While Microsoft excluded Windows 7 from the security patching ceremony in January and in February, things went a little differently on this month's Patch Tuesday. Microsoft fixed three vulnerabilities yesterday: two were spoofing-related and were marked Important, while the other was marked Critical as it had a Remote Code Execution impact. According to the security bulletin for the last one, Microsoft said that the patch was meant "for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008." So I was surprised to see it in my Windows Update queue today (pictured above) on Windows 7 build 7000.
Microsoft disclosed that the security update resolves several privately reported vulnerabilities in the Windows kernel, the most serious of which could allow remote code execution if a user viewed a specially crafted EMF or WMF image file from an affected system. The vulnerabilities are fixed by "validating input passed from user mode through the kernel component of GDI, correcting the way that the kernel validates handles, and changing the way that the Windows kernel handles specially crafted invalid pointers."
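As an added illustration of what "validating input passed from user mode" means for an image parser (this is example code written for this page, not Microsoft's GDI code or the actual fix): an EMF file is a sequence of records, each of which announces its own length in an nSize field that arrives straight from the untrusted file. The trusting walker below uses that length as-is; the hardened walker checks every length against the bytes actually present before it moves. The record types, the 8-byte iType/nSize prefix and the sample bytes are constructed for the demo, and both walkers are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* EMF record types used by this demo. */
#define EMR_HEADER   1u
#define EMR_EOF      14u
#define EMR_MIN_SIZE 8u   /* iType + nSize: the fixed prefix of every record */

/* Read/write a little-endian 32-bit field without assuming alignment. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Trusting walker (the unchecked pattern, shown for contrast): nSize is
   taken from the file and used as the record length. Returns how many
   bytes the records *claim* to occupy; a consumer that copies or indexes
   that many bytes runs past the real buffer. */
size_t emf_claimed_bytes(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off + EMR_MIN_SIZE <= len) {
        uint32_t type = rd32(buf + off);
        uint32_t size = rd32(buf + off + 4);
        if (size == 0) break;   /* only so this demo cannot spin; a trusting parser would hang */
        off += size;            /* never compared with len - off */
        if (type == EMR_EOF) break;
    }
    return off;
}

/* Hardened walker: every length is validated against the bytes actually
   present before it is used. Returns the record count, or -1 if the
   input is malformed in any way. */
int emf_validate(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        if (len - off < EMR_MIN_SIZE) return -1;                 /* truncated header */
        uint32_t type = rd32(buf + off);
        uint32_t size = rd32(buf + off + 4);
        if (size < EMR_MIN_SIZE || (size & 3u) != 0) return -1;  /* too small or unaligned */
        if (size > len - off) return -1;                         /* claims bytes that are not there */
        if (count == 0 && type != EMR_HEADER) return -1;         /* must begin with EMR_HEADER */
        count++;
        off += size;
        if (type == EMR_EOF) return count;                       /* well-formed end of file */
    }
    return -1;                                                   /* ran out before EMR_EOF */
}

/* Constructed sample: a two-record skeleton (EMR_HEADER, EMR_EOF). A real
   EMR_HEADER carries bounds and version fields; the walkers only look at
   iType/nSize, so those are omitted here. Returns the byte length. */
size_t build_good_emf(uint8_t *out)
{
    wr32(out + 0, EMR_HEADER); wr32(out + 4, 8);    /* header record, 8 bytes */
    wr32(out + 8, EMR_EOF);    wr32(out + 12, 20);  /* EOF record, 20 bytes */
    wr32(out + 16, 0);                              /* nPalEntries */
    wr32(out + 20, 16);                             /* offPalEntries */
    wr32(out + 24, 20);                             /* nSizeLast */
    return 28;
}

/* Same sample with the EOF record's nSize inflated far beyond the buffer. */
size_t build_oversized_emf(uint8_t *out)
{
    size_t n = build_good_emf(out);
    wr32(out + 12, 0x7FFFFFF0u);
    return n;
}

int main(void)
{
    uint8_t good[64], bad[64];
    size_t glen = build_good_emf(good);
    size_t blen = build_oversized_emf(bad);
    printf("good: records=%d claimed=%zu actual=%zu\n",
           emf_validate(good, glen), emf_claimed_bytes(good, glen), glen);
    printf("bad : records=%d claimed=%zu actual=%zu\n",
           emf_validate(bad, blen), emf_claimed_bytes(bad, blen), blen);
    return 0;
}
```

The point of the two walkers is where the length check sits: the trusting one lets a 28-byte file assert that it is two gigabytes long, and anything downstream that believes the claimed size becomes the out-of-bounds access; the hardened one refuses the record before the length is ever used.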
The update has also been available for a few days from the Microsoft Download Center for both Windows 7 beta 32-bit (1.2 MB) and 64-bit (1.6 MB). Microsoft describes the update as follows: "A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this update, you may have to restart your system. This update is provided to you and licensed under the Windows 7 Prerelease License Terms."
Microsoft is widely expected to give out the Windows 7 Release Candidate build to the public in April, though it may arrive earlier through other channels. Until then, Microsoft apparently wants to keep its public testers safe, from certain security flaws, anyway.
(arstechnica)