Microsoft issued a critical patch for two vulnerabilities in the core graphics subsystem of Windows, one of eight fixes released Tuesday as part of its monthly security updates.
Microsoft released a total of five critical patches in its April security bulletin. Two of them fix bugs in Windows, two fix bugs in Windows and Internet Explorer (IE), and one fixes a vulnerability in Microsoft Office. The critical rating means an attacker could potentially exploit the flaws to hack into a victim's computer.
The other patches fix vulnerabilities in Windows and Office and were rated "important." Microsoft releases patches on the second Tuesday of every month, which has become known in the industry as "Patch Tuesday."
MS08-021 fixes two vulnerabilities in Windows' graphics device interface (GDI), one of three core Windows subsystems, that could allow a hacker to take over someone's computer if a user opens certain kinds of image files, according to Microsoft.
Eric Schultze, chief technology officer of security and patch-management company Shavlik Technologies, said the GDI patch is the most important because it fixes vulnerabilities that could create "a trifecta of problems" across all versions of Windows, from Windows 2000 to the latest Windows Server 2008 release. "If you visit an evil Web site, read an evil e-mail or open an evil document, you can get hacked," he said.
Schultze said the GDI issue has come up twice before, "dating back to January 2006," which means that this is Microsoft's third attempt at fixing the problems. "Hackers have come up with different variants" to attack the same vulnerabilities, he said.
Of the five patches marked critical, Schultze recommended that users also immediately install two others -- MS08-022, which affects Windows, and MS08-024, which affects both Windows and IE.
MS08-022 patches a vulnerability in VBScript and JScript scripting engines in Windows that originally was supposed to be patched in January, but Microsoft pulled the patch at the last minute because it wasn't ready, Schultze said. MS08-24 patches a vulnerability found in all versions of IE.
Amol Sarwate, manager of the Vulnerability Research Lab at security service provider Qualys, agreed that MS08-021 and MS08-022 are among the top three most important patches, but considers critical patch MS08-023 more important than MS08-022. MS08-023 fixes an ActiveX vulnerability that affects both Windows and Internet Explorer.
In Sarwate's opinion, MS08-021, MS08-022 and MS08-023 are especially important for users because they affect all versions of Windows, even if no other software is installed on the machine.
He also noted that because five of the eight patches affect both early client and server versions of Windows through the most current Windows Vista and Windows Server 2008 OSes, hackers are taking advantage of Microsoft's reuse of code throughout different versions of the OS.
The fifth critical patch, MS08-018, affects Microsoft Office, fixing a vulnerability that can be exploited when a user opens an Office Project file.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
Sterling Commerce Speeds Long-Distance Delivery of Large Files 2008-12-03 09:28:00+11
FrontRange Solutions launches HEAT Plus Mobile to reduce help desk costs and improve service management productivity 2008-12-02 15:15:00+11
AARNet Helps to Advance Indigenous Health 2008-12-02 12:44:00+11
Orbis selects Telstra International as its data centre partner for the UK, Europe and Middle East Region 2008-12-02 11:23:00+11
ComOps Deploys Corporate Performance Reporting Solution For Healthcare Test Manufacturer 2008-12-02 10:09:00+11
IT Service Management Needs and Adoption Trends: An Analysis of a Global Survey of IT Executives
IT executives face the need to improve service delivery with limited resource increases. Two common strategies for achieving this are network and systems management tools and datacenter consolidation. Read on to disocover how you can make a strong business case for IT Consolidation.
Buying Guides
Buying Guides
