Microsoft's August Patch-Tuesday
By Max Brenn
14:49, August 15th 2007

The Redmond software behemoth has issued 9 patches for vulnerabilities and bugs that affect Windows XP and Vista, Office 2003 and Office 2007; 6 of the flaws are considered critical.

The recent software updates take second place in a ranking of “most numerous flaws fixed in 2007”, the first place being held by the 12 patches released on February 12.

The fixes released yesterday address critical vulnerabilities in a section of the Windows operating system called XML Core Services.

XML Core Services (formerly known as MSXML, for Microsoft Extensible Markup Language or XML) is an application for processing Extensible Stylesheet Language Transformation (XSLT) in an XML file. Based on Microsoft's Component Object Model (COM), XML Core Services is essentially an application programming interface (API) to an XML parser and the XPath processor. The parser organizes the XML data into a tree structure for processing, and the processor converts the XML to Hypertext Markup Language (HTML) for display.

XML Core Services works in conjunction with Internet Explorer and is also a technology that makes the JavaScript language perform under Windows, so it’s no wonder that four out of the six vulnerabilities deemed critical in this recent batch of updates have something to do with Web browsing.

The XML Core Services patch, however, also benefits Office 2003 Service Pack 2 and Office 2007, since they both use the same technology.

Users running Windows OS or Office without the recent fixes installed are in danger of getting their machines hijacked by malevolent persons, who could successfully exploit the aforementioned XMLCS flaws by running malicious code, using bogus links in an e-mail or an IM window or luring unsuspecting victims to access a fake, malware-infected site.

Another important patch released on Tuesday is related to a core operating system component called Object Linking and Embedding (OLE) automation, a technology that allows embedding and linking to documents and other objects (for example, a desktop publishing system might send some text to a word processor or a picture to a bitmap editor using OLE).

Microsoft says that “This critical security update resolves a privately reported vulnerability. This vulnerability could allow remote code execution if a user viewed a specially crafted Web page. The vulnerability could be exploited through attacks on Object Linking and Embedding (OLE). Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This is a critical security update for all supported editions of Windows 2000, Windows XP, Office 2004 for Mac, and Visual Basic 6. For other affected editions of Windows, this update is rated moderate. This security update addresses the vulnerability by adding a check on memory requests within OLE Automation.”

The Redmond software and hardware behemoth has also looked into a vulnerability that has to do with what is called the GDI or Graphics Device Interface. The GDI is one of the three core components or "subsystems", together with the kernel and the user (window manager), of Microsoft Windows. GDI is responsible for tasks such as drawing lines and curves, rendering fonts and handling palettes.

This is how Microsoft describes GDI: "enables applications to use graphics and formatted text on both the video display and the printer. Windows-based applications do not access the graphics hardware directly. Instead, GDI interacts with device drivers on behalf of applications."

Malevolent persons can send you an e-mail with a specially crafted attachment containing a corrupted image. If you click to open the image – and don't have this patch installed – chances are you're immediately hosed with a drive-by download or some other type of attack that's equally unpleasant. Alternately, you could be tricked into visiting a Web site with the rigged image.

Although Microsoft touted Windows Vista as its most secure OS ever released, the recent batch of fixes includes an update that addresses a hole in the “gadgets” section of the desktop, which, among others, delivers RSS feeds.

According to Microsoft's security bulletin, Windows users who subscribe to a malicious RSS feed, add a malicious contact file or click on a malicious weather link could open the door for an attacker to run code on their systems.



© 2007 - 2008 - eFluxMedia