November 8, 2005 11:44 AM PST

Image-handling flaws put Windows PCs at risk

Three security flaws in the way Windows handles certain graphics files could create an opening for spyware and Trojan horse attacks, Microsoft has warned.

The vulnerabilities relate to how the operating system renders the Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats, Microsoft said Tuesday in its MS05-053 security bulletin. Two of them could allow a remote intruder to gain complete control over a Windows PC, Microsoft warned in the bulletin, the sole one in its monthly patch cycle.

Microsoft has tagged the security bulletin "critical," its most serious rating. The software maker urges Windows users to install the security update that accompanied the alert as soon as possible to protect against any attacks via the security bugs.

To exploit the flaws, an attacker could craft a malicious image and trick a Windows user to look at it on a malicious Web site or in an HTML e-mail, for example, according to Microsoft. This type of vulnerability could be a conduit for the installation of spyware, Trojan horses, bots or other harmful programs on an unsuspecting user's machine.

While two of the vulnerabilities disclosed on Tuesday could allow an outsider to commandeer a Windows PC, the third is limited in scope and would crash only an application used to view a malformed file, Microsoft said.

Bugs in file format handling are increasingly being uncovered. That's because image formats are complicated, and applications have to support many image file types, experts said. Microsoft in August warned of a similar flaw, which is related to an error in the way Internet Explorer handles JPEG images.

"We will continue to see this type of vulnerabilities in every major application for the foreseeable future," said Neel Mehta, a team leader at Internet Security Systems. "It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications."

Mehta doesn't expect the latest Windows flaws to be exploited in a widespread attack. "We're not bracing for any major worm or malware outbreak, but we do expect them to be used in targeted attacks," Mehta said. "There is user interaction required, there has to be someone sitting at the other end in order to be compromised."

Of the three vulnerabilities, the most serious affects all current Windows operating systems. The two other flaws are found in Windows 2000, Windows XP with Service Pack 1 and Windows Server 2003, but don't exist in Microsoft's latest desktop and server products, Windows XP with SP 2 and Windows Server 2003 with SP1, Microsoft said.

Microsoft is not aware of any malicious code that exploits the two flaws that could allow a PC to be fully compromised, the software maker said. However, code that exploits the third flaw and can crash an application running on Windows has been posted to the Internet, Microsoft said.

Microsoft released only one security bulletin on this November "Patch Tuesday." Mehta suggested that people take the time to catch up on patches. "Because it is quiet, it does give people an opportunity to catch up and make sure they are protected," he said. People who have signed up for Microsoft's update service should receive the patch download automatically.

2 comments

Join the conversation!
Add your comment
I swear...
...when will News.com quit reporting old hat and hit on something UNIQUE and NEWSWORTHY? Something like, "MS Scores with Unexploitable Text Files," would really be UNIQUE.
Posted by `WarpKat (275 comments )
Reply Link Flag
C|NET is constrained by...
...the minor issue that they're obliged to report fact not fiction. :p
Posted by i_made_this (302 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.