Feb. 2006 Security Updates

Two new critical and five new important patches were released on the Feb. 2006 “Patch Tuesday.” Among the more noteworthy patches are one for a second Windows Metafile (WMF) vulnerability and a patch for a Windows Media Player plug-in that is used by non-Microsoft software. Microsoft also updated its Malicious Software Removal Tool and advised customers that later this year Windows 98 and Windows XP SP1 will no longer qualify for public security updates.

Critical Patches

The first critical patch for Feb. 2006 involves the way in which Internet Explorer (IE) handles WMF images, but it is separate from the WMF vulnerabilities addressed in the previously issued MS05-053 and MS06-001 bulletins. When IE 5.01 SP4 on Windows 2000 SP4 displays a Web page that contains a specially crafted WMF image, system memory may be corrupted in such a way that an attacker could take complete control of the affected system.

The other critical patch fixes a buffer overflow in the Windows Media Player, a feature of the Windows OS that plays audio and video. The affected Windows Media Player code processes bitmap files and, if exploited, could allow an attacker to take complete control of the affected system.