Microsoft fixes 28 flaws; 6 are critical

Microsoft on Tuesday released its December 2008 security bulletin. The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media Components.

Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-070: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)", this bulletin affects the Microsoft Visual Basic 6.0 Runtime Extended Files; all supported editions of Microsoft Visual Studio .Net 2002, Microsoft Visual Studio .Net 2003, Microsoft Visual FoxPro 8.0, Microsoft Visual FoxPro 9.0, Microsoft Office Project 2003, and Microsoft Office Project 2007. This bulletin addresses the vulnerabilities detailed in CVE-2008-4252, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255, CVE-2008-4256, and CVE-2008-3704, which could allow remote code execution "if a user browsed a Web site that contains specially crafted content," Microsoft says.

MS08-071: Critical

Exploitability index: 2-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in GDI Could Allow Remote Code Execution (956802)", this bulletin is rated critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This bulletin addresses the vulnerabilities detailed in CVE-2008-2249 and CVE-2008-3465. Microsoft says "exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS08-072: Critical

Exploitability index: 1-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)," this bulletin is rated critical for supported editions of Microsoft Office Word 2000 and Microsoft Office Outlook 2007. For supported editions of Microsoft Office Word 2002, Microsoft Office Word 2003, Microsoft Office Word 2007, Microsoft Office Compatibility Pack, Microsoft Office Word Viewer 2003, Microsoft Works 8, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. This bulletin addresses the issues detailed in CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4030,CVE-2008-4028, CVE-2008-4031, and CVE-2008-4837 . Microsoft says this bulletin resolves "eight privately reported vulnerabilities in Microsoft Office Word and Microsoft Office Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-073: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Cumulative Security Update for Internet Explorer (958215)", this bulletin is rated critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on Microsoft Windows 2000; Internet Explorer 6 running on Windows XP; and Internet Explorer 7. For Internet Explorer 6 running on Windows Server 2003, this security update is rated "moderate." This update addresses the vulnerabilities detailed in CVE-2008-4258, CVE-2008-4259, CVE-2008-4260, and CVE-2008-4261. Microsoft says the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

MS08-074: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)." This bulletin is rated critical for all supported editions of Microsoft Office Excel 2000. For all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack, Microsoft Office Excel Viewer, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. For Internet Explorer 6 running on Windows Server 2003, this security update is rated moderate. This update addresses the vulnerabilities detailed in CVE-2008-4265, CVE-2008-4264, and CVE-2008-4266. Microsoft says if a user opens a specially crafted Excel file an attacker could exploit these vulnerabilities and take complete control of an affected system.

MS08-075: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)" This bulletin is rated critical for all supported editions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4268 and CVE-2008-4269. Microsoft says that "these vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system."

MS08-076: Important

Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)", this bulletin is rated important for Windows Media Player 6.4, Windows Media Format Runtime 7.1, Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Windows Media Services 4.1, Windows Media Services 9 Series, and Windows Media Services 2008. This update addresses the vulnerabilities detailed in CVE-2008-3009 and CVE-2008-3010. Microsoft says the "most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."

MS08-077: Important

Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)", this bulletin is rated important for all supported editions of Microsoft Office SharePoint Server 2007 and Microsoft Search Server 2008. This update addresses the vulnerability detailed in CVE-2008-4032. Microsoft says the "vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure."

[Penguinisto]

Ouch... all but one allows remote code execution, and many of those don't even require user assistance (that is, download and execution) to trigger.

Ah well... time to get up the threat posture analysis and patching...

[faboumen]

Shouldn't you be standing in line somewhere, waiting for Jobs' next trendy gadget to hit store shelves?

[Vegaman_Dan]

You don't have to worry, Penguinisto. You have already publically claimed multiple times that you neither own, nor use, nor support any Microsoft products. So unless you have gone back on your word, you have nothing to worry about for Microsoft products or their patching methods.

[tm_anon]

yet another reason I do as much as possible to stay away from MSFT.

[Penguinisto]

Hey Dan: stop lying, please.

Hay "faboumen" - I love you too, man. ;)

[ferretboy88]

After I updated my system I was having fun playing Crysis with my Vista machine(custom made by me) on high res. Good luck playing that game with a mac. You would have to buy a $8000 mac just to be able to play it on high settings. That is if they made the game for Apples.

[Vegaman_Dan]

Penguinisto wrote:

"Hey Dan: stop lying, please."

I'm sorry, I am just quoting you on your comments about not owning, using, or supporting any Microsoft products. Are you now saying publically that you lied about that? Perhaps if you don't want people to remind you of the very claims you made, you may want to not make them in the first place?

It's kind of embarassing when you get caught telling stories, ya know.

[Penguinisto]

"I'm sorry, I am just quoting you on your comments about not owning, using, or supporting any Microsoft products."

...at home.

Lying by omission is still a lie, Dan.

[rapier1]

You go drinking with Commander_Spock a lot don't you?

[rnaoncfixd]

@ ferretboy88
Yeah, but most people I know who buy a mac don't buy it for the games anyways. Glad the update worked for you though.

[goodspeed8701]

@ penguin...
You are the first to post again. i think this is your job... Since you have nothing to do but to sit in front of a keyboard and start posting rubbish. Once again i am saying you should get a life and stop being a freak.

My door has holes in it, so i patched it before any one could even think of taking advantage of the holes. Is my house secured or not?

Even applesuxleo has things doing. You dont see him here and there posting biased and stupid comments about apple always. He is properbly doing something serious right now.

Get a life.

[Vegaman_Dan]

It's Penguinisito. It's expected of him. You can't ask a leopard to change its spots, nor can we ask Penguinisto to be open minded. It just isn't going to happen. Live with it and move on.

[mikestatic1]

Wow, it looks like the Microsoft apologists are out in force. Windows is the best, because you use Windows. Good for you. Enjoy your substandard piecemeal piece of junk PC, maybe Santa will bring you a sound card or video card for XMas.

[test_tester]

interesting

[Penguinisto]

Wow - you kids really know how to leap to the defense of your favorite products... so, you have no points or rebuttals, just blind and screaming ad hominem?

Reflects more on you guys than it does me, but seriously... maybe you shouldn't let your emotions rule you so much.

Kisses,
/P

[Vegaman_Dan]

Penguinisto wrote:

"so, you have no points or rebuttals, just blind and screaming ad hominem? "

Much like what you do in each and every post about MIcrosoft. :)

Caught doing it yourself, Penguinisto. It's hilarious when you totally embarass yourself to thoroughly. It's like nobody even needs to help you- you do it to yourself.

Priceless.

(And the sad part is, he doesn't even know it, folks)

[Penguinisto]

Ah, Dan? The "I know you are but what am I" argument doesn't work so hot. Anyone with even a partial grasp of how to use CNET's search feature can disprove your statement.

[Dalkorian]

*Looks at Dan, then at Peng*
Now children, behave yourselves or you'll get sent to your rooms without supper.
;-)

[moordrake]

The Excel update broke one of my Access databases. It messed with all kinds of associations of the test machine I had the patch on. Didnt affect the way unpatched machines saw the DB. Somebody put on a pot of coffee, this might take the rest of the night.........

[twecrob]

Don't know if you've made any progress with this, but I have at least four users who can no longer paste rows from Excel 2007 directly into a table in Access 2007 because of the KB958437 patch. I've confirmed that uninstalling this patch removes the problem. After speaking with Microsoft for 2 hours, I finally got them to tell me that an updated patch should be released next week.

[test_tester]

interesting

[ferretboy88]

I love my dual boot vista/Fedora box. I just love my windows games.

[The_happy_switcher]

I guess the previous 50,000+ patches weren't enough to keep this turd from smelling any further.

[rnaoncfixd]

Hey, as a Mac person myself, we go through tons and tons of updates that get quite annoying after a while. Both companies are pretty grubby like that.

Vista may be a turd, but people still use it and they provided at least some support to their users. It's a company trying to win back some people and keep the people it has happy.

No need to be a flammer about these issues. Just be glad that Apple has competition because without Microsoft, Apple wouldn't strive to be better.

[Brian]

I like what Apple is doing so far and with Snow Leopard arriving very soon, we will be the happiest computer users on the planet.

Do Micro$oft users feel the same about their operating system?

[Mr. Dee]

I don't patch and regularly update my Antivirus software and nothing affects my system. Windows folks, don't worry your little heads off.

[JunkSiu]

Well, basically that "allow remote code execution" is standard "line" for buffer overflow bugs. Just copy and paste....

[gggg sssss]

stay away from prn sites and you will be OK.. And anybody that downloads an Excel spreadsheet from a porn site has absolutely no clue

[Imalittleteapot]

But the spreadsheets are the best part?

[Penguinisto]

Okay folks... instead of relying on my own experiences (professional and otherwise, I decided to have a look around WRT Windows...

I really didn't have to go far: one of DirectX' three creators says, and I quote: "First, Vista blows. DirectX came with it?you just want to slap Microsoft and go, "What the hell were you thinking?"?"

Read for yourself: http://www.custompc.co.uk/news/602286/vista-blows-says-directx-creator.html

[celticbrewer]

and what did the other two DirectX creators say? You can't make everyone happy, afterall. No matter how good or how bad a product is, there will be people who love or hate it.

[ferretboy88]

They should patch Apple computers so they can run all my Business software and games.

[Dalkorian]

Apple isn't able to patch the defect in front of the keyboard any better than any other vendor. Try an education, that might fix your problem.

[biffhenerson]

Vista rocks! I use it at the office, on my tablet, and at home. I have custom built computers and a Dell XPS. I have had zero problems. I am a power user. I am a NET software developer. I play games. I use Office 2007. I have camera, scanner, printer, sound, video, joystick, USB drives, USB flash attachments. No problems. Ever. Never. It just boggles my mind when people dis Vista. Whats the problem? I dont see it. I am convinced that the problem is not with Vista but with the people using Vista. Oh yeah, at the office we get a never ending stream of users bringing their laptops in because they are "broke" or the users come in to describe problems with their home PC. Most are still on XP but a few are on Vista. The cause of the problem is ALWAYS the user, or thier children. It is NEVER the operating system. Never once. When your child scratches the paint on your car, do you then run around saying that Ford sucks? I too am not impressed with the number of patches. But considering the millions of lines of code in the operating system, its really not bad at all. The good news is that they are fixing it. It would be worse if they didnt. If find it all very interesting to study and hopefully produce better software myself.

[celticbrewer]

Amen, brother. Myself (power user) and my clients (Tech-Stupid) have all used Vista with zero problems. It's the XP machines that give me headaches.

[Dalkorian]

by biffhenerson December 10, 2008 8:00 AM PST
I am convinced that the problem is not with Vista but with the people using Vista.
=================================================
Funny, that's been M$'s position with most of their problems. Their OS isn't insecure, it's their customers going to "questionable websites". Office isn't insecure, it's just their customers opening documents from unknown sources. Fista isn't a disaster, it's just some bad publicity from a few vocal customers who were trying to do things they shouldn't have been doing.

Blaming the customer glosses over the real problem - their software is trash. Always was and always will be. If they were in any other industry they would be out of business decades ago for their flawed products.

[the_hacker_1]

critical bugs found by people like Carstein Eiram, Mark Down or Michal Bucko, you can find more here-
http://www.microsoft.com/technet/security/Bulletin/MS08-070.mspx