December 9, 2008 12:41 PM PST

Microsoft fixes 28 flaws; 6 are critical

by Robert Vamosi

Microsoft on Tuesday released its December 2008 security bulletin. The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media Components.

Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-070: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)", this bulletin affects the Microsoft Visual Basic 6.0 Runtime Extended Files; all supported editions of Microsoft Visual Studio .Net 2002, Microsoft Visual Studio .Net 2003, Microsoft Visual FoxPro 8.0, Microsoft Visual FoxPro 9.0, Microsoft Office Project 2003, and Microsoft Office Project 2007. This bulletin addresses the vulnerabilities detailed in CVE-2008-4252, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255, CVE-2008-4256, and CVE-2008-3704, which could allow remote code execution "if a user browsed a Web site that contains specially crafted content," Microsoft says.

MS08-071: Critical

Exploitability index: 2-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in GDI Could Allow Remote Code Execution (956802)", this bulletin is rated critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This bulletin addresses the vulnerabilities detailed in CVE-2008-2249 and CVE-2008-3465. Microsoft says "exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-072: Critical

Exploitability index: 1-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)," this bulletin is rated critical for supported editions of Microsoft Office Word 2000 and Microsoft Office Outlook 2007. For supported editions of Microsoft Office Word 2002, Microsoft Office Word 2003, Microsoft Office Word 2007, Microsoft Office Compatibility Pack, Microsoft Office Word Viewer 2003, Microsoft Works 8, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. This bulletin addresses the issues detailed in CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4030, CVE-2008-4028, CVE-2008-4031, and CVE-2008-4837. Microsoft says this bulletin resolves "eight privately reported vulnerabilities in Microsoft Office Word and Microsoft Office Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-073: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Cumulative Security Update for Internet Explorer (958215)", this bulletin is rated critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on Microsoft Windows 2000; Internet Explorer 6 running on Windows XP; and Internet Explorer 7. For Internet Explorer 6 running on Windows Server 2003, this security update is rated "moderate." This update addresses the vulnerabilities detailed in CVE-2008-4258, CVE-2008-4259, CVE-2008-4260, and CVE-2008-4261. Microsoft says the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

MS08-074: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)", this bulletin is rated critical for all supported editions of Microsoft Office Excel 2000. For all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack, Microsoft Office Excel Viewer, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. For Internet Explorer 6 running on Windows Server 2003, this security update is rated moderate. This update addresses the vulnerabilities detailed in CVE-2008-4265, CVE-2008-4264, and CVE-2008-4266. Microsoft says if a user opens a specially crafted Excel file an attacker could exploit these vulnerabilities and take complete control of an affected system.

MS08-075: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)", this bulletin is rated critical for all supported editions of Windows Vista and Windows Server 2008. This update addresses the vulnerabilities detailed in CVE-2008-4268 and CVE-2008-4269. Microsoft says that "these vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system."

MS08-076: Important

Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)", this bulletin is rated important for Windows Media Player 6.4, Windows Media Format Runtime 7.1, Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Windows Media Services 4.1, Windows Media Services 9 Series, and Windows Media Services 2008. This update addresses the vulnerabilities detailed in CVE-2008-3009 and CVE-2008-3010. Microsoft says the "most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."

MS08-077: Important

Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)", this bulletin is rated important for all supported editions of Microsoft Office SharePoint Server 2007 and Microsoft Search Server 2008. This update addresses the vulnerability detailed in CVE-2008-4032. Microsoft says the "vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure."

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by Penguinisto December 9, 2008 12:56 PM PST
Ouch... all but one allow remote code execution, and many of those don't even require user assistance (that is, download and execution) to trigger.

Ah well... time to get up the threat posture analysis and patching...
by faboumen December 9, 2008 1:49 PM PST
Shouldn't you be standing in line somewhere, waiting for Jobs' next trendy gadget to hit store shelves?
by Vegaman_Dan December 9, 2008 1:55 PM PST
You don't have to worry, Penguinisto. You have already publicly claimed multiple times that you neither own, nor use, nor support any Microsoft products. So unless you have gone back on your word, you have nothing to worry about for Microsoft products or their patching methods.
by tm_anon December 9, 2008 2:07 PM PST
yet another reason I do as much as possible to stay away from MSFT.
by Penguinisto December 9, 2008 3:12 PM PST
Hey Dan: stop lying, please.

Hay "faboumen" - I love you too, man. ;)
by ferretboy88 December 9, 2008 4:12 PM PST
After I updated my system I was having fun playing Crysis with my Vista machine (custom made by me) on high res. Good luck playing that game with a mac. You would have to buy a $8000 mac just to be able to play it on high settings. That is if they made the game for Apples.
by Vegaman_Dan December 9, 2008 4:53 PM PST
Penguinisto wrote:

"Hey Dan: stop lying, please."

I'm sorry, I am just quoting you on your comments about not owning, using, or supporting any Microsoft products. Are you now saying publicly that you lied about that? Perhaps if you don't want people to remind you of the very claims you made, you may want to not make them in the first place?

It's kind of embarrassing when you get caught telling stories, ya know.
by Penguinisto December 9, 2008 4:59 PM PST
"I'm sorry, I am just quoting you on your comments about not owning, using, or supporting any Microsoft products."

...at home.

Lying by omission is still a lie, Dan.
by rapier1 December 9, 2008 9:06 PM PST
You go drinking with Commander_Spock a lot don't you?
by rnaoncfixd December 9, 2008 9:41 PM PST
@ ferretboy88
Yeah, but most people I know who buy a mac don't buy it for the games anyways. Glad the update worked for you though.
by goodspeed8701 December 9, 2008 1:48 PM PST
@ penguin...
You are the first to post again. I think this is your job... Since you have nothing to do but to sit in front of a keyboard and start posting rubbish. Once again I am saying you should get a life and stop being a freak.

My door has holes in it, so i patched it before any one could even think of taking advantage of the holes. Is my house secured or not?

Even applesuxleo has things doing. You don't see him here and there posting biased and stupid comments about apple always. He is probably doing something serious right now.

Get a life.
by Vegaman_Dan December 9, 2008 1:58 PM PST
It's Penguinisto. It's expected of him. You can't ask a leopard to change its spots, nor can we ask Penguinisto to be open minded. It just isn't going to happen. Live with it and move on.
by mikestatic1 December 9, 2008 1:58 PM PST
Wow, it looks like the Microsoft apologists are out in force. Windows is the best, because you use Windows. Good for you. Enjoy your substandard piecemeal piece of junk PC, maybe Santa will bring you a sound card or video card for XMas.
by test_tester December 9, 2008 2:48 PM PST
interesting
by Penguinisto December 9, 2008 3:14 PM PST
Wow - you kids really know how to leap to the defense of your favorite products... so, you have no points or rebuttals, just blind and screaming ad hominem?

Reflects more on you guys than it does me, but seriously... maybe you shouldn't let your emotions rule you so much.

Kisses,
/P
by Vegaman_Dan December 9, 2008 4:57 PM PST
Penguinisto wrote:

"so, you have no points or rebuttals, just blind and screaming ad hominem? "

Much like what you do in each and every post about Microsoft. :)

Caught doing it yourself, Penguinisto. It's hilarious when you totally embarrass yourself so thoroughly. It's like nobody even needs to help you - you do it to yourself.

Priceless.

(And the sad part is, he doesn't even know it, folks)
by Penguinisto December 9, 2008 5:00 PM PST
Ah, Dan? The "I know you are but what am I" argument doesn't work so hot. Anyone with even a partial grasp of how to use CNET's search feature can disprove your statement.
by Dalkorian December 10, 2008 10:36 AM PST
*Looks at Dan, then at Peng*
Now children, behave yourselves or you'll get sent to your rooms without supper.
;-)
by moordrake December 9, 2008 1:51 PM PST
The Excel update broke one of my Access databases. It messed with all kinds of associations of the test machine I had the patch on. Didn't affect the way unpatched machines saw the DB. Somebody put on a pot of coffee, this might take the rest of the night.........
by twecrob December 11, 2008 1:46 PM PST
Don't know if you've made any progress with this, but I have at least four users who can no longer paste rows from Excel 2007 directly into a table in Access 2007 because of the KB958437 patch. I've confirmed that uninstalling this patch removes the problem. After speaking with Microsoft for 2 hours, I finally got them to tell me that an updated patch should be released next week.
by test_tester December 9, 2008 2:50 PM PST
interesting
by ferretboy88 December 9, 2008 4:13 PM PST
I love my dual boot vista/Fedora box. I just love my windows games.
by The_happy_switcher December 9, 2008 4:22 PM PST
I guess the previous 50,000+ patches weren't enough to keep this turd from smelling any further.
by rnaoncfixd December 9, 2008 9:48 PM PST
Hey, as a Mac person myself, we go through tons and tons of updates that get quite annoying after a while. Both companies are pretty grubby like that.

Vista may be a turd, but people still use it and they provided at least some support to their users. It's a company trying to win back some people and keep the people it has happy.

No need to be a flamer about these issues. Just be glad that Apple has competition because without Microsoft, Apple wouldn't strive to be better.
by Brian December 10, 2008 1:53 PM PST
I like what Apple is doing so far and with Snow Leopard arriving very soon, we will be the happiest computer users on the planet.

Do Micro$oft users feel the same about their operating system?
by Mr. Dee December 9, 2008 4:38 PM PST
I don't patch and regularly update my Antivirus software and nothing affects my system. Windows folks, don't worry your little heads off.
by JunkSiu December 9, 2008 4:51 PM PST
Well, basically that "allow remote code execution" is standard "line" for buffer overflow bugs. Just copy and paste....
by gggg sssss December 9, 2008 6:59 PM PST
Stay away from prn sites and you will be OK. And anybody that downloads an Excel spreadsheet from a porn site has absolutely no clue.
by Imalittleteapot December 9, 2008 9:21 PM PST
But the spreadsheets are the best part?
by Penguinisto December 9, 2008 8:07 PM PST
Okay folks... instead of relying on my own experiences (professional and otherwise), I decided to have a look around WRT Windows...

I really didn't have to go far: one of DirectX's three creators says, and I quote: "First, Vista blows. DirectX came with it – you just want to slap Microsoft and go, 'What the hell were you thinking?'"

Read for yourself: http://www.custompc.co.uk/news/602286/vista-blows-says-directx-creator.html
by celticbrewer December 10, 2008 8:39 AM PST
And what did the other two DirectX creators say? You can't make everyone happy, after all. No matter how good or how bad a product is, there will be people who love or hate it.
by ferretboy88 December 10, 2008 4:33 AM PST
They should patch Apple computers so they can run all my Business software and games.
by Dalkorian December 10, 2008 10:39 AM PST
Apple isn't able to patch the defect in front of the keyboard any better than any other vendor. Try an education, that might fix your problem.
by biffhenerson December 10, 2008 8:00 AM PST
Vista rocks! I use it at the office, on my tablet, and at home. I have custom built computers and a Dell XPS. I have had zero problems. I am a power user. I am a .NET software developer. I play games. I use Office 2007. I have camera, scanner, printer, sound, video, joystick, USB drives, USB flash attachments. No problems. Ever. Never. It just boggles my mind when people dis Vista. What's the problem? I don't see it. I am convinced that the problem is not with Vista but with the people using Vista. Oh yeah, at the office we get a never ending stream of users bringing their laptops in because they are "broke" or the users come in to describe problems with their home PC. Most are still on XP but a few are on Vista. The cause of the problem is ALWAYS the user, or their children. It is NEVER the operating system. Never once. When your child scratches the paint on your car, do you then run around saying that Ford sucks? I too am not impressed with the number of patches. But considering the millions of lines of code in the operating system, it's really not bad at all. The good news is that they are fixing it. It would be worse if they didn't. I find it all very interesting to study and hopefully produce better software myself.
by celticbrewer December 10, 2008 8:38 AM PST
Amen, brother. Myself (power user) and my clients (Tech-Stupid) have all used Vista with zero problems. It's the XP machines that give me headaches.
by Dalkorian December 10, 2008 10:45 AM PST
by biffhenerson December 10, 2008 8:00 AM PST
I am convinced that the problem is not with Vista but with the people using Vista.
=================================================
Funny, that's been M$'s position with most of their problems. Their OS isn't insecure, it's their customers going to "questionable websites". Office isn't insecure, it's just their customers opening documents from unknown sources. Fista isn't a disaster, it's just some bad publicity from a few vocal customers who were trying to do things they shouldn't have been doing.

Blaming the customer glosses over the real problem - their software is trash. Always was and always will be. If they were in any other industry they would be out of business decades ago for their flawed products.
by the_hacker_1 December 18, 2008 8:26 AM PST
Critical bugs found by people like Carsten Eiram, Mark Dowd or Michal Bucko; you can find more here:
http://www.microsoft.com/technet/security/Bulletin/MS08-070.mspx