Microsoft has a big patch day, warns of next security hole

Posted by Rick C. Hodgin

Redmond (WA) - Yesterday, Microsoft rolled out its largest number of patches issued at one time in five years. The patches affect software in every operating system since and including Windows 2000. In addition to the new patches, Microsoft also warned of a critical WordPad bug that has not yet been patched and leaves a gaping security hole so that a hacker could gain access and run remote software from email.

When WordPad loads Microsoft Word 97 documents, it converts the .DOC file internally to WordPad's format. An error in the conversion system could allow a remote hacker to gain the same system level access as the current user (which, if running as Administrator means full system access), and then to execute remote code which could completely compromise the machine.

Microsoft notes that by default Word 97 .DOC files will open with Microsoft Word - which does not carry the bug. However, if a .DOC file was renamed as a .WRI file, then WordPad could be the default program used to open an infected file from inside an email program, for example.

Microsoft considers this a critical bug and system administrators are advised to block .WRI files in email attachments. Users should also make sure they know who sent them the .DOC or .WRI file if WordPad will be used to open it.

Major patch

The second Tuesday of each month is Microsoft's normal patch release day. This December 9 was a big day as Microsoft released six critical patches which fixed errors in the GDI (the main Windows graphics engine responsible for drawing all windows, fonts, images, mouse pointers, everything), Windows Explorer, Visual Basic 6.0, Word and Excel. Most of those patches require a system restart.

Two additional "Important" patches were also issued for SharePoint Server and Windows Media components. These may require a restart. And Microsoft also included several other regular updates for a wide range of their software, including developer tools. 

Microsoft uses an Exploitability Index Assessment gauge to determine the likelihood of the bug being exploited by hackers. Microsoft cited 28 internal instance patches (specific parts of the program which contained the exploits) which were corrected by the six critical and two important updates listed above.

Of the 28 internal patch instances, 13 were rated "#1 - consistent exploit code likely," 13 were rated as "#2 - inconsistent exploit code likely," and only two were rated as "#3 - functioning exploit code unlikely."

Microsoft is planning its December 2008 security bulletin webcast today at 11am PST. Microsoft's regular patch bulletins can be found at Microsoft TechNet.