Three security flaws covered by Microsoft
This month’s crop of vulnerabilities in Microsoft’s security update includes three ‘critical’ issues. The announcement includes the .wmf vulnerability, which came to light over the holiday period.
The .wmf flaw came to light when the problem – and accompanying source code – began to appear just after Christmas. Initially, Microsoft planned to release the patch alongside the regular update on the first Tuesday of January. However, the furore caused by Microsoft’s apparent complacency led many IT managers to use an unofficial patch. Sensing a PR disaster if an exploit became widespread, Redmond eventually announced it had completed testing ‘ahead of schedule’ and released the code.
Elsewhere, Microsoft is providing patches for two other vulnerabilities.
The first relates to the behaviour of embedded web fonts in Microsoft Windows. According to Microsoft, a remote code execution vulnerability exists in Windows due to the way that it manages malformed embedded Web fonts. Because of this weakness, an attacker could exploit the vulnerability by constructing a malicious embedded Web font that would allow remote code execution.
To trigger an attack, a user would either have to visit a malicious Web site or open a specially crafted e-mail message. Anyone who successfully exploited this vulnerability could take complete control of an affected system.
The other issue is with Outlook and Exchange. Microsoft says the problem lies in the way Microsoft Outlook and Microsoft Exchange Server decode the Transport Neutral Encapsulation Format (TNEF) MIME attachment.
Once again, a specially built TNEF message could allow a hacker to take control of a machine when a user opens or previews a malicious e-mail message or when the Microsoft Exchange Server Information Store processes the message.
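As an added example (not from the article or from Microsoft), the Python function below walks a MIME message and flags parts that look like TNEF by content type, by the conventional `winmail.dat` filename, or by the TNEF stream signature, so a mail administrator can locate such attachments before they reach an unpatched client. The sample message, filenames and payload bytes are constructed for illustration.

```python
import struct
from email import message_from_bytes
from email.message import EmailMessage

TNEF_SIGNATURE = 0x223E9F78  # first four bytes of a TNEF stream, little-endian
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}


def find_tnef_parts(raw_message: bytes):
    """Return (filename, content_type, reasons) for every part that looks like TNEF."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ctype in TNEF_TYPES:
            reasons.append("content-type")
        if name.lower() == "winmail.dat":
            reasons.append("filename")
        # Check the bytes too: a sender can label TNEF data with any MIME type.
        if len(payload) >= 4 and struct.unpack("<I", payload[:4])[0] == TNEF_SIGNATURE:
            reasons.append("signature")
        if reasons:
            hits.append((name, ctype, "+".join(reasons)))
    return hits


def build_sample() -> bytes:
    """Constructed test message: one labelled TNEF part, one mislabelled, one benign body."""
    fake_tnef = struct.pack("<I", TNEF_SIGNATURE) + b"constructed placeholder, not real TNEF"
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body.")
    msg.add_attachment(fake_tnef, maintype="application", subtype="ms-tnef",
                       filename="winmail.dat")
    msg.add_attachment(fake_tnef, maintype="application", subtype="octet-stream",
                       filename="notes.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_tnef_parts(build_sample()):
        print(hit)
```

The signature check matters because the content type and filename are chosen by the sender; only the payload bytes show what a decoder would actually be handed.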
Subscribers to Microsoft’s Update services should receive the patches automatically. Further details are available at the Microsoft TechNet Security pages.