Microsoft Patches Critical Bugs in Windows

Microsoft has posted eight security updates — more than half marked “critical” — that patch 10 bugs in Windows, Office and Internet Explorer.

Of the 10 vulnerabilities plugged, Microsoft labeled seven as critical, the highest rating in its four-step threat-scoring system. Of the remainder, two were pegged as “important” and one as merely “moderate.”

Analysts agreed that the most serious vulnerabilities disclosed today were the two plugged by MS08-021, a critical update for every currently supported version of Windows, including the just-released Vista Service Pack 1 (SP1) and the even newer Windows Server 2008. “That’s right across the board,” said Tyler Reguly, a security research engineer at nCircle Network Security.

“All versions of Windows are affected,” echoed Amol Sarwate, manager of Qualys’s vulnerability research lab. “You don’t need to have any special software on your PC to be vulnerable.”

The MS08-021 update, said Microsoft in the advisory accompanying the release, fixes two flaws in Windows’ GDI, or graphics device interface, one of the core components of the operating system. Attackers can use malformed WMF (Windows Metafile) or EMF (Enhanced Metafile) image files to trigger the bugs and “take complete control of an affected system,” said Microsoft.

“Users who simply view an image online or in e-mail could be compromised,” said Sarwate.

Both Sarwate and Reguly noted that there are similarities between the two new GDI vulnerabilities and ones revealed in late 2005, which were extensively used by attackers for months afterward. In fact, Microsoft patched that earlier GDI vulnerability — which was also exploited by malicious WMF and EMF files — “out-of-cycle,” or outside of its normal second-Tuesday-of-the-month update schedule.

Adobe Unveils Free Web-based Photoshop

The long-awaited, Web-based and free version of Adobe Photoshop is now available as a beta, Adobe announced Thursday.

Photoshop Express allows users to store up to 2GB of images, make edits to their photos, and share them, all online.

It is a way for Adobe to compete with free applications like Google’s Picasa, which have emerged over the last few years.

Since it’s to be used by consumers, the company has put a lot of effort on ease-of-use. In a few clicks, users will be able to make standard edits, such as removing blemishes and red-eye, converting to black and white, cropping and resizing. No experience is required, Adobe said.

Users will also be able to integrate with social networking sites like Facebook.

Photoshop Express works with all major browsers, including Firefox, Internet Explorer and Safari, Adobe said. It requires an Internet connection and Flash Player 9 to work.

The tool is based on Flex, Adobes cross-browser plug-in technology for multimedia.

At first, Photoshop Express is available only to U.S. residents and only in English. Users may experience slow performance if accessed outside of the US, Adobe warned. Future plans include availability in other languages and countries.

This isn’t Adobe’s first foray into Web-based services. Adobe announced the availability of Premiere Express, an online video editing available on partner sites such as MTV and Photobucket, early last year.