Microsoft Patches Bevy of GDI Flaws -- Redmond Channel Partner

Microsoft Patches Bevy of GDI Flaws

By Stephen Swoyer
April 03, 2007

As promised, Microsoft Corp. today released an out-of-band update to correct a bevy of flaws in its Windows GDI implementation.

At least one of these flaws, which collectively affect all supported versions of Windows -- including Windows Vista -- has already been linked to a known zero day attack exploit. Microsoft last week confirmed that an attacker who successfully exploits a flaw in its Windows Animated Cursor Handling implementation can take complete control of a compromised Windows system.

Today's update patches this flaw and six others.

The complete tally includes:

a GDI Local elevation of privilege vulnerability that affects both Windows XP (all flavors) and Windows 2000 (all flavors)
a WMF Denial-of-Service (DoS) vulnerability that affects all flavors of Windows with the exception of Vista
an EMF elevation of privilege vulnerability that affects all versions of Windows
a GDI Invalid Window Size elevation of privilege vulnerability that affects Windows XP (all flavors) and Windows 2000 (all flavors)
a GDI Incorrect Parameter elevation of privilege vulnerability that affects all versions of Windows
and a Font Rastizer vulnerability, which affects only Windows 2000.

The Windows Animated Cursor Handling vulnerability is the only known flaw for which exploit code -- and actual zero day attacks -- have been substantiated. Microsoft originally planned to patch these flaws during its scheduled April 10 update (part of its monthly Patch Tuesday update proces), but instead decided to release an out-of-band update, officials confirm.

"We have been monitoring the situation throughout and our indications, and those of our MSRA partners, show there is a threat for attacks against this vulnerability to increase, although we haven't seen anything widespread," wrote Christopher Budd on Microsoft's Security Response Center (MSRC) blog. "Based on customer feedback and our teams' ability to complete testing in an expedited manner by working around the clock, we've gone ahead and released this update early to help better protect customers from this threat."

Customers typically like to take their time before rolling out operating system updates on production systems but, in this case, Budd urges admins to expedite this process. "We are encouraging customers to test and deploy this update as quickly as possible as well as ensure that you have the latest signatures and updates for your security products such as anti-virus," he indicated.

Budd recommends that users also check Microsoft's Master Knowledge Base article to determine which potential conflicts-- if any -- could crop up once they deploy the update. He noted that there's at least one known issue which affects Windows XP SP2 users of Realtek's HD Audio Control Panel, for which there is a hotfix available.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Free Webcast! Learn about Password Management Best Practices

Featured

Nutanix Partner Central Rolls Out To Boost Channel Engagement

Nutanix on Wednesday launched a new platform, Partner Central, to give its channel partners a unified digital workspace for managing sales, tracking incentives and collaborating more effectively.
Veeam Releases Data Cloud for MSPs, Targets SaaS Protection at Scale

Veeam is expanding its footprint in the managed services arena with the global launch of Veeam Data Cloud for Managed Service Providers (MSPs).
The Era of Windows 10 (and Some Office and Skype Editions) Officially Comes to an End

Microsoft has formally withdrawn support for Windows 10 as of Oct. 14, 2025, bringing the curtain down on one of its most widely adopted operating systems.
Microsoft Builds AI Agent To Help Its Own Employees Navigate Licensing

Microsoft has rolled out an internal AI agent dubbed "Licensing Navigator" to help its own users answer complex licensing questions, promising to improve response times by nearly 90 percent.

RCP Update

Email Address*Country*

Please type the letters/numbers you see above.

Microsoft Patches Bevy of GDI Flaws

Featured

Nutanix Partner Central Rolls Out To Boost Channel Engagement

Veeam Releases Data Cloud for MSPs, Targets SaaS Protection at Scale

The Era of Windows 10 (and Some Office and Skype Editions) Officially Comes to an End

Microsoft Builds AI Agent To Help Its Own Employees Navigate Licensing

Nutanix Partner Central Rolls Out To Boost Channel Engagement

Microsoft To Standardize Online Services Pricing for Volume Licensing

Microsoft Appoints Althoff as New CEO for Commercial Business

MIT Finds Only 1 in 20 AI Investments Translate into ROI

Dynamics 365, Power Platform and Copilot Getting AI Boosts in Wave 2 Update

Nutanix Partner Central Rolls Out To Boost Channel Engagement

Microsoft To Standardize Online Services Pricing for Volume Licensing

Microsoft Appoints Althoff as New CEO for Commercial Business

MIT Finds Only 1 in 20 AI Investments Translate into ROI

Dynamics 365, Power Platform and Copilot Getting AI Boosts in Wave 2 Update

Partner Guides

Partner's Guide to the Windows Server 2008 Deadline

Partner's Guide to Office 365 Security Costs

Partner's Guide to UCaaS

Partner's Guide to Starter Workloads in Azure

Partner's Guide to Microsoft's Fiscal Year 2019

FREE WEBCASTS FROM OUR SPONSORS

Veeam Data Cloud for Microsoft 365

Coffee Talk | MSP Security Playbook: Threat Detection, Response and Beyond

Coffee Talk | Next-Gen Threat Management: A Unified Approach for MSPs

Veeam Simplified: The Easy Button for MSPs Protecting Microsoft 365

FREE WHITE PAPERS FROM OUR SPONSORS

The Easy Button eBook: Simplicity of SaaS-Based Backup for Microsoft 365

H1 2025 Threat Landscape Report

The Real Gap in Traditional EDR Security

3 Signs It's Time to Consolidate Your Stack