August 12, 2008 12:04 PM PDT

Microsoft fixes 26 flaws with 11 patches; six are critical

by Robert Vamosi

Microsoft on Tuesday released its August 2008 security bulletin. Bulletins rated "critical" concern Microsoft Access 2003 and earlier; Microsoft Word 2002 and 2003; Microsoft Excel; and Microsoft Office 2000, Microsoft Office XP and Microsoft Office 2003. A cumulative patch for Internet Explorer also is rated critical.

"Important" bulletins affect Windows Internet Protocol Security (IPsec); Outlook Express and Windows Mail; Microsoft Windows Event System; Windows Messenger; and Microsoft PowerPoint. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-041: Critical

Titled "Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)." This bulletin affects Snapshot Viewer for Microsoft Access and supported versions of Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003. This update addresses the vulnerability in CVE-2008-2463. Microsoft says that "an attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user."

MS08-042: Critical

Titled "Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048)." This bulletin only affects users of Microsoft Word 2002 and Microsoft Word 2003. The update addresses the vulnerability detailed in CVE-2008-2244. Microsoft says that "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-043: Critical

Titled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066)." This bulletin is rated Critical for users of Microsoft Office Excel 2000 Service Pack 3 and Important for Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel 2003 Service Pack 3, Excel Viewer 2003, Excel Viewer 2003 Service Pack 3, Excel 2007, Excel 2007 Service Pack 1, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1, Microsoft Office Excel Viewer, and Microsoft Office SharePoint Server 2007. The update addresses the issues detailed in CVE-2008-3003, CVE-2008-3004, CVE-2008-3005, and CVE-2008-3006. Microsoft says that "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS08-044: Critical

Titled "Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090)." This bulletin is rated Critical for Microsoft Office 2000 and "important" for supported editions of Microsoft Office XP, Microsoft Office 2003 Service Pack 2, Microsoft Project 2002 Service Pack 1, Microsoft Office Converter Pack, and Microsoft Works 8. This update addresses the vulnerabilities detailed in CVE-2008-3018, CVE-2008-3019, CVE-2008-3021, CVE-2008-3022, and CVE-2008-3460. Microsoft says these vulnerabilities could allow remote code execution if a user views a specially crafted image file when using Microsoft Office.

MS08-045: Critical

Titled "Cumulative Security Update for Internet Explorer (953838)." This bulletin affects users of all supported releases of Internet Explorer. This update addresses the vulnerabilities detailed in CVE-2008-2254, CVE-2008-2255, CVE-2008-2256, CVE-2008-2257, CVE-2008-2258, and CVE-2008-2259. Microsoft says all of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

MS08-046: Critical

Titled "Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954)." This bulletin affects users of Microsoft Windows 2000, Windows XP, and Windows Server 2003. This update addresses the vulnerability detailed in CVE-2008-2245. Microsoft says a vulnerability in the Microsoft Image Color Management (ICM) system could allow remote code execution in the context of the current user. "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-047: Important

Titled "Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733)." This bulletin affects all supported versions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-2246. Microsoft says the vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text, disclosing information intended to be encrypted on the network. An attacker viewing the traffic on the network would be able to view and possibly modify the traffic. According to Microsoft: "Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system or network."

MS08-048: Important

Titled "Security Update for Outlook Express and Windows Mail (951066)." This bulletin affects Windows XP and Windows Vista and is rated "low" for supported editions of Windows Server 2003 and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1448. Microsoft says this vulnerability could allow information disclosure if a user visits a specially crafted Web page using Internet Explorer.

MS08-049: Important

Titled "Vulnerabilities in Event System Could Allow Remote Code Execution (950974)." This bulletin affects Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008. This update addresses the vulnerabilities detailed in CVE-2008-1456 and CVE-2008-1457. Microsoft says that "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."

MS08-050: Important

Titled "Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)." This bulletin affects Windows Messenger 4.7 and Windows Messenger 5.1; it is rated Important for all supported editions of Microsoft Windows 2000 and Windows XP, and Moderate for all supported versions of Windows Server 2003. This update addresses the vulnerability detailed in CVE-2008-0028. Microsoft says that "as a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user. An attacker could change state, get contact information, and initiate audio and video chat sessions without the knowledge of the logged-on user. An attacker could also capture the user's logon ID and remotely log on to the user's Messenger client impersonating that user."

MS08-051: Important

Titled "Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785)." This bulletin is rated Critical for Microsoft Office PowerPoint 2000 and "important" for supported editions of Microsoft Office PowerPoint 2002, Microsoft Office PowerPoint 2003, Microsoft Office PowerPoint 2007, Microsoft Office PowerPoint Viewer 2003, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. This update addresses the vulnerabilities detailed in CVE-2008-0120, CVE-2008-0121, and CVE-2008-1455. Microsoft says an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system: "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
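The bulletins above each carry a Knowledge Base number, which is what a patched machine actually records. The following PowerShell audit is an added example, not part of the CNET article or of Microsoft's bulletins: it checks the Windows-side bulletins (MS08-045 through MS08-050) against the hotfix list on the local machine and marks a bulletin "n/a" when the running OS is not one the bulletin lists. It assumes PowerShell 2.0 or later (for Get-HotFix) and does not cover the Office bulletins, whose updates are not recorded as Windows hotfixes.

```powershell
# Added example (not from the article): audit the August 2008 Windows bulletins
# by KB number. Office updates (MS08-041..044, MS08-051) do not appear in
# Get-HotFix output, so they must be checked through Office's own update tools.
$Bulletins = @(
    # AppliesTo is a regex matched against the OS caption; taken from the
    # affected-product lists in the bulletin summaries above.
    @{ Id = 'MS08-045'; KB = 'KB953838'; AppliesTo = '.';                  Title = 'Cumulative Security Update for Internet Explorer' },
    @{ Id = 'MS08-046'; KB = 'KB952954'; AppliesTo = '2000|XP|2003';       Title = 'Image Color Management System' },
    @{ Id = 'MS08-047'; KB = 'KB953733'; AppliesTo = 'Vista|2008';         Title = 'IPsec Policy Processing' },
    @{ Id = 'MS08-048'; KB = 'KB951066'; AppliesTo = 'XP|Vista|2003|2008'; Title = 'Outlook Express and Windows Mail' },
    @{ Id = 'MS08-049'; KB = 'KB950974'; AppliesTo = '2000|XP|2003|2008';  Title = 'Event System' },
    @{ Id = 'MS08-050'; KB = 'KB944338'; AppliesTo = '2000|XP|2003';       Title = 'VBScript and JScript Scripting Engines' }
)

# OS caption, e.g. "Microsoft Windows XP Professional" or
# "Microsoft(R) Windows(R) Server 2003, Standard Edition".
$osCaption = (Get-WmiObject -Class Win32_OperatingSystem).Caption

# Installed hotfix IDs as reported by Win32_QuickFixEngineering.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$report = foreach ($b in $Bulletins) {
    $status = if ($osCaption -notmatch $b.AppliesTo) {
        'n/a'            # bulletin does not list this OS
    } elseif ($installed -contains $b.KB) {
        'installed'
    } else {
        'MISSING'        # applicable bulletin with no matching hotfix record
    }
    New-Object PSObject -Property @{
        Bulletin = $b.Id; KB = $b.KB; Status = $status; Title = $b.Title
    }
}

$report | Sort-Object Bulletin | Format-Table Bulletin, KB, Status, Title -AutoSize

# Non-zero exit code if any applicable bulletin is missing, so the script can
# feed a scheduled compliance check.
if ($report | Where-Object { $_.Status -eq 'MISSING' }) { exit 1 } else { exit 0 }
```

A "MISSING" row only means the hotfix record is absent; a superseding later cumulative update (common for the IE bulletin) can replace the KB listed here, so confirm against the current bulletin before treating the machine as unpatched.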

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by The_happy_switcher August 12, 2008 12:56 PM PDT
Time for the Windows weekly turd polish.
by rapier1 August 12, 2008 2:47 PM PDT
So what is it when Apple releases security updates, extra gilding on the lily?
by DrtyDogg August 13, 2008 2:57 AM PDT
Actually it's monthly
by Dalkorian August 13, 2008 11:23 AM PDT
As DrtyDogg alluded to, it's more like "that time of the month" for M$ fans.
by dragonstar125 August 12, 2008 2:00 PM PDT
no problems installing them, no hiccup so far.... but a total of 14 is a lot though....... fingers crossed....
by Gasaraki August 12, 2008 2:41 PM PDT
Thanks for the info.
by Vegaman_Dan August 12, 2008 3:06 PM PDT
Obviously this indicates that Microsoft is a complete and utter failure. The company is going out of business and will be selling out to Apple and RedHat shortly.


Just beating Penguinisto to the punch. It's what he says about every MS story anyways.

by The_happy_switcher August 12, 2008 3:27 PM PDT
Thanks for describing my ultimate wet dream.
by Penguinisto August 12, 2008 9:26 PM PDT
Nah - MSFT won't die yet... it'll die slowly.

Meanwhile, where's the patch for the MSSQL flaw that has several thousand (and counting) MSSQL-based websites working as malware pumps? Inquiring minds want to know...
by Penguinisto August 12, 2008 4:27 PM PDT
Sorry Danny, but I was too busy watching the web congestion and multiple errors @ the windows update site while patching the one Win2k3 server I have left in the joint. ;)

/P
by Vegaman_Dan August 12, 2008 4:58 PM PDT
Wait a moment... you bragged previously about having rid your multi-billion dollar world leading book publisher of all Windows servers and replaced them with Linux boxes. I'm confused - now you say you have a Win2k3 server? You're contradicting your own previous claims. Which story do you want to go with? You can't have both.


And it's not hard to update the server. Simply hit that ol' Windows Update option. If you are having trouble with your network, you may want to talk to your system administrator about the state of your network. I'm sorry to hear you are having multiple errors with your internal network. I know you are limited by what the company allows you to do. Perhaps you can use this as a reason to get your system updated and repaired.

by Penguinisto August 12, 2008 9:24 PM PDT
Never said that - I said that I've been busy ridding my organization of Windows servers, and that I had it down to just a handful (at the time). I'm now down to one, which runs NetBackup.

Maybe you should study that which you obsess over (or at least pay attention more closely ;) ).
by The_Decider August 12, 2008 7:18 PM PDT
MS can patch IE all it wants but it is still a very viable attack vector, and that is by design(what a surprise, insecure by design).

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1324395,00.html

Funny how the coverage of BlackHat by CNET missed this. Must have been an oversight...
by Lerianis August 14, 2008 6:14 AM PDT
IE6 and earlier were insecure by design. IE7 and IE8 are pretty damn secure by design, if you are running them on Windows Vista (which you should be doing by now).
by The_Decider August 14, 2008 9:02 AM PDT
I see you didn't read the article the link posts to.

It is NOT secure.
by frankwick August 12, 2008 9:24 PM PDT
The past few months have been low volume for updates. This is a catch up month!
by AgentSTS August 12, 2008 11:52 PM PDT
Peng,

That fix is called "SQL-101 - Software designers that have not read SQL for Dummies, Chapter 2, regarding elementary SQL injection attacks may cause wide open database access for any script kiddie to corrupt with the cyber-V.D. du jour. This vulnerability also affects Jobs' knob polishers and those that dream in 'console'."
by Penguinisto August 13, 2008 8:53 AM PDT
I wouldn't know - I use MySQL and PostgreSQL, which manage to do the job quite nicely in most cases, and without spending $$$ for CALs. For anything industrial, Oracle seems to work just fine, thanks much.

Meanwhile, MSSQL users get pwned by the thousands...
by JCPayne August 13, 2008 2:55 AM PDT
Does M$ announcing a new gargantuan web of patches actually make you feel any safer???
by benjaminstraight August 13, 2008 8:23 AM PDT
Yeah what's new.
by DawnClifton August 13, 2008 8:31 AM PDT
We have done some research on this month's Microsoft Patch updates and have run them through our Application Compatibility Lab (ACL), which uses our AOK Workbench tool to analyse each of the patches. We found that most of the updates should not cause too many application issues. However, it looks like MS08-045, the IE 7 Security update, may cause issues due to application dependencies on Internet Explorer 7. For further information, have a look at our company report issued this morning: http://www.changebase.com/news_release_13_08_08.html
by acousticb1 August 13, 2008 10:51 AM PDT
I know they do. I think they also, when you try to remove them, mess up apps.
by acousticb1 August 13, 2008 10:50 AM PDT
oh geeze. I am worried every time there is a MS update they screw up something and it messes up computers.
by Lerianis August 14, 2008 6:15 AM PDT
They don't screw jack up. Usually, it is that some idiot programmer has coded a piece of software in a 'weird' way so when Microsoft updates to fix problems with a piece it uses.... the software in question chokes.