While security experts are now minimizing the impact of a WMF vulnerability (especially now that it's been patched since last Thursday), Microsoft issued a similar warning as part of its monthly security patches released today, only this time about Web fonts.
One of today's security bulletins, rated critical (MS06-002), is similar to last Thursday's WMF warnings because the vulnerability affects all users of Internet Explorer surfing the Web.
"This is much like WMF," said Johannes Ullrich, Chief Research Officer for SAN. Ullrich recommends users install the patch without delay.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=iThe patch is similar to the WMF vulnerability that Microsoft updated outside of its regular patching cycle last week. In the latest patch, an embedded fonts threat requires a user be enticed to visit a Web site, according to Alain Sergile, Technical Product Manager of Internet Security Systems X Force research.
Athough embedded Web fonts present a vulnerability easier to exploit, The other bulletin (MS06002), addresses a vulnerability in Microsoft Office and Microsoft Exchange with much wider possible impact. This, too, was rated critical as part of Microsoft's monthly security bulletin notices, otherwise known as Patch Tuesday.
The patch in this bulletin is because vulnerabilities in Microsoft Office and Microsoft Exchange could, if exploited, allow attackers to take control of a PC with or without user participation, according to Microsoft.
The security concern centers on Microsofts use of proprietary e-mail code. The vulnerability is made even more important since Microsoft Exchange Server 5.0 Service Pack 2 and Microsoft Exchange Server 5.5 Service Pack 4 are targeted, according to Ullrich. Microsoft Exchange Server 2003 is not affected, according to Redmond.
Microsoft initially planned on Tuesday to release a patch for the WMF vulnerabilities discovered in December. However, pressure from companies and security experts prompted the patch to appear last week. While the WMF bug yesterday was described as potentially enabling malicious instructions, researchers scaled back their concerns and alerts.