Home : Strategy : News

Microsoft patches Windows graphics bugs

Critical patches that the software giant warned were affecting its latest Vista and Server 2008 operating systems have been released as part of its 'Patch Tuesday' cycle to address vulnerabilities in Windows' core graphics subsystem.

By Miya Knights, 9 Apr 2008 at 08:34

gallery

Security experts are urging IT administrators to patch systems affected by a two critical vulnerabilities affecting the core graphics subsystem of Windows revealed by Microsoft late yesterday.

Microsoft released the patch, which was of five given its highest, 'critical' rating and eight fixes in total, as part of its monthly, 'Patch Tuesday' security bulletin.

MS08-02 fixes two vulnerabilities in Windows' graphics device interface (GDI), one of three core Windows subsystems, that the software vendor said could allow a hacker to take over someone's computer if a user opens a document or link containing infected common image files, according to Microsoft.

And, as it had warned in its pre-patch security bulletin last week, the GDI flaw occurs in all versions of Windows, from Windows 2000 to the latest Windows Server 2008 release and Vista running its first service pack (SP1) released just over two weeks ago.

Security vendor Symantec blogged that, along with another expected VBScript/JScript patch, the GDI vulnerability could be "the worst of the bunch".

"The components are installed on multiple flavours of Windows and are relatively easy to exploit. Customers are advised to follow security best practices, specifically avoiding websites of unknown and questionable integrity and refusing to accept or open files from unknown sources," the Symantec Security Response weblog

said.

And this is not the first time Microsoft has tried to address this GDI issue after hackers have developed variants to get around two other fixes issued since January 2006.

Out of the five critical patches, two of them address Windows flaws, while two fix bugs in Windows and Internet Explorer (IE). The other fixes a Microsoft Office vulnerability that can be exploited if a user opens Office Project files.

And, as highlighted by Symantec, MS08-022 patches a known vulnerability in Windows VBScript and JScript scripting engines that, like all the critical vulnerabilities, could potentially allow a hacker to gain control of a compromised system.

The last three 'important' patches address Windows kernel usermode callback local privilege escalation and domain name system (DNS) client service response spoofing vulnerabilities, as well as a remote code execution vulnerability in Office business and technical drawing application, Visio.