The typical security vulnerability and patching story paints security researchers as the good guys in the white hats, with the straight-shooting style and the soda pop. But on this particular Patch Tuesday (a lighter one than most), Microsoft is crediting not some white-hat researcher but a really good guy -- a fellow who's the author of a simple Sidebar gadget that displays the contents of your clipboard -- as having done the right thing and notified Microsoft of a critical hole.
German developer Helmut Buhler, whose other claim to fame is a portable wrapper function that makes dialog boxes in Windows 95 and XP look like those in Vista, was credited by Microsoft today for discovering one of the critical vulnerabilities being addressed by the March edition of its Patch Tuesday bug fixes.
It's a serious hole that has resided deep in the kernel of the operating system ever since Windows 2000 Service Pack 4, so it may be a miracle that it hasn't been found up to now. In a rerun of a problem that now rears its ugly head almost semi-annually, the Graphics Device Interface (the old system for projecting 2D graphics in Windows, outmoded now by Windows Presentation Foundation) can be leveraged for passing what's supposed to be a kernel mode API function in user mode. That leads to the possibility that any code in memory could be executed without proper authentication, and in this case once again, a malformed Windows Metafile (WMF) graphic could place that code in memory.
Very little Windows software even uses WMF any more, so on the surface, this might seem like a very limited problem. However, quite a bit of Windows' functionality currently sits there under-utilized, though without being decommissioned; for the sake of backwards compatibility, it must remain. Thus it's conceivable that a malicious program could be the one to make use of functionality that doesn't really have a purpose anymore in modern Windows; so just because WMF is a relic of the early 1990s doesn't mean it can't leave an exploitable hole for everyone.
In addition to Windows 2000 SP4, this vulnerability can be found in all editions of Windows XP up to Service Pack 3; Windows Server 2003 for x86, x64, and Itanium systems; Windows Vista up to SP1; and Windows Server 2008 for x86, x64.
MS09-006 - Vulnerabilities in Windows Kernel Could Allow Remote Code Execution
MS09-007 - Vulnerability in SChannel Could Allow Spoofing
MS09-008 - Vulnerabilities in DNS and WINS Server Could Allow Spoofing