Jan. 2007 Security Updates

Four patches-three critical and one important-addressing multiple vulnerabilities were distributed on the Jan. 2007 “Patch Tuesday.” The patches repair vulnerabilities in Windows, Internet Explorer (IE), and Office, but some publicly circulating exploits for Office remain unrepaired.

Critical Patches

An unchecked buffer in the Windows and IE implementations of Vector Markup Language (VML) creates a critical vulnerability. VML is an XML-based editing and delivery format for high-quality vector graphics on the Web and is generated by some Web-based applications.

In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability, but the attacker would have to convince a user to visit the site-for example, by getting the user to click on a link in an e-mail or instant messenger message, or including VML information in HTML-formatted message. An exploit of this buffer overflow could allow the attacker to take complete control of the system. The VML patch for Windows closes this vulnerability.