Microsoft patched seven vulnerabilities in Windows, including one marked 'critical', in its Patch Tuesday updates for March, released yesterday.

Of the three security updates the most serious, and the one to patch first, is MS09-006, researchers said. That update, which contains three separate vulnerabilities, contains the month's single critical bug.

"It's in all versions of Windows, it's deep in the kernel and in GDI," said Wolfgang Kandek, chief technology officer at security company Qualys. "And you could get exploited in many ways. I could send you an email or I could get you to go to a malicious website."

"MS09-006, that's just pretty evil," said Eric Schultze, chief technology officer at Shavlik Technologies. "View something evil and you're hacked."

According to Microsoft, the critical vulnerability is due to "improper validation of input passed from user mode through the kernel component of GDI". The Graphics Device Interface (GDI) is the core graphics rendering component of Windows. Because the flaw is in the kernel, a successful exploit would leave the attacker with complete control of the machine.

"With the history of GDI, people will really be looking at this," predicted Andrew Storms, director of security operations at nCircle Network Security. Microsoft fixed GDI three times last year, most recently in December 2008, and the Windows kernel twice. "It's like rewind, repeat," Storms said.

Attackers would use malformed WMF (Windows Metafile) or EMF (Enhanced Metafile) images to exploit the bug, Microsoft said, feeding them to users via email or hosting them on websites. Opening or viewing the images would trigger the vulnerability.

"I liked how Microsoft acknowledged that attackers could exploit this by getting users to view an email or visit a website or open a document with an evil image," said Schultze.

But because Microsoft rated the vulnerability as '3' in its Exploitability Index, indicating that it doesn't believe functional attack code is likely in the next 30 days, Storms said he was confused. "Now I'm unsure. It's obviously the riskiest vulnerability, but with the exploitability index at 3, should I really worry about it or not?"

Storms answered his own question. "I have to take the safe side, and consider it a major bug and put it at the top of the list," he said.

The other update that Kandek, Schultze and Storms agreed needed immediate attention was MS09-008, which contained four separate flaws in Windows' DNS and WNS servers. All four were labelled 'important', the second-highest ranking in Microsoft's four-step scoring system. All currently supported server editions of Windows should be patched, including Windows 2000 Server, Server 2003 and Server 2008.

"These vulnerabilities could allow a remote attacker to redirect network traffic intended for systems on the internet to the attacker's own systems," said Microsoft. Such attacks are often referred to as "cache poisoning" attacks because they replace the legitimate addresses in a DNS server's cache with bogus destinations. DNS cache poisoning vulnerabilities gained attention last July when researcher Dan Kaminsky discovered a major flaw in the underlying DNS protocol, and organised an industry-wide patching effort to plug the hole.

"These seem to be separate from [Kaminsky's vulnerability]," said Kandek, and Schultze concurred. Storms, however, wasn't as sure.

"It sounds a lot like what we saw last summer," he countered.

But while Microsoft tagged the update as important, Schultze argued that it should be considered critical. "Microsoft seems to think that there not much likelihood of someone pulling off an exploit of this," he said, "but there was already code released for 08-037, another DNS vulnerability last year, and Microsoft rated that important, too. To me, that makes me rate this one kind of critical."

Microsoft's third update, MS09-007, fixes a flaw in the Secure Channel (SChannel) security package within Windows, and if exploited, could let attackers impersonate an authorised user. Kandek, Sarwate and Storms all argued that the SChannel vulnerability was the one that could wait to be patched.

"I don't think it's a very big deal," said Kandek.

Missing from this month's updates, however, was a fix for a vulnerability in Excel that Microsoft revealed two weeks ago, and has admitted is already being used by attackers. According to researchers at Symantec, the vulnerability is a file format bug in all supported versions, including the latest - Excel 2007 on Windows and Excel 2008 for the Mac.

Researchers today were split on whether it was reasonable to expect Microsoft to hustle up an Excel patch that quickly. "I expected one, given the high visibility of Excel, and the number of Excel users," said Amol Sarwate, manager of Qualys's vulnerability lab.

"We should have expected a patch," said Schultze. "And that we didn't get on, that sucks."

"No, I'm not surprised at all that it wasn't ready," said Storms. "But I wouldn't be surprised if we saw a patch in the next couple of weeks if things heat up."

March's three security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Computerworld US