IT Blogwatch

A Daily Digest of IT Blogs from Richi Jennings

Patch Tuesday patches eight critical vulns.

In Wednesday's IT Blogwatch, we wonder how important the patches were on Patch Tuesday—critically important, it turns out—but Apple scores 18 vulnerabilities to Microsoft's paltry eight. Not to mention fun with Google Images...

Gregg Keizer reports:

Microsoft Corp. today patched eight vulnerabilities, all rated critical, in four security updates for Windows, Office, Windows Media Player, Internet Explorer 6, SQL Server and other programs.
...
MS08-052 ... the one most crucial to apply immediately, fixes a total of five vulnerabilities in the GDI+ component of Windows. GDI+ (Graphics Device Interface) debuted in Windows XP and is a core part of Windows Vista and the current server-side operating systems, Windows Server 2003 and Windows Server 2008 ... Hackers could exploit the GDI+ bugs by sending specially-crafted image files in a variety of formats -- including EMF, GIF, WMF and BMP -- to a user via e-mail, or by convincing users to visit sites that contain malicious image files ... attackers might be able to recycle older code to craft an attack.


Dan Goodin adds:

[The] updates ... patch at least eight vulnerabilities in the various Windows operating systems and Office programs. If you use either, you'll want to install them sooner rather than later.
...
The GDI engine contains five separate vulnerabilities that could allow an attacker to install malware on a system when it loads a specially crafted image file. For whatever reason, GDI flaws seem to be the vulnerability of choice of attackers. Earlier this year, after Microsoft repaired a previous image-rendering bug, exploits found their way onto the net two days later. Four years ago, a toolkit exploiting a similar GDI flaw was released shortly after it was patched. Take note: There seems to be a pattern here of reverse engineering these types of updates to create in-the-wild attack code.

Microsoft also patched a bug in multiple versions of Office that could lead to remote code execution when a user clicks on a maliciously crafted OneNote protocol handler. The remaining two bulletins fix flaws in Windows Media Player and Windows Media Encoder, both of which could also allow an attacker to remotely install malware on a victim's machine.
...
Lest Apple users feel left out, that company has issued a raft of its own security fixes, and some of those look equally important.


Larry Seltzer takes a bite:

Apple issued a series of updates today to the iPod Touch, QuickTime and iTunes, covering 18 different vulnerabilities. It's not the first time Apple has released a big update on Microsoft's regularly-scheduled Patch Tuesday, perhaps hoping for lesser headlines.

7 of the vulnerabilities are in the iPod Touch ... in the application sandbox, in the graphics system, in the Webkit HTML engine, and in networking code.

9 vulnerabilities are in Quicktime ... All of them data parsing bugs ("...reading data from a maliciously-crafted .blah file could lead to abnormal program termination and remote code execution..."). Several of the vulnerabilities are only on the Windows version of the program.

Finally, the new iTunes 8.0 fixes 2 security vulnerabilities. One is only on the Mac and is merely a misleading notification dialog box related to the Apple Firewall. The other vulnerability is Windows-only.


Whither Stephen Withers? [Australia; now get on with it -Ed.]

Once again, the handling of media files has proved fertile ground for vulnerability hunters ... all an attacker would need to do is add the image to a web page (think of all the popular sites that display user-generated content) or insert it into a Word document that is then spammed out to potential victims. When the image is displayed, code within the exploit file would be executed with the same rights as the current user.
...
Not only does the update install a new version of the gdiplus.dll file, it also includes a Windows Side by Side Cache rule to prevent applications requesting and receiving an older version that still contains the flaw.
...
September's fourth flaw affects Office XP, 2003, and 2007, plus OneNote 2007 ... It only seems possible to exploit the issue if OneNote is actually installed ... [but] Microsoft recommends that all users of these programs apply the update, whether or not OneNote is installed.


Le Manh Tung and Nguyen Minh Duc claim to have found one of the bugs:

We have recently found a stack-based overflow bug in the library used by Windows Media Encoder, a piece of Microsoft software. This is an ActiveX control related vulnerability permitting a hacker to perform a remote attack and take complete control of the affected system. Rating this vulnerability a very critical one, we have informed Microsoft of the case in detail.
...
The vulnerability is caused due to a boundary error in the IWMEncProfileManager interface of the ActiveX control (wmex.dll) when handling the “GetDetailsString()” method. This can be exploited to cause a stack-based buffer overflow by passing an overly long string as an argument to the affected method, making it possible for the attacker to execute arbitrary code on the user’s system.

Taking advantage of the flaw, a hacker may trick users into visiting his website, which contains malicious code. Right after that, the code would be executed, giving him the privilege to make use of the affected system. However, a hacker can only exploit it successfully if the web browser in use is Internet Explorer, due to the fact that this is an ActiveX control exploitation.
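The defect class Bkis describes, a string argument copied into a fixed-size stack buffer without a length check, is shown below beside its hardened form. This is an added illustration, not code from wmex.dll or from the researchers; the method name, the 64-byte buffer size and the "details: " formatting are assumptions that only model the pattern.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size stack buffer; the real control's layout is unknown. */
#define DETAILS_MAX 64

/* Defective pattern (do not use): the argument length is never checked,
 * so any argument of DETAILS_MAX bytes or more overruns the stack buffer.
 * Kept here only to show the boundary error; it is never called on long input. */
int get_details_unchecked(const char *arg, char *out, size_t out_len) {
    char details[DETAILS_MAX];
    strcpy(details, arg);                 /* unbounded copy: the boundary error */
    snprintf(out, out_len, "details: %s", details);
    return 0;
}

/* Bounded length scan that never reads past 'limit' bytes. */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* Hardened pattern: reject NULL and anything that does not fit, copy only
 * the measured bytes, and always terminate. Returns 0 on success, -1 on reject. */
int get_details_checked(const char *arg, char *out, size_t out_len) {
    char details[DETAILS_MAX];
    if (arg == NULL || out == NULL || out_len == 0) return -1;
    size_t n = bounded_len(arg, DETAILS_MAX);
    if (n >= DETAILS_MAX) return -1;      /* fail closed on overly long input */
    memcpy(details, arg, n);
    details[n] = '\0';
    snprintf(out, out_len, "details: %s", details);
    return 0;
}

/* Constructed check: a 199-byte argument must be rejected, not copied.
 * Returns 1 when the hardened method refuses it. */
int checked_rejects_long_input(void) {
    char longarg[200];
    char out[128];
    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';
    return get_details_checked(longarg, out, sizeof out) == -1;
}

int main(void) {
    char out[128];
    if (get_details_checked("profile-a", out, sizeof out) == 0) puts(out);
    printf("long input rejected: %d\n", checked_rejects_long_input());
    return 0;
}
```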


Ondrej Schmotzer looks back:

We've seen Microsoft patch vulnerabilities in Windows that we swear we'd seen before, and sometimes they all look so much alike that they tend to run together. But this one really is a classic: a buffer overrun triggered by a fake image file.

Who can forget the tumultuous days of 2004, when what was then considered a major threat to Windows loomed large: a way to easily trigger a buffer overrun in GDI, Microsoft's once-improved Graphics Device Interface library? While patches were finally distributed that September, it seemed the company's eventual solution -- a completely new graphics foundation, WPF -- couldn't come too soon.


And finally...

Buffer overflow:



Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 22-year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.
