Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

Microsoft's Valentine: Patch Tuesday

By Ed Oswald, BetaNews

February 14, 2006, 5:35 PM

It was no love and all business for Microsoft on Tuesday, as the company released seven updates for its products. These included fixes for two critical flaws in Internet Explorer and Windows Media Player, and five important updates addressing issues in Windows and Microsoft Office.

A critical vulnerability that existed in the Graphics Rendering Engine of Internet Explorer was one of those patched. A specially crafted Windows Metafile image could be generated to allow for remote code execution and potentially open the door for an attacker to take complete control of an affected system.

Microsoft said the problem is a separate issue from WMF vulnerabilities previously disclosed by the company, adding that the flaw could only be exploited within Windows 2000 Service Pack 4. It also stressed that a user would need to visit a malicious Web site, open or preview an e-mail message, or open a specially crafted attachment.

The second critical flaw addressed Tuesday deals with the way Windows Media Player processes bitmap files. Attackers could exploit the vulnerability by creating a malicious .bmp file that could then execute code to allow an attacker to take control of the system.

However, as with the new WMF flaw, significant user interaction is required in order for the vulnerability to be exploited. However, the scope of this flaw is much wider, and affects Windows Media Player 10 for XP and WMP 9 for Windows 98 and later operating systems.

Also addressed was a less severe flaw in the way the Windows Media Player plug-in is handled by non-Microsoft browsers, which could allow for remote code execution.

"A remote code execution vulnerability exists in the Windows Media Player plug-in for non-Microsoft Internet browsers because of the way the Windows Media Player plug-in handles a malformed EMBED element," the company said in an advisory.

Other "important" flaws patched involved two within Windows, one in TCP/IP that could allow for a denial of service attack, another within the Windows Web Client Service that could allow for remote code execution, and also a flaw in the Korean Input Method Editor that could allow for elevation of privilege, however the attacker would need to log in to the affected system.

Finally, Microsoft addressed an issue within PowerPoint 2000 that could potentially disclose sensitive information about the user.

"An attacker who successfully exploited this vulnerability could remotely attempt to access objects in the Temporary Internet Files Folder (TIFF) explicitly by name," the company said in its advisory.

While this information would not allow for malicious activity, data discovered by the attacker in these files could be use to further compromise an affected system, Microsoft warned.

Add a Comment (15 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By johnusa@email.com

edited Feb 14, 2006 - 6:15 PM

All of today's updates went well, except KB913446, I tried it several times and the update always "Failed". Cannot find the reason why it failed. Any help is appreciated.

Score: 0

By nate

posted Feb 15, 2006 - 12:37 PM

For those of you who didn't download the patch manually, Microsoft has fixed the issue and Automatic Updates should work fine again:

http://www.betanews.com/...lation_Snafu/1140024474

Score: 0

By gawd21

posted Feb 15, 2006 - 12:00 PM

I had a black screen after reboot on two boxes, had to use the reset button and boot normal. It worked.

Score: 0

By bourgeoisdude

posted Feb 15, 2006 - 10:04 AM

I have deployed on multiple computers with no problems. Running XP with SP2 or something else? Why does it work for some and not others? Anyway no problems here...

Score: 0

By The MAZZTer

posted Feb 14, 2006 - 8:45 PM

Same problem here, thanks!

Score: 0

By mjm01010101

posted Feb 14, 2006 - 8:18 PM

http://blogs.technet.com.../2006/02/14/419572.aspx

Score: 0

By irdepesca572

posted Feb 14, 2006 - 6:20 PM

Oh, yeah thanks. Almost forgot.

Score: 0

By eddie

posted Feb 14, 2006 - 6:18 PM

Yep.. same here.. cannot install

Score: 0

By wat0114

posted Feb 14, 2006 - 6:08 PM

Same problem on my 3 pc's.

Score: 0

By kjnangre

posted Feb 14, 2006 - 6:02 PM

Many people are having this problem. If you download it from here it will work.
http://www.microsoft.com.../bulletin/ms06-007.mspx

Score: 0

By wat0114

posted Feb 14, 2006 - 10:25 PM

That worked great, thank you!

Score: 0

By JohnOhan

edited Feb 14, 2006 - 6:23 PM

Thank you for your suggestion. It worked.

Score: 0

By JonathanDoe

posted Feb 14, 2006 - 6:01 PM

Ah glad I'm not the only one.

Score: 0

By Project51

posted Feb 14, 2006 - 5:49 PM

Why can't I install "Security Update for Windows XP (KB913446)" ???

Score: 0

By TomeOne

posted Feb 14, 2006 - 5:59 PM

Same here. Keeps failing.

Score: 0

Jul 3 - 6:45 PM ET Netflix box by Roku to get more content providers

Jul 3 - 6:30 PM ET US Justice Dept. sued for info on cellular tracking practices

Jul 3 - 6:27 PM ET Next Patch Tuesday has few security updates, big Vista reliability fix

Jul 3 - 5:49 PM ET BlackBerry Pearl users can test voice input for Google Maps

Jul 3 - 5:30 PM ET Adobe pushes its Flash 10 beta 2 refresh

Jul 3 - 4:39 PM ET Nokia and InterDigital start to disassemble their running feud

Jul 3 - 4:34 PM ET Do-it-yourself phone manufacturer declares its independence tomorrow

Jul 3 - 4:16 PM ET Study: US broadband access up overall, but down among the poor

Jul 3 - 3:54 PM ET Beta test a portable Web browsing device

Jul 3 - 3:20 PM ET Nvidia: 'Previous generation' GPUs failing at high rates