December 12, 2006 12:37 PM PST

Microsoft patches zero-day Windows Media flaw

Related Stories

Second zero-day flaw found in Word

December 11, 2006

No fix yet for zero-day flaw in Word

December 7, 2006

Attack code out for Visual Studio flaw

November 1, 2006
Microsoft on Tuesday released seven security updates with patches for 11 security vulnerabilities, most of which affect the Windows operating system.

The software maker originally planned to release only six security bulletins as part of its monthly patch cycle. However, it added a seventh to deliver a fix for two flaws that affect the Windows Media Format, including one zero-day bug, a company representative said in a statement.

Microsoft also provided a patch for a zero-day vulnerability that affects Visual Studio 2005 developer tools. This security hole was disclosed last month and, contrary to the Windows Media issue, has already been used in cyberattacks, the company said.

However, there were no fixes Tuesday for a pair of known flaws in Microsoft Word that are also being exploited in malicious software.

"While we see Microsoft making an attempt to patch zero-day vulnerabilities, they are still struggling to keep up with the continuous influx of zero-day attacks," said Amol Sarwate, a research manager at vulnerability management company Qualys. "Microsoft is making a genuine effort. However, users are still exposed to attacks via the unpatched Word vulnerabilities."

Particulars of patches
The Windows Media issues are addressed in bulletin MS06-078, one of three "critical" security updates published by Microsoft on this "Patch Tuesday." The other high-risk vulnerabilities lie in Internet Explorer and in Visual Studio 2005.

Somebody could exploit the Windows Media flaws by tricking a user into opening a rigged media file or stream, Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," it said.

Four vulnerabilities in Internet Explorer expose Windows PCs to a similar risk. Somebody could exploit the holes in the Web browser creating a malicious Web site, Microsoft said. None of the IE flaws had been previously disclosed, it said.

Deemed less serious by Microsoft are problems that affect the Windows Simple Network Management Protocol service, the Windows Client-Server Run-time Subsystem and the Windows Remote Installation Services, the company said. These were all rated "important"--one notch less serious than Microsoft's highest rating of "critical."

A vulnerability in the Outlook Express mail client was also tagged as "important."

Though Microsoft rates the SNMP flaw "important," it should still be considered very serious for business users, said Gunter Ollmann, director of IBM Internet Security Systems' X-Force unit.

"Although SNMP is not a default service, it is the de facto standard for monitoring critical business assets," Ollmann said in an e-mailed statement. "Because SNMP uses user datagram protocol, which doesn't require a handshake, internal attackers can spoof an identity and gain complete control of the network."

Microsoft offers a summary of its patches on its Web site. The fixes will be delivered via Automatic Updates in Windows and are available on Microsoft's Web site.

See more CNET content tagged:
SNMP, Windows Media Format, flaw, Microsoft Visual Studio 2005, patch management

14 comments

Join the conversation!
Add your comment
excuse
They used it as an excuse to make everyone upgrade to windows media player 11! Jackasses! I didn't want 11!
Posted by mattumanu (599 comments )
Reply Link Flag
update
I just got off the phone with Microsoft. It turns out that windows media player itself is being sent an update today as well as the usual security updates. If you click to accept the update through WMP, you get WMP 11 as well as the security update for the vunerability.

If you go to windows update you get only the security update. Microsoft messed this up. Why they are sending out updates for WMP on the same day as patch tuesday is beyond me.
Posted by mattumanu (599 comments )
Link Flag
Objection over-ruled
Perhaps you should read what you are installing before you click yes, instead of blaiming Microsoft for your laziness. And what do you have to loose with upgrading Windows Media Player afterall? If version 10 is less secure than version 11 it makes all sense they are asking people to upgrade.
Posted by Ryo Hazuki (378 comments )
Link Flag
Objection over-ruled
Perhaps you should read what you are installing before you click yes, instead of blaiming Microsoft for your laziness. And what do you have to loose with upgrading Windows Media Player afterall? If version 10 is less secure than version 11 it makes all sense they are asking people to upgrade.
Posted by Ryo Hazuki (378 comments )
Link Flag
Which One?
There were two you know?

Which ONE did they patch and why didn't they patch the other one and why did it take them so long to patch this one?

Those are the things that make NEWS newsworthy!!!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
Patch another one, just like the other one, you've been hanging onto it
and now your gonna get hit.

Sang to the tune of Don't Bogart Me.
Posted by slim-1 (229 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.