Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
Microsoft patches image, DNS flaws
Published: 2009-03-10

Microsoft closed eight vulnerabilities on Tuesday, including a single critical flaw in the way that the Windows kernel handles image files.

The three patches closed three holes in the Windows kernel, a vulnerability in the library that handles Secure Sockets Layer (SSL) encryption, and four security issues in the DNS and WINS server software included with some versions of the Windows operating system. The most serious vulnerability appeared to be a flaw in the way that the Windows kernel's graphic device interface (GDI) handled certain image files, according to the software giant's advisory, which gave the flaw a Critical rating.

IBM's X-Force research team also flagged the security issue as a serious one.

"This vulnerability provides numerous attack vectors — it can be hosted on a Web page, sent in an email, or even exploited locally," Holly Stewart, X-Force Threat Response Manager for IBM Internet Security Systems, said in a statement sent to SecurityFocus. "Even though the use of malicious images has been in practice for some time, many end users still do not consider images, documents and other seemingly 'friendly' file formats to be malicious."

While Microsoft rated the exploitability of the two of the kernel handling vulnerabilities a "3 - Functioning exploit code unlikely" and the other issue a "2 - Inconsistent exploit code likely." None of the eight vulnerabilities were considered to be consistently exploitable, according to Microsoft's bulletin summary.

The three flaws in the domain name system (DNS) server and a fourth flaw in the WINS server could allow spoofed network address information to be returned, allowing poisoning and redirection attacks, Microsoft stated in its advisory. All four flaws were rated Important by the firm.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
    Digg this story   Add to  
Comments Mode:


Privacy Statement
Copyright 2009, SecurityFocus