|Network Security Consulting SecurityFocus Article
Microsoft Plugs Five Holes In Graphics Code
Microsoft released four patches on Tuesday, closing five critical flaws in its widely used graphics device interface (GDI+) library as well as three security holes in its other software products.
The security vulnerabilities in the GDI+ library affect a wide number of applications, because the library itself is a common component of Windows applications. All five vulnerabilities patched by Microsoft's GDI+ update are rated critical for at least one of the company's applications or operating systems, according to Microsoft's security bulletin.
Attackers could create specially-crafted images that would compromise a victim's system through its Web browser, security experts stated.
"If a user visits a page controlled by an attacker or a site that allows users to upload images, such as some of the social media sites, they could fall victim to this attack," Ben Greenbaum, senior research manager, Symantec Security Response, said in a statement sent to SecurityFocus. "Attackers are routinely using vulnerabilities like these to gain control of endpoint systems as part of large scale fraud campaigns. At least one of these vulnerabilities is highly similar to one that we have seen before, so hackers may be able to use old code or at the very least apply knowledge gained from previous attacks as a starting point for creating new malicious code."
The software company also patched critical flaws in Windows Media Player, Windows Media Encoder, and Microsoft's Office productivity suite. Each vulnerability could allow an attacker to remotely execute code on a victim's system.
The software updates, released on Microsoft's regularly scheduled patch day, can be downloaded through Microsoft's Windows Update service.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos