It's been almost 6 months since we've seen a Microsoft monthly security update with several new fixes. This month, the company shipped seven security fixes, two of which are labeled as critical. Every time Microsoft issues patches, hackers review the flaws to see which they can exploit. Security researchers were quick to issue warnings that some of the flaws Microsoft has fixed are incredibly easy to exploit. The point is clear: Users who don't update their machines with the fixes soon could be in trouble.
The most serious flaw, perhaps, is in Windows Media Player (WMP) 10 for Windows XP. Hackers who successfully exploit this flaw can remotely control the affected PC. Security researchers are most worried about this flaw because it's easy to exploit and few users would expect an attack to come from within WMP. The other critical flaw, in the Microsoft Internet Explorer (IE) image-rendering engine, has similar properties, in that it allows remote code execution. The patch is an updated version of the patch for the Windows Metafile Format (WMF) flaw that Microsoft issued last month.
The other five fixes are all rated important. These flaws involve various components of Windows, including the WMP plug-in for non-Microsoft browsers, TCP/IP, the Web Client Service, the Input Method Editor, and Microsoft Office PowerPoint 2000.
In related news, Microsoft has elected not to fix a new zero-day vulnerability in IE 5.0 and later until it ships XP Service Pack 3 (SP3) in late 2007. According to the company, the flaw, which was actually discovered last summer, requires users to follow an exact series of steps for a successful exploit to occur. For this reason, Microsoft doesn't feel the flaw warrants an immediate fix. It's unclear why the company can't simply fix this flaw in a future monthly security release. After all, Microsoft has scheduled at least 18 of them before XP SP3 ships.