Microsoft issues patch for WMF vulnerability

The "critical" fix is part of seven security bulletins in the software maker's monthly update.

Greg Sandoval Former Staff writer
Greg Sandoval covers media and digital entertainment for CNET News. Based in New York, Sandoval is a former reporter for The Washington Post and the Los Angeles Times. E-mail Greg, or follow him on Twitter at @sandoCNET.
Greg Sandoval
2 min read
Microsoft released seven security bulletins as part of its monthly update on Tuesday, including a "critical" patch for a Windows Meta File vulnerability in Internet Explorer.

The Redmond, Wash.-based software maker also rated another patch for a vulnerability in Windows Media Player 7.1 as "critical." The five other bulletins were rated "important."

The update for Internet Explorer follows a security advisory the company issued last week after the WMF flaw was discovered. The flaw exists only in IE 5.01 with Service Pack 4 on Windows 2000 and IE 5.5 with Service Pack 2 on Windows ME, Microsoft said in the security advisory.

Exploiting the vulnerability means that someone could seize control of an affected system. Microsoft also recommended last week that users upgrade to IE6 with Service Pack 1.

Microsoft also patched Windows Media Player 7.1, on Windows 98/98SE/ME/2000, Windows Media Player 8 on Windows XP (up to and including SP1), Windows Media player 9 on Windows 2000/XP SP2/Server 2003, Windows Media Player 10 on 98/98SE/ME/XP (up to and including SP2).

The vulnerability in Windows Media Player has the potential to allow someone remotely take control of a system via a malicious images embedded in the customized versions of Windows Media Player.

"It could be exploited through Microsoft Internet Explorer because users often get media that is hosted on the Web," Microsoft said in a statement. "Microsoft Internet Explorer typically starts the media player automatically to open the media file which could allow attackers to host the malicious (customized file) on a Web page as a method of attack."

Microsoft rates as "critical" any security threat that could allow a malicious Internet worm to spread without any action required on the part of the user.