10 February 2005
Microsoft graphic security problem - are you patched? Sophos advises customers to patch now
PNG image exploit code targets Windows Media Player and MSN Messenger
Microsoft issued security patches and advice about the problem on 8 February 2005.
Malicious exploit code has been published on the internet, taking advantage of a critical security hole in Microsoft's Windows Media Player and MSN Messenger software. The code exploits a security vulnerability associated with PNG image files, and protection against it only became available in a patch issued by Microsoft on 8 February. Sophos recommends that customers ensure their computers are patched and protected.
The security hole could be exploited by malicious hackers or a future internet worm.
Microsoft first published a technical bulletin about the problem on 8 February 2005, including links to security patches. At the same time they issued advisories about eleven other security problems in their software.
"Microsoft won't be happy that someone has posted information about how to take advantage of their critical security hole within 48 hours of their patch being released, as many computer users are bound to have not yet defended themselves," said Graham Cluley, senior technology consultant for Sophos. "Many businesses find it difficult to keep on top of the Microsoft patching problem as new vulnerabilities are found on a regular basis. The message to all computer users should be clear: This vulnerability is serious. Everyone should ensure their systems are properly protected with the security patch at the earliest opportunity."
Sophos recommends that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.
"Home users should consider checking out the services Microsoft offers at windowsupdate.microsoft.com, which can scan your home PC for security vulnerabilities and suggest which critical patches need to be installed," continued Cluley. "Additionally, if they use MSN Messenger, they should update themselves to the latest version now."
Microsoft has published further information about how home users and businesses should respond to the threat at www.microsoft.com/security/incident/im.mspx.
Sophos continues to recommend computer users practise safe computing as well as running up-to-date anti-virus software.


