Microsoft fixes 20 flaws with 11 patches

Microsoft on Tuesday released its October 2008 security bulletin. The four critical bulletins concern Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel. The patch for Internet Explorer is cumulative.
Microsoft is now sharing the technical details of new vulnerabilities in advance of so-called Patch Tuesday to give software developers a chance to update affected products before the public announcement.
Microsoft is also including within each bulletin this month an "exploitability index" to help system administrators prioritize the patches--1 is for consistently functioning exploits (of most concern), 2 is for inconsistently functioning exploits (of moderate concern), and 3 is for vulnerabilities that are unlikely to produce functioning exploits (of least concern). All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Exploitability index: 2. Microsoft recommends that customers consider applying the security update. Titled "Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)," this bulletin only affects Microsoft Office XP Service Pack 3; all other supported versions of Microsoft Office are not affected. This bulletin addresses the vulnerability detailed in CVE-2008-4020. Microsoft says an attacker "who successfully exploited this vulnerability could inject a client side script in the user's browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site."
Exploitability index: 1-2. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)," this bulletin affects Microsoft Office Excel 2000 and is rated Important for all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack, Microsoft Office Excel Viewer, and Microsoft Office SharePoint Server 2007. This bulletin addresses the vulnerabilities detailed in CVE-2008-4019, CVE-2008-3471, and CVE-2008-3477. Microsoft says an attacker who exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitability index: 1-3. Microsoft recommends that customers apply this update immediately. Titled "Cumulative Security Update for Internet Explorer (956390)," this bulletin affects Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on all supported editions of Microsoft Windows 2000, and for Internet Explorer 6 running on all supported editions of Windows XP. For Internet Explorer 7 running on all supported editions of Windows XP and Windows Vista, this security update is rated Important. Otherwise, this security update is rated Moderate or Low. This bulletin addresses the issues detailed in CVE-2008-2947, CVE-2008-3472, CVE-2008-3473, CVE-2008-3474, CVE-2008-3475, and CVE-2008-3476. Microsoft says that "the vulnerabilities could allow information disclosure or remote code execution if a user views a specially crafted Web page using Internet Explorer."
Exploitability index: 1. Microsoft recommends that customers apply the update immediately. Titled "Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)," this bulletin affects Microsoft Host Integration Server 2000, Microsoft Host Integration Server 2004, and Microsoft Host Integration Server 2006. This bulletin addresses the vulnerability detailed in CVE-2008-3466. Microsoft says this "vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights."
Exploitability index: 2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerability in Active Directory Could Allow Remote Code Execution (957280)," this bulletin affects implementations of Active Directory on Microsoft Windows 2000 Server. This update addresses the vulnerability detailed in CVE-2008-4023. Microsoft says that "this vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability."
Exploitability index: 1-3. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)," this bulletin affects users of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerabilities detailed in CVE-2008-2250, CVE-2008-2251, and CVE-2008-2252. Microsoft says a "local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)," this bulletin affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1446. Microsoft says an "attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 2. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in SMB Could Allow Remote Code Execution (957095)," this bulletin affects all supported versions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4038. Microsoft says the "vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 2. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)," this bulletin affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4036. Microsoft says that "the vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."
Exploitability index: 3. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)," this bulletin affects Microsoft Windows 2000. This update addresses the vulnerability detailed in CVE-2008-3479. Microsoft says the "vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)," this bulletin affects Windows XP and Windows Server 2003. The update addresses the vulnerability detailed in CVE-2008-3464. Microsoft says "a local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.







...Microsoft has FOUR vulnerabilities that can be hit remotely, randomly, and at any time (notice that I'm not counting AD or Office or trojan exploits - I'm counting problems that affect any current Windows machine).
I'd ask the MSFT fanboy choir how they intend to spin this one, but I suspect that they're all too busy hitting Windows Update and praying in sheer panic at the moment... ;)
/P
Thing is, today's list from MSFT shows that it is far easier to exploit the flaws found in and about Windows than those found with OSX.
As for marketshare, consider this: Apache/Tomcat is a server app which runs the majority of the web servers on the Internet. So why are there historically more exploits and successful attacks on IIS than on Apache?
As far as the ease of I do know individuals who hack both Windows and OS X boxes, neither being any more or less difficulty, according to them, since that goes WAY over my head.
It is true that some of these allow remote code execution, however it is important to point out that the affected operating systems are Windows 2000 and Host Integration Server.
There is no mention of Windows XP, Vista, Server 03 or Server 08 being patched for a remote execution flaw.
If you use one of these older operating systems, you should thank Microsoft for providing a free patch for you. When was the last time Apple fixed anything eight years old and gave it away?
It's pure FUD and his point has been proven to be blatantly inaccurate by Apple itself. It's not worth trying to explain the issue anymore. Anyone can go to the forums at Apple, Appleinsider, slashdot, and other sites to find out the truth.
Old news, move along.
I can say this with confidence because while you do have a point about focus, there's a larger reason behind that focus. The evidence is in the numbers at large - there hasn't been a remote hack on OSX or Linux since 2000-2001, and together the two OSes have less than a hand's count of viruses in their entire histories that have affected more than small groups of machines.
It certainly isn't Windows' marketshare overall - a good hard OSX hack would get your hypothetical friend into millions of machines - even now botnet herders brag on mere dozens of thousands of Windows zombies in their networks. Imagine what near-exclusive access to millions of heterogeneous machines (Macs) would do - yet no one has managed it in what, eight years?
@News_Reader: 08-062 and 08-063 affect far more than Win2k. Look up there for yourself.
@Dan: Nice try - try again? If you were right, you'd have URLs posted instead of that feeble vagueness that you typed out. ;)
/P
by RamblerRandy
October 14, 2008 9:49 PM PDT
Unfortunately MS decided to once again install these patches without notification or permission and the auto patch settings are to "download and notify". The patches were trying to install while I was trying to shut down the computer from a power outage. The same thing was happening to my roommate's computer. Nearly wrecked both computers.

by Penguinisto
October 15, 2008 6:56 AM PDT
In fairness, you can turn off Automatic Updates.

This is malware and vandalism yet MS gets away with it. I haven't heard about lawsuits but I bet there are good grounds to win on. If MS wins, though, then the malware people will be allowed to install all sorts of viruses 'legally'.
God help us all. MS's install without permission IS a security vulnerability! No one should be able to automatically do something to my computer without permission.
Me, I leave mine on - for OSX and Linux. :)
/P