• On TV.com: TOP 10 Shows CANCELED Too Soon
September 9, 2008 10:49 AM PDT

Microsoft fixes eight critical flaws with four patches

by Robert Vamosi

Microsoft on Tuesday released its September 2008 security bulletin summary.

The four bulletins concern Windows GDI+, Windows Media Player, and Microsoft Office OneNote. All are rated critical by Microsoft. There is no cumulative patch for Internet Explorer this month.

Starting next month, Microsoft plans to share the technical details of new vulnerabilities to give software developers time to update affected products before the public announcement.

Also in October, Microsoft will start providing each bulletin with an Exploitability Index to help system administrators prioritize the patches. All current Microsoft security patches for both Windows and Office software are available via Microsoft Update or the individual bulletins detailed below.

MS08-052: Critical
Entitled "Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)," this bulletin affects all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, Microsoft Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4, Microsoft Digital Image Suite 2006, SQL Server 2000 Reporting Services Service Pack 2, all supported editions of SQL Server 2005, Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package, and Microsoft Report Viewer 2008 Redistributable Package. It addresses the issues detailed in CVE-2008-5348, CVE-2008-3012, CVE-2008-3013, CVE-2008-3014, and CVE-2008-3015. Microsoft says these vulnerabilities "could allow remote code execution, if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content."

MS08-053: Critical
Entitled "Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)," this bulletin affects all supported and affected editions of Microsoft Windows 2000, Windows XP, and Windows Vista, as well as supported and affected versions of Windows Server 2003 and Windows Server 2008. It addresses the vulnerability detailed in CVE-2008-3008. Microsoft says the vulnerability could "allow remote code execution, if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system."

MS08-054: Critical
Entitled "Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)," this bulletin affects all supported and affected editions of Windows Media Player 11. This bulletin addresses the issues detailed in CVE-2008-2253. Microsoft says there is a "vulnerability in Windows Media Player that could allow remote code execution when a specially crafted audio file is streamed from a Windows Media server. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."

MS08-055: Critical
Entitled "Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)," this bulletin affects supported editions of Microsoft Office OneNote 2007 and supported editions of Microsoft Office XP, Microsoft Office 2003, and 2007 Microsoft Office System. This bulletin addresses the vulnerability detailed in CVE-2008-3007. Microsoft says "if a user clicks a specially crafted OneNote URL...an attacker who successfully exploited this vulnerability could take complete control of an affected system."

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

News,

Vulnerabilities & attacks

Tags:

security,

Microsoft,

Patch Tuesday,

Windows GDI+,

Windows Media Player,

Microsoft Office,

OneNote

Share:
Digg
Del.icio.us
Reddit
advertisement
Click here!
Recent posts from Security
Microsoft to fix holes in Windows, Office
Google privacy controls: Most people won't care
Zero-day flaw found in Web encryption
Mac Game: Art project or malware?
Corporate bank accounts targeted in online fraud
Hacker breaks into jailbroken iPhones, asks for $7
Malwarebytes accuses rival of software theft
Security firm M86 acquires Finjan
Related
Critical Windows 7 holes fixed in record Patch Tuesday
Microsoft to fix holes in Windows, Office
Microsoft to patch zero-day SMB, IIS holes
Podcast: Symantec researcher on biggest Patch Tuesday ever
Adobe fixes 28 holes in Reader and Acrobat
Firefox 3.5.4 closes security holes
Adobe issues update to Reader, Acrobat
Phishing, worms spike this year, say Microsoft and McAfee
Add a Comment (Log in or register) (10 Comments)
  • prev
  • 1
  • next
by The_happy_switcher September 9, 2008 11:43 AM PDT
The SS Titanic MS needs another patch.
Reply to this comment
by compudoc318 September 9, 2008 12:58 PM PDT
and where is the apple patch to lower the price, and the patch for more games and software...lol. And i forgot the boot camp patch to make osx use a real os to get the real work done...lol.
by t26l September 9, 2008 4:44 PM PDT
At least they admit when their software has flaws, and take action to fix it in a timely manner.
by Vegaman_Dan September 9, 2008 9:40 PM PDT
Apple's iTunes keeps bugging me to do a security update patch. What does that say about your argument?
by nb2000nb September 9, 2008 11:57 AM PDT
yeah. You just keep on wishing apple could find their bugs... They might as well start a new OS from scratch.
Reply to this comment
by catch23 September 9, 2008 12:12 PM PDT
Apple can't write an OS. They tried, and it was so crappy not even they could use it. That is why they had to cut and paste FreeBSD.
Hell, they can't even write QuickTime. It, an app, has more holes then the entire Windows OS...
by ncalishome September 9, 2008 1:12 PM PDT
by Imalittleteapot September 9, 2008 7:02 PM PDT
Installing now :(
Reply to this comment
by Imalittleteapot September 9, 2008 7:05 PM PDT
Oh wait, these are entirely different updates. Jeez it never ends. I have Linux updates too! Grrrr.
Reply to this comment
by David Gerard September 10, 2008 4:18 PM PDT
It's the Monthly IT Job Creation Scheme Newsletter! http://tinyurl.com/56dvdt
Reply to this comment
(10 Comments)
  • prev
  • 1
  • next
advertisement

FAQ: Buying the right Windows 7 upgrade

Readers still have lots of questions on just which version of the software they need to buy in order to upgrade their PC. CNET News tries to offer some answers.

N.Y. lawsuit details Intel's 'largesse' toward Dell

Attorney General Andrew Cuomo's federal antitrust case filed Wednesday alleges a longstanding symbiotic relationship between Intel and Dell.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement
Click Here

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET