft today fixed a hole that could hand over control of your PC to an attacker if you view one poisoned image on a Web site or in an HTML e-mail. Similar flaws have been heavily targeted by online crooks in the past.
The flaw, MS09-006, involves the way the Windows kernel handles WMF and EMF (Windows Metafile and Enhanced Metafile) images. Simply viewing such an image on an unpatched PC would allow an attacker to execute any command, such as downloading and installing malware, and the risk is rated critical for Windows 2000, XP, Server 2003, Vista and Server 2008.
Mike Reavey, a Microsoft Security Response Center director, says in an explanatory video that this flaw is “probably of interest to all customers using Windows,” but that it “probably won’t be reliably exploited.” However, similar-sounding prior flaws with metafiles were widely targeted, and neither Reavey nor the bulletin says why this one might be any different. So play it safe and be sure to get this patch via automatic updates, and get more info from Microsoft’s bulletin.
A second fix (MS09-007) in Microsoft’s Patch Tuesday patch batch fixes a problem in the Microsoft Windows SChannel authentication component for Web sites. The hole could allow a bad guy to pretend to be a real user if the crook got his hands on the public portion of the user’s authentication certificate, where normally a public and private component are required. The spoofing risk is only rated important, not critical, for Windows 2000, XP, Server 2003, Vista and Server 2008.
The third security fix for this month affects DNS and WINS servers. IT admins will need to apply the patch or risk DNS cache poisoning, an attack that has been successfully used in the past to force entire networks to visit a malicious Web site. See the MS09-008 bulletin for more info, and as with the other two patches, get the fix by running automatic updates.