
By Gregg Keizer
September 9, 2008
Microsoft Corp. today patched eight vulnerabilities, all rated critical, in four security updates for Windows, Office, Windows Media Player, Internet Explorer 6, SQL Server and other programs.
Unlike last month, when Microsoft issued 12 bulletins that fixed 26 flaws, today's patched vulnerabilities did not include any that have already been exploited in the wild. "It doesn't look too bad today," said Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., comparing the count to August's. "Although anything running Windows will have to be updated with MS08-052."
The update in that bulletin, highlighted by Storms and other experts as the one most crucial to apply immediately, fixes a total of five vulnerabilities in the GDI+ component of Windows. GDI+ (Graphics Device Interface) debuted in Windows XP and is a core part of Windows Vista and the current server-side operating systems, Windows Server 2003 and Windows Server 2008.
"It's one of the foundations for graphic display in Windows," said Storms. "Anyone running XP or newer -- and who isn't these days -- will have to update." Hackers could exploit the GDI+ bugs by sending specially crafted image files in a variety of formats -- including EMF, GIF, WMF and BMP -- to a user via e-mail, or by convincing users to visit sites that contain malicious image files.