13 Dec 2006
Microsoft has repaired 11 security holes in its software, spread out over 7 security bulletins as part of the company's monthly security update cycle.
Three of the bulletins were rated "critical" and the remaining four received a security rating of "important".
While none of the three critical fixes directly affected the Windows operating system itself, two of them affected applications commonly accessed by both home and business users.
A fix for a critical vulnerability in the Windows Media file format was added "at the last minute", according to a company spokesperson. The vulnerability could allow an attacker to embed a malicious .asf or .asx file inside a web page or email that would allow the attacker to take control of a system and remotely execute malware.
A fix for critical vulnerabilities in Internet Explorer was also included in the update. The script handling vulnerabilities affect IE6 for Windows Server 2003 and Windows XP. If exploited, the vulnerabilities could allow attackers to remotely execute code.
Security vendor Symantec labeled the Internet Explorer vulnerability as the most critical and warned that the Windows Media Player flaw too should be patched as soon as possible.
"Symantec’s Internet Security Threat Report indicates that due to the integration of various content-handling applications, such as media players, browsers are a viable attack vector for many client-side vulnerabilities," said Oliver Friedrichs, director for Symantec Security Response.
"Today’s release from Microsoft reconfirms that client-side vulnerabilities are one of the most efficient and well known methods by which computers can become infected, therefore users are urged to install patches as soon as possible."
The third critical fix affected Visual Studio, Microsoft's software development product. That vulnerability could allow users to take control of a system through Visual Studio's WMI Object Broker ActiveX component.
The update also included four less serious patches, all listed as "important", three of which addressed vulnerabilities in Windows.
Vulnerabilities in the Simple Network Management Protocol and Remote Installation Service software components could allow for remote execution of malware by an attacker. Microsoft said, however, that neither component is installed by default on any recent version of Windows and most users will be unaffected.
The third Windows security fix involves a vulnerability in the way Windows handles corrupted file manifests from applications. The company said that if exploited, the vulnerability could allow for users to elevate their privileges.
The fourth "important" fix was a cumulative security patch for Outlook Express. Microsoft patched a vulnerability in the e-mail app's address book that could allow an attacker to take control of a system and remotely execute code.
As was earlier reported, Microsoft did not issue a patch for either of the vulnerabilities in Word that are currently being exploited. A company spokesperson told vnunet.com last week that Microsoft was investigating and that an out-of-cycle patch release would be made if necessary.