Microsoft's Valentine: Patch Tuesday

By Ed Oswald | Published February 14, 2006, 5:35 PM

It was no love and all business for Microsoft on Tuesday, as the company released seven updates for its products. These included fixes for two critical flaws in Internet Explorer and Windows Media Player, and five important updates addressing issues in Windows and Microsoft Office.

A critical vulnerability that existed in the Graphics Rendering Engine of Internet Explorer was one of those patched. A specially crafted Windows Metafile image could be generated to allow for remote code execution and potentially open the door for an attacker to take complete control of an affected system.

Microsoft said the problem is a separate issue from WMF vulnerabilities previously disclosed by the company, adding that the flaw could only be exploited within Windows 2000 Service Pack 4. It also stressed that a user would need to visit a malicious Web site, open or preview an e-mail message, or open a specially crafted attachment.

The second critical flaw addressed Tuesday deals with the way Windows Media Player processes bitmap files. Attackers could exploit the vulnerability by creating a malicious .bmp file that could then execute code to allow an attacker to take control of the system.

As with the new WMF flaw, significant user interaction is required for the vulnerability to be exploited. However, the scope of this flaw is much wider: it affects Windows Media Player 10 for XP and WMP 9 for Windows 98 and later operating systems.

Also addressed was a less severe flaw in the way the Windows Media Player plug-in is handled by non-Microsoft browsers, which could allow for remote code execution.

"A remote code execution vulnerability exists in the Windows Media Player plug-in for non-Microsoft Internet browsers because of the way the Windows Media Player plug-in handles a malformed EMBED element," the company said in an advisory.

Other "important" flaws patched included two within Windows: one in TCP/IP that could allow for a denial of service attack, and another within the Windows Web Client Service that could allow for remote code execution. Also patched was a flaw in the Korean Input Method Editor that could allow for elevation of privilege, although the attacker would need to log in to the affected system.

Finally, Microsoft addressed an issue within PowerPoint 2000 that could potentially disclose sensitive information about the user.

"An attacker who successfully exploited this vulnerability could remotely attempt to access objects in the Temporary Internet Files Folder (TIFF) explicitly by name," the company said in its advisory.

While this information would not allow for malicious activity, data discovered by the attacker in these files could be used to further compromise an affected system, Microsoft warned.

Comments

For those of you who didn't download the patch manually, Microsoft has fixed the issue and Automatic Updates should work fine again:

http://www.betanews.com/...lation_Snafu/1140024474

Score: 0


I had a black screen after reboot on two boxes, had to use the reset button and boot normal. It worked.

Score: 0


I have deployed on multiple computers with no problems. Running XP with SP2 or something else? Why does it work for some and not others? Anyway no problems here...

Score: 0


Same problem here, thanks!

Score: 0


Oh, yeah thanks. Almost forgot.

Score: 0


Yep.. same here.. cannot install

Score: 0


Same problem on my 3 PCs.

Score: 0


Many people are having this problem. If you download it from here it will work.
http://www.microsoft.com.../bulletin/ms06-007.mspx

Score: 0


Thank you for your suggestion. It worked.

Score: 0


That worked great, thank you!

Score: 0


Ah glad I'm not the only one.

Score: 0


Why can't I install "Security Update for Windows XP (KB913446)" ???

Score: 0


Same here. Keeps failing.

Score: 0
