Patches available

Sep 10, 2008 11:07 GMT

Updates designed to plug six security holes labeled with the maximum severity rating of Critical for Windows Vista Service Pack 1 and Windows XP Service Pack 3 have been made available for download as of September 9, 2008. Microsoft has issued a total of four security bulletins, all rated Critical, patching eight vulnerabilities across a variety of software products including the Windows client and server operating systems, the Office System, SQL, Visual Studio, and Forefront Client Security 1.0.

Counting the vulnerabilities that directly impact Vista SP1 and XP SP3, along with the flaws affecting default components, the two clients share no fewer than six security holes, four of which reside in Microsoft Windows GDI+ (graphics device interface).

“These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft said.

According to the Redmond giant, both Vista SP1 and XP SP3 are affected by the GDI+ VML Buffer Overrun, GDI+ EMF Memory Corruption, GDI+ GIF Parsing, and GDI+ WMF Buffer Overrun vulnerabilities. The software company made it clear that the vulnerabilities were privately reported, and that it is not aware of exploits, proof-of-concept code or attacks in the wild.

Microsoft Security Bulletin MS08-052 “is rated Critical for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, Microsoft Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4, Microsoft Digital Image Suite 2006, SQL Server 2000 Reporting Services Service Pack 2, all supported editions of SQL Server 2005, Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package, and Microsoft Report Viewer 2008 Redistributable Package,” the software giant stated.

MS08-053, rated Critical, is designed to patch a vulnerability in Windows Media Encoder 9 that puts both Vista SP1 and XP SP3 users at risk. In addition, MS08-054, also rated Critical, resolves a vulnerability in Windows Media Player 11 that likewise affects both operating systems.

A Release Manager for the Microsoft Security Response Center revealed that “The September 2008 release contains 4 new bulletins, all with maximum severities of 'Critical':

- MS08-052 - Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
- MS08-053 - Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)
- MS08-054 - Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)
- MS08-055 - Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047).”