Tomorrow's critical Windows updates may focus on multimedia exploit

The software most affected by a quartet of updates to be released by Microsoft tomorrow morning is our only clue to a possible remote code vulnerability in multimedia files, one that may never have been reported elsewhere.

By number, four seems like a pretty small quantity for monthly Windows security updates, and that's the number Windows administrators and users will start seeing in their regular updates tomorrow, the second Tuesday of the month.

But the extent of at least two of these updates is curiously far-reaching, impacting not just Windows XP and Vista but also Media Player 11; Internet Explorer 6 (not 7); most important among the Microsoft Office components listed, an older one called Digital Image Suite 2006; and most important among the Visual Studio components listed, two versions of the redistributable Report Viewer package. This suggests a major fix to a possible remote code execution vulnerability involving media files.

Security researchers are noting that the level of stealth surrounding this week's fixes -- including the lack of any descriptive information in the latest bulletins -- resembles the secrecy Microsoft successfully employed during last July's fix to the DNS system, causing them to consider whether this round of fixes is as major. However, it could also be an indication that Microsoft is deciding to share descriptive data with select partners first and with the rest of the public later, in an effort to reduce the number of "zero-day" exploits inspired by advance security bulletins.

The Report Viewer 2005 or 2008 Redistributable Package has not been among the Microsoft software subject to frequent updates over the years. Report Viewer is an ActiveX control that enables reports generated by SQL Server to be distributed to other Windows-based systems where SQL Server may not be installed. It enables the embedding of charts, which aren't exactly movies, though they are one kind of multimedia file that could theoretically be used in a buffer overflow-style exploit. This is perhaps the one element that Report Viewer and Media Player 11 have in common, and the vector for this exploit could be the .NET Framework. That component was also mentioned in Microsoft's list of affected software, though not with any severity ranking; conceivably, it may just be the vehicle for the exploit.

At least somewhat more substantial detail is expected tomorrow morning.


© 1998-2024 BetaNews, Inc. All Rights Reserved.