Microsoft Patches Critical WMP, Windows Flaws
By Matt Hines

The software giant released its monthly security update, offering seven different fixes including an anticipated patch for critical flaws in its Windows Media Player.

Microsoft released fixes for seven vulnerabilities in its Windows products as part of its monthly security update, including an anticipated patch addressing remotely exploitable code execution issues in its Windows Media Player.

As expected, the company released five advisories with "important" severity ratings and two bulletins meant to fix "critical" flaws, the company's highest severity rating, as part of the update.

For WMP, one of the software giant's most widely deployed products, Microsoft said that a critical vulnerability exists in the software's Graphics Rendering Engine that could allow for remote code execution.

The software maker said the WMP issue is related to the manner in which the application handles the processing of bitmap files.

According to the patch update, the security issue identified could allow an attacker to remotely compromise Windows-based systems using WMP and potentially gain control over such machines.


Someone targeting the flaw could exploit the vulnerability by constructing a malicious bitmap file that allows remote code execution if a user visits a malicious Web site or views an e-mail message, Microsoft said.

However, the firm claims that significant user interaction would be required to exploit the vulnerability.

A second, less dangerous WMP issue addressed in the update involves a vulnerability in Windows Media Player plug-ins with non-Microsoft Internet browsers that could also allow for remote code execution.

Microsoft said that issue was related to the manner in which WMP's plug-in handles malformed EMBED elements.

The second critical patch, labeled as a cumulative security update for Microsoft's ubiquitous Internet Explorer Web browser, includes a number of "hotfixes" for the product released since last month's security update.

Microsoft said the vulnerabilities covered by the patch are related to a remote code execution issue in the way Explorer handles WMF (Windows Metafile) images.

Microsoft said an attacker could potentially exploit the flaw by constructing a WMF image that allows remote code execution when an Explorer user visits a malicious Web site, opens or previews an e-mail message, or opens a specially crafted attachment in e-mail meant to target the vulnerability.

Of the less serious flaws covered in the patch update, Microsoft addressed one issue in its popular PowerPoint presentation software that it said could allow for unintended information disclosure by users.

The company said that an attacker who successfully exploited the vulnerability could remotely attempt to access objects in a computer's TIFF (Temporary Internet Files Folder) explicitly by name.


Microsoft said that the PowerPoint vulnerability would not allow an outside attacker to execute code or to elevate their user rights directly on someone else's PC, but the firm said the flaw could yield useful information about the computer that could be used to try to further compromise the affected system.

Other vulnerabilities addressed by the update included a flaw in the company's Windows XP and Windows server software related to its Web Client Service, and another related to those products' TCP/IP settings, both of which could allow for denial-of-service attacks on Web sites.

Another problem tackled in the update is a flaw in Microsoft's Windows or Office products related to the software's Korean Input Method Editor, which could allow for unauthorized elevation of privileges on machines running the software.
