September 9, 2008 10:49 AM PDT

Microsoft fixes eight critical flaws with four patches

by Robert Vamosi

Microsoft on Tuesday released its September 2008 security bulletin summary.

The four bulletins concern Windows GDI+, Windows Media Player, and Microsoft Office OneNote. All are rated critical by Microsoft. There is no cumulative patch for Internet Explorer this month.

Starting next month, Microsoft plans to share the technical details of new vulnerabilities to give software developers time to update affected products before the public announcement.

Also in October, Microsoft will start providing each bulletin with an Exploitability Index to help system administrators prioritize the patches. All current Microsoft security patches for both Windows and Office software are available via Microsoft Update or the individual bulletins detailed below.

MS08-052: Critical
Entitled "Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)," this bulletin affects all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, Microsoft Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4, Microsoft Digital Image Suite 2006, SQL Server 2000 Reporting Services Service Pack 2, all supported editions of SQL Server 2005, Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package, and Microsoft Report Viewer 2008 Redistributable Package. It addresses the issues detailed in CVE-2008-5348, CVE-2008-3012, CVE-2008-3013, CVE-2008-3014, and CVE-2008-3015. Microsoft says these vulnerabilities "could allow remote code execution, if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content."

MS08-053: Critical
Entitled "Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)," this bulletin affects all supported and affected editions of Microsoft Windows 2000, Windows XP, and Windows Vista, as well as supported and affected versions of Windows Server 2003 and Windows Server 2008. It addresses the vulnerability detailed in CVE-2008-3008. Microsoft says the vulnerability could "allow remote code execution, if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system."

MS08-054: Critical
Entitled "Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)," this bulletin affects all supported and affected editions of Windows Media Player 11. This bulletin addresses the issues detailed in CVE-2008-2253. Microsoft says there is a "vulnerability in Windows Media Player that could allow remote code execution when a specially crafted audio file is streamed from a Windows Media server. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."

MS08-055: Critical
Entitled "Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)," this bulletin affects supported editions of Microsoft Office OneNote 2007 and supported editions of Microsoft Office XP, Microsoft Office 2003, and 2007 Microsoft Office System. This bulletin addresses the vulnerability detailed in CVE-2008-3007. Microsoft says "if a user clicks a specially crafted OneNote URL...an attacker who successfully exploited this vulnerability could take complete control of an affected system."

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by The_happy_switcher September 9, 2008 11:43 AM PDT
The SS Titanic MS needs another patch.
by compudoc318 September 9, 2008 12:58 PM PDT
And where is the Apple patch to lower the price, and the patch for more games and software...lol. And I forgot the boot camp patch to make osx use a real os to get the real work done...lol.
by t26l September 9, 2008 4:44 PM PDT
At least they admit when their software has flaws, and take action to fix it in a timely manner.
by Vegaman_Dan September 9, 2008 9:40 PM PDT
Apple's iTunes keeps bugging me to do a security update patch. What does that say about your argument?
by nb2000nb September 9, 2008 11:57 AM PDT
yeah. You just keep on wishing apple could find their bugs... They might as well start a new OS from scratch.
by catch23 September 9, 2008 12:12 PM PDT
Apple can't write an OS. They tried, and it was so crappy not even they could use it. That is why they had to cut and paste FreeBSD.
Hell, they can't even write QuickTime. It, an app, has more holes than the entire Windows OS...
by ncalishome September 9, 2008 1:12 PM PDT
by Imalittleteapot September 9, 2008 7:02 PM PDT
Installing now :(
by Imalittleteapot September 9, 2008 7:05 PM PDT
Oh wait, these are entirely different updates. Jeez it never ends. I have Linux updates too! Grrrr.
by David Gerard September 10, 2008 4:18 PM PDT
It's the Monthly IT Job Creation Scheme Newsletter! http://tinyurl.com/56dvdt