Microsoft today plugged 14 vulnerabilities by distributing eight client-side patches, as well as a ninth fix that experts say foreshadows threats posed by virtualization.
Six of the patches fix critical flaws that could be exploited by a malicious website. Among those was bulletin MS07-042, which corrects a vulnerability in the Microsoft XML Core Services (MSXML) component that could lead to remote code execution.
This bug is particularly harmful because XML Core Services is a "core part of the operating system…and an underlying piece to the way a lot of Windows software works," Tom Cross, an X-Force researcher with IBM ISS, told SCMagazine.com today.
The security update – one of the largest of the year – also fixes a similar flaw, this one related to an error in object linking and embedding (OLE), the technology that permits, for example, a user to copy a chart in Excel and paste it into a PowerPoint presentation, Amol Sarwate, manager of the vulnerability labs at Qualys, told SCMagazine.com.
The other critical patches fix vulnerabilities in ActiveX controls and cascading style sheets (CSS) in Internet Explorer (IE); in the graphics device interface (GDI); in Excel and in the vector markup language (VML) implementation.
The GDI bug "does not require any other application like IE or Excel or Media Player" to run, Sarwate said. "It can be exploited easily if someone downloads or views an image file."
Another two "important" bulletins fixed vulnerabilities in Windows Media Player and Windows Gadgets, a new feature that allows Vista users to, for example, display sports scores in a separate bar. In total, six of the patches affected the new operating system version but only the gadget flaw resulted from code written specifically for Vista.
None of the flaws lies in a server-side component, so none of them is "wormable," Eric Schultze, chief security architect at Shavlik Technologies, told SCMagazine.com.
"Now you just have to worry about the masses running their desktops and visiting malicious websites," he said.
Experts agreed the most interesting bulletin was MS07-049, an "important" fix that repaired a vulnerability in Virtual PC and Virtual Server, which could permit privilege escalation from a guest operating system. If successful, attackers can assume control of the host operating system, giving them access to the other virtual machines running on that host, Cross said.
Flaws affecting these types of machines are likely to increase as more companies sign on to virtualization for its cost savings, he said. About 35 percent of U.S. and European firms employ virtualization, he said, citing statistics from Forrester Research.
Click here to email reporter Dan Kaplan.