Microsoft has patched seven vulnerabilities in Windows, including one marked "critical" that could be triggered by attackers simply by getting users to view a malicious image or visit a malicious site.
Of the three security updates the most serious, and the one to patch first, is MS09-006, researchers said today. That update, which contains three separate vulnerabilities, contains the month's single critical bug.
"It's in all versions of Windows, it's deep in the kernel and in GDI," said Wolfgang Kandek, chief technology officer at security company Qualys. "And you could get exploited in many ways. I could send you an email or I could get you to go to a malicious website."
"MS09-006, that's just pretty evil," said Eric Schultze, chief technology officer at Shavlik Technologies. "View something evil and you're hacked."
According to Microsoft, the critical vulnerability is due to "improper validation of input passed from user mode through the kernel component of GDI." The Graphics Device Interface (GDI) is the core graphics rendering component of Windows. Because the flaw is in the kernel, a successful exploit would leave the attacker with complete control of the machine.
"With the history of GDI, people will really be looking at this," predicted Andrew Storms, director of security operations at nCircle Network Security Microsoft fixed GDI three times last year, most recently in December 2008, and the Windows kernel twice. "It's like rewind, repeat," Storms said.
Attackers would use malformed WMF (Windows Metafile) or EMF (Enhanced Metafile) images to exploit the bug, Microsoft said, feeding them to users via email or hosting them on websites. Opening or viewing the images would trigger the vulnerability.
"I liked how Microsoft acknowledged that attackers could exploit this by getting users to view an email or visit a website or open a document with an evil image," said Schultze.
But because Microsoft rated the vulnerability as "3" in its Exploitability Index, indicating that it doesn't believe functional attack code is likely in the next 30 days, Storms said he was confused. "Now I'm unsure. It's obviously the riskiest vulnerability, but with the exploitability index at 3, should I really worry about it or not?"
Storms answered his own question. "I have to take the safe side, and consider it a major bug and put it at the top of the list," he said.
The other update that Kandek, Schultze and Storms agreed needed immediate attention was MS09-008, which contained four separate flaws in Windows' DNS and WNS servers. All four were pegged as "important," the second-highest ranking in Microsoft's four-step scoring system. All currently supported server editions of Windows should be patched, including Windows 2000 Server, Server 2003 and Server 2008.