Establishing Digital Trust: Don't Sacrifice Security for Convenience
In the first month following the release of Windows Vista Service Pack 1 and Windows Server 2008, Microsoft is already serving up a number of fixes for both operating systems, as it has issued eight security bulletins covering a total of 10 vulnerabilities.
Five of the eight are labeled Critical, the highest severity rating, while three are labeled Important, the next level of severity. Two patches affect Office, four affect Windows across all versions, and the final two relate to Internet Explorer.
One of the more significant fixes, as noted by security firm McAfee, is MS08-021, which fixes two vulnerabilities in Windows that would allow an attacker to take control of a PC through specially crafted Windows metafiles, using the WMF or EMF formats.
McAfee noted that similar vulnerabilities were exploited in cyber attacks two years ago, forcing Microsoft at the time to rush out a fix (MS06-001) outside of its monthly patch cycle.
There were also three Internet-oriented fixes, two Critical and one Important. MS08-023 addresses a vulnerability in an ActiveX control, which could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.
MS08-024 resolves a vulnerability in Internet Explorer itself, which could likewise allow remote code execution if a user viewed a specially crafted Web page.
Finally, MS08-020 fixes a vulnerability in Windows that could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations.
"Today's Microsoft patches underline the risk of surfing the Web unprotected," said Dave Marcus, security research and communications manager at McAfee Avert Labs, in an e-mailed statement. "Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply visits a malicious Web site, a favorite attack method among cybercriminals."