News Blog

April 8, 2008 11:16 AM PDT

Microsoft issues five critical security patches

by Dawn Kawamoto

Microsoft on Tuesday issued five "critical" security patches designed to address vulnerabilities in Windows, Microsoft Office, and Internet Explorer.

The five critical patches were among the security bulletins Microsoft released for the month; together, the bulletins covered 10 vulnerabilities.

One of the five critical patches is designed to resolve a flaw in Microsoft Office Project, which could allow attackers to take complete control of users' systems if they open a malicious Office Project file.

A second critical patch is designed to tackle GDI (Graphics Device Interface) vulnerabilities in Windows that could allow attackers to remotely execute malicious code if users open malicious EMF or WMF image files. Two years ago, Microsoft faced similar vulnerabilities, forcing the software giant to rush out a fix outside of its monthly patch cycle, noted Dave Marcus, security research and communications manager at McAfee Avert Labs.
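The bulletin text above does not say what is malformed in the crafted EMF and WMF files, so the following added example (not code from the CNET post, from McAfee or from Microsoft) does the structural validation a mail gateway or triage script would apply to any metafile before GDI sees it: it parses the WMF METAHEADER and the EMF ENHMETAHEADER, walks the record chain, flags declared sizes that exceed the file and records that overrun it, and reports the SETABORTPROC escape record behind the 2006 out-of-band WMF fix that Marcus refers to. The sample files are constructed inline; the heuristics are the checker's own, not Microsoft's.

```python
"""Structural sanity checks for WMF and EMF metafiles.

Added example, not code from the CNET post, McAfee or Microsoft. It parses
the metafile headers and walks the record chain, flagging the malformations
a triage script would want to catch before GDI sees the file. The sample
files below are constructed inline.
"""
import struct

WMF_PLACEABLE_MAGIC = 0x9AC6CDD7   # 22-byte Aldus placeable header, if present
EMF_SIGNATURE = 0x464D4520         # ' EMF' at offset 40 of ENHMETAHEADER
META_ESCAPE = 0x0626               # WMF escape record function
ESC_SETABORTPROC = 0x0009          # escape subfunction behind the 2006 out-of-band fix
EMR_HEADER, EMR_EOF = 1, 14


def check_wmf(data):
    """Return a list of findings for a WMF file (empty list = structurally consistent)."""
    findings = []
    placeable = len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_MAGIC
    off = 22 if placeable else 0
    if len(data) < off + 18:
        return ["truncated METAHEADER"]
    mt_type, hdr_words, _ver, size_words, _objs, _max_rec, _ = struct.unpack_from("<HHHIHIH", data, off)
    if mt_type not in (1, 2):
        findings.append(f"unexpected mtType {mt_type}")
    if hdr_words != 9:
        findings.append(f"mtHeaderSize {hdr_words} != 9")
    if size_words * 2 > len(data) - off:
        findings.append(f"mtSize declares {size_words * 2} bytes, file holds {len(data) - off}")
    pos, end = off + 18, len(data)
    while pos + 6 <= end:                      # each record: DWORD size in words, WORD function
        rec_words, func = struct.unpack_from("<IH", data, pos)
        if rec_words < 3:
            findings.append(f"record at {pos} shorter than its own header")
            break
        if pos + rec_words * 2 > end:
            findings.append(f"record 0x{func:04x} at {pos} overruns the file")
            break
        if func == META_ESCAPE and rec_words >= 4 and \
                struct.unpack_from("<H", data, pos + 6)[0] == ESC_SETABORTPROC:
            findings.append(f"SETABORTPROC escape at {pos}")
        if func == 0:                          # EOF record
            break
        pos += rec_words * 2
    else:
        findings.append("no EOF record")
    return findings


def check_emf(data):
    """Return a list of findings for an EMF file (empty list = structurally consistent)."""
    findings = []
    if len(data) < 88:
        return ["truncated ENHMETAHEADER"]
    itype, hdr_size = struct.unpack_from("<II", data, 0)
    sig, _ver, n_bytes, n_records = struct.unpack_from("<IIII", data, 40)
    if itype != EMR_HEADER or sig != EMF_SIGNATURE:
        findings.append("first record is not EMR_HEADER with the ' EMF' signature")
    if hdr_size < 88 or hdr_size % 4 or hdr_size > len(data):
        findings.append(f"bad header size {hdr_size}")
    if n_bytes != len(data):
        findings.append(f"nBytes {n_bytes} != file length {len(data)}")
    pos, end, walked = hdr_size, len(data), 1
    while pos + 8 <= end:                      # each record: DWORD type, DWORD size in bytes
        rtype, rsize = struct.unpack_from("<II", data, pos)
        if rsize < 8 or rsize % 4:
            findings.append(f"record {rtype} at {pos} has impossible size {rsize}")
            break
        if pos + rsize > end:
            findings.append(f"record {rtype} at {pos} overruns the file")
            break
        walked += 1
        if rtype == EMR_EOF:
            break
        pos += rsize
    else:
        findings.append("no EMR_EOF record")
    if walked != n_records:
        findings.append(f"nRecords {n_records} != {walked} records walked")
    return findings


def scan_metafile(data):
    """Pick the parser from the header and return (kind, findings)."""
    if len(data) >= 44 and struct.unpack_from("<I", data, 40)[0] == EMF_SIGNATURE:
        return "emf", check_emf(data)
    return "wmf", check_wmf(data)


# Builders for the constructed samples (minimal clean file and a malformed one of each kind).
def wmf_record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_wmf(records, declared_words=None):
    body = b"".join(records)
    words = (18 + len(body)) // 2 if declared_words is None else declared_words
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, words, 0, max(len(r) // 2 for r in records), 0) + body

def emf_record(rtype, payload=b""):
    return struct.pack("<II", rtype, 8 + len(payload)) + payload

def build_emf(records, declared_bytes=None):
    body = b"".join(records)
    n_bytes = 88 + len(body) if declared_bytes is None else declared_bytes
    hdr = (struct.pack("<II", EMR_HEADER, 88) + bytes(32)                   # bounds and frame rects
           + struct.pack("<IIIIHHIII", EMF_SIGNATURE, 0x10000, n_bytes, 1 + len(records), 1, 0, 0, 0, 0)
           + bytes(16))                                                      # device and mm sizes
    return hdr + body

WMF_EOF = wmf_record(0x0000)
BENIGN_WMF = build_wmf([WMF_EOF])
EVIL_WMF = build_wmf([wmf_record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\x90" * 4),
                      WMF_EOF], declared_words=0x7FFFFFFF)
EMF_EOF = emf_record(EMR_EOF, struct.pack("<III", 0, 16, 20))
BENIGN_EMF = build_emf([EMF_EOF])
EVIL_EMF = build_emf([struct.pack("<II", 3, 0x10000), EMF_EOF], declared_bytes=0x7FFFFFFF)

if __name__ == "__main__":
    for name, blob in [("benign.wmf", BENIGN_WMF), ("evil.wmf", EVIL_WMF),
                       ("benign.emf", BENIGN_EMF), ("evil.emf", EVIL_EMF)]:
        print(name, *scan_metafile(blob))
```

Run it directly to print the findings for the four samples; a real file goes through `scan_metafile(open(path, "rb").read())`. An empty finding list only means the file is structurally consistent. It says nothing about the particular GDI code path the crafted files in this bulletin hit, so treat the checker as a triage filter, not a substitute for the patch.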

This GDI flaw, along with two Internet Explorer-related vulnerabilities, is at the top of the must-fix list, Marcus said.

One of the security bulletins is a cumulative patch for IE, and the other is a cumulative update of ActiveX kill bits. Both flaws affect users who visit malicious Web sites with IE and could allow an attacker to execute code remotely on the visitor's system.

"We live in a Web 2.0 world," Marcus said. "It's getting more and more popular to send people e-mails with link spam...It's becoming an effective way to compromise people's machines."

Microsoft also issued a critical Windows patch for vulnerabilities in its VBScript and JScript Scripting engines, which could provide attackers with access to users' systems and allow them to install programs, as well as view and change data.

March 11, 2008 11:02 AM PDT

Microsoft fixes a dozen Office flaws in four patches; all are critical

by Robert Vamosi

Microsoft today released its March 2008 security bulletin, which includes four bulletins, all deemed critical by Microsoft.

The most serious of these affects Microsoft Excel, which alone accounts for seven "Common Vulnerabilities and Exposures" (CVE) identifiers, one of which has been exploited in the wild. The next most serious affects Microsoft Outlook: a vulnerability in how the software parses "mailto" URIs could lead to remote code execution. A third bulletin affects how various Microsoft Office apps open maliciously crafted files. The final bulletin concerns how Office interfaces with the Web and includes one vulnerability that has been known but unpatched since September 2006. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-014: Critical

Entitled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)," this bulletin is critical for users of Microsoft Excel 2000 Service Pack 3, and important for users of Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel 2007, Microsoft Office Excel Viewer 2003, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. Not affected are Microsoft Works 8, 8.5, and 9, or Works suite 2005 and Works suite 2006. The update addresses vulnerabilities detailed in CVE-2008-0111, CVE-2008-0112, CVE-2008-0114, CVE-2008-0115, CVE-2008-0116, CVE-2008-0117, and CVE-2008-0081. Microsoft says, "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-015: Critical

Entitled "Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031)," this bulletin affects users of Microsoft Outlook 2000 Service Pack 3, Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 2, Outlook 2003 Service Pack 3, and Outlook 2007. Not affected are users of Outlook 2007 Service Pack 1. The update addresses the vulnerability detailed in CVE-2008-0110. Microsoft says this vulnerability "could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane."

MS08-016: Critical

Entitled "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 Service Pack 3, and Microsoft Office 2004 for Mac. Not affected are users of Microsoft Office 2003 Service Pack 3, Microsoft PowerPoint Viewer 2003, Microsoft Visio 2002 Service Pack 2, Microsoft Visio 2003 Viewer, Microsoft Word Viewer 2003, Microsoft Project 2000 Service Pack 1, Microsoft Project 2002 Service Pack 2, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, and Microsoft Office 2008 for Mac. The update addresses the vulnerabilities detailed in CVE-2008-0113 and CVE-2008-0118. Microsoft says, "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS08-017: Critical

Entitled "Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003 Service Pack 1, Microsoft BizTalk Server 2000, Microsoft BizTalk Server 2002, Microsoft Commerce Server 2000, and Internet Security and Acceleration Server 2000 Service Pack 2. Not affected are users of Microsoft Works 8, Microsoft Works 9, Microsoft Works Suite 2005, Microsoft Works Suite 2006, Microsoft Office 2003 Service Pack 2, Microsoft Office 2003 Service Pack 3, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, Microsoft BizTalk Server 2004, Microsoft BizTalk Server 2006, Microsoft Commerce Server 2000 Service Pack 1, Microsoft Commerce Server 2000 Service Pack 2, Microsoft Commerce Server 2000 Service Pack 3, Microsoft Commerce Server 2002, Microsoft Commerce Server 2007, Internet Security and Acceleration Server 2004, and Internet Security and Acceleration Server 2006. This update addresses the vulnerabilities detailed in CVE-2006-4695 and CVE-2007-1201. Microsoft says, "these vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Originally posted at Defense in Depth
January 8, 2008 10:32 AM PST

Microsoft fixes three flaws with two patches; one is critical

by Robert Vamosi

Microsoft on Tuesday released its January 2008 security bulletin, which includes only two updates: One is designated as "critical" by the software giant and the second one is deemed "important". Both concern the Windows operating system. There are no Microsoft Office updates this month. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-001: Critical

Titled "Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)", this bulletin affects users of Microsoft Windows 2000, XP SP2, Server 2003, and Vista, and addresses the vulnerabilities detailed in CVE-2007-0069 and CVE-2007-0066. The flaws lie in Transmission Control Protocol/Internet Protocol (TCP/IP) processing, and the patch modifies the way the Windows kernel processes TCP/IP structures that contain multicast and ICMP requests. Microsoft says "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-002: Important

Titled "Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485)", this bulletin affects users of Microsoft Windows 2000, XP SP2, Server 2003, but not Windows Vista. The update addresses the vulnerability detailed in CVE-2007-5352. If exploited, a vulnerability within Microsoft Windows Local Security Authority Subsystem Service (LSASS) could allow an attacker to elevate privileges, take complete control of an affected system, then install programs; view, change, or delete data; or create new accounts with full user rights.

Originally posted at Defense in Depth
December 11, 2007 10:47 AM PST

Microsoft fixes 11 flaws in 7 patches; 5 affect Windows Vista

by Robert Vamosi

Microsoft on Tuesday released its December 2007 security bulletin, which includes seven updates: three are designated as critical by the software giant and four are deemed important.

On the Windows side is a cumulative update for Internet Explorer, plus patches for the Windows Kernel, DirectX, Macrovision Driver, and the Windows Media File format--the latter three suggest concern that criminal hackers are targeting media files for exploitation. There are no Microsoft Office updates this month. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-063: Important
Entitled "Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)," this bulletin affects users of Microsoft Windows Vista and does not affect users of Windows 2000 or Windows XP SP2, and addresses the vulnerability detailed in CVE-2007-5351. A vulnerability exists in the way data is transferred via SMBv2, which could allow remote code execution in domain configurations communicating with SMBv2.

MS07-064: Critical
Entitled "Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)," this bulletin affects users of DirectX versions 7.0 through 10.0 included within Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The update addresses two vulnerabilities detailed in CVE-2007-3901 and CVE-2007-3895 that could allow code execution if a user opened a specially crafted file used for streaming media in DirectX. Successful exploitation could allow remote code execution.

MS07-065: Critical
Entitled "Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)," this bulletin affects users of Windows 2000 Server, Windows 2000 Professional, and Windows XP SP2, and does not affect users of Windows XP Professional x64, Windows Server 2003, or Windows Vista. The update addresses the vulnerability detailed in CVE-2007-3039. A vulnerability in the Message Queuing Service (MSMQ) could allow remote code execution on Microsoft Windows 2000 Server, or elevation of privilege on Microsoft Windows 2000 Professional and Windows XP.

MS07-066: Important
Entitled "Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078)," this bulletin affects users of Windows Vista, and does not affect users of Windows 2000, Windows Server 2003, or Windows XP. The update addresses the Windows kernel vulnerability detailed in CVE-2007-5350. Successful exploitation could allow an attacker to take complete control of an affected system.

MS07-067: Important
Entitled "Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653)," this bulletin affects users of Windows XP SP2 and Windows Server 2003, and does not affect users of Windows 2000 or Windows Vista. The update addresses a vulnerability in the way the Macrovision driver handles configuration parameters, detailed in CVE-2007-5587. Successful exploitation could allow elevation of privilege and give an attacker complete control of the system.

MS07-068: Critical
Entitled "Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)," this bulletin affects users of Windows Media Format Runtime 7.1, 9, 9.5, and 11, and Windows Media Services 9.1 running on Microsoft Windows 2000, Windows XP SP2, Windows Server 2003, and Windows Vista. This update addresses the Windows Media File Format vulnerability detailed in CVE-2007-0064. Successful exploitation could allow remote code execution if a user viewed a specially crafted file in Windows Media Format Runtime.

MS07-069: Critical
Entitled "Cumulative Security Update for Internet Explorer (942615)," this bulletin affects users of Internet Explorer 5.01, 6, and 7, running on Windows 2000, Windows Server 2003, Windows XP SP2, and Windows Vista. The update addresses the four privately reported vulnerabilities detailed in CVE-2007-3902, CVE-2007-3903, CVE-2007-5344, and CVE-2007-5347. Successful exploitation could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.

December 6, 2007 1:42 PM PST

Microsoft to have seven patches next Tuesday

by Robert Vamosi

On Thursday, Microsoft announced that it will have seven patches available on Patch Tuesday, December 11. Three of these will be ranked by Microsoft as critical. One critical patch concerns DirectX versions 7.0 through 10.0. Another affects Microsoft Media Format. The third appears to be a cumulative update for Internet Explorer.

The important patches include two for Windows Vista, one for Windows 2000 and Windows XP, and one for Windows XP and Windows Server 2003.

November 13, 2007 10:33 AM PST

Microsoft fixes two flaws in two patches; one is critical

by Robert Vamosi

Microsoft today released its November 2007 security bulletin, which includes only two updates. One is designated as Critical by the software giant and affects how Windows XP and Windows Server 2003 handle Windows URIs. The other is deemed Important and affects the DNS server in Windows 2000 Server and Windows Server 2003, which could be made to accept spoofed responses. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-061: Critical

Entitled "Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)," this bulletin affects users of Windows XP SP2 and Windows XP Professional x64 Edition, and of Windows Server 2003 (including the x64 and Itanium-based editions), and does not affect Windows 2000 or Windows Vista. This patch addresses the vulnerability detailed in CVE-2007-3896. Microsoft says "a remote code execution vulnerability exists in the way that the Windows shell handles specially crafted URIs that are passed to it. If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code. Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7. However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003." Successful exploitation could allow remote code execution.
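Both this bulletin and the Outlook mailto bulletin above (MS08-015) concern a URI that the browser hands to a registered protocol handler, and the classic failure there is textual: the URI is pasted into the handler's registered command line, so a quote character in the URI ends the argument and everything after it becomes extra arguments to the target program. The Python below is an added example, not code from the CNET posts or from Microsoft. It emulates the Windows command-line splitting rules (CommandLineToArgvW) so the injection is visible on any platform, and puts the substitution-based dispatch beside a hardened one that allowlists the scheme, enforces the URI character set before and after percent-decoding, and quotes each argument with the inverse of the splitting rules. The handler template and the OUTLOOK.EXE path are assumptions, not the real registry value, and the URIs are constructed.

```python
"""Protocol-handler dispatch: argument injection through a URI, and a hardened form.

Added example, not code from the CNET posts or from Microsoft. The handler
template and the OUTLOOK.EXE path are assumptions standing in for a
HKCR\\<scheme>\\shell\\open\\command value; the sample URIs are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

OUTLOOK_EXE = r"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"  # assumed path
MAILTO_TEMPLATE = f'"{OUTLOOK_EXE}" -c IPM.Note /m "%1"'                  # assumed registration
ALLOWED_SCHEMES = {"mailto"}
# RFC 3986 unreserved + reserved + '%': anything else appearing raw in a URI is a red flag.
URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def split_windows_cmdline(cmdline):
    """Emulate CommandLineToArgvW: quotes group, backslashes escape only before a quote."""
    args, cur, have, in_quotes, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n, i = n + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))      # 2n backslashes + quote -> n backslashes
                if n % 2:
                    cur.append('"')               # odd run: the quote is literal
                else:
                    in_quotes = not in_quotes     # even run: the quote delimits
                i += 1
            else:
                cur.append("\\" * n)              # backslashes not before a quote are literal
            have = True
            continue
        if c == '"':
            in_quotes, have = not in_quotes, True
        elif c in " \t" and not in_quotes:
            if have:
                args.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(c)
            have = True
        i += 1
    if have:
        args.append("".join(cur))
    return args


def quote_windows_arg(arg):
    """Inverse of the rules above, so the receiver sees exactly one argument."""
    if arg and not re.search(r'[\s"]', arg):
        return arg
    out, backslashes = ['"'], 0
    for c in arg:
        if c == "\\":
            backslashes += 1
        elif c == '"':
            out.append("\\" * (2 * backslashes + 1) + '"')
            backslashes = 0
        else:
            out.append("\\" * backslashes + c)
            backslashes = 0
    out.append("\\" * (2 * backslashes) + '"')
    return "".join(out)


def vulnerable_launch(uri):
    """The shape of the bug: raw substitution of the URI into the registered command line."""
    return split_windows_cmdline(MAILTO_TEMPLATE.replace("%1", uri))


def hardened_launch(uri):
    """Validate the URI, then build argv and quote it; returns (argv, command line)."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if not URI_CHARS.match(uri):
        raise ValueError("character outside the URI grammar")
    if re.search(r"[\x00-\x1f\x7f]", unquote(uri)):
        raise ValueError("control character after percent-decoding")
    argv = [OUTLOOK_EXE, "-c", "IPM.Note", "/m", uri]
    return argv, " ".join(quote_windows_arg(a) for a in argv)


def is_rejected(uri):
    """True when hardened_launch refuses the URI."""
    try:
        hardened_launch(uri)
    except ValueError:
        return True
    return False


INJECTED_URI = 'mailto:victim@example.test" /badflag "x'          # constructed
BENIGN_URI = "mailto:alice@example.test?subject=hi%20there"      # constructed

if __name__ == "__main__":
    print("vulnerable argv:", vulnerable_launch(INJECTED_URI))   # '/badflag' shows up as argv[5]
    print("hardened cmdline:", hardened_launch(BENIGN_URI)[1])
    print("hardened rejects injected URI:", is_rejected(INJECTED_URI))
```

The vulnerable path turns the single mailto argument into three (the address, `/badflag`, and `x`) without the target ever seeing anything odd, which is why validating in the shell rather than in each handler was the right fix. The hardened path rejects the raw quote and space outright; even a URI that passes validation is then quoted so that the splitting rules reproduce exactly one argument.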

MS07-062: Important

Entitled "Vulnerability in DNS Could Allow Spoofing (941672)," this bulletin affects users of Windows 2000 Server and Windows Server 2003 only and addresses the vulnerability detailed in CVE-2007-3898. According to Microsoft, a "spoofing vulnerability exists in Windows DNS Servers and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations." Successful exploitation could allow an attacker to redirect traffic intended for a legitimate location.

October 9, 2007 10:50 AM PDT

Microsoft fixes 9 flaws in 6 patches; 4 are critical

by Robert Vamosi

Microsoft today released its October 2007 security bulletin, which includes six updates: four are designated as Critical by the software giant; two are deemed Important, and one previously announced patch was dropped. On the Windows side there is a cumulative update for Internet Explorer, a patch for Outlook/Windows Mail, and one for an RPC vulnerability. On the Microsoft Office side, there is a patch for SharePoint Server and one critical patch for Microsoft Office Word, including Microsoft Office 2004 for Mac. And one patch for the Kodak Image Viewer. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-055: Critical

Entitled "Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution (923810)," this bulletin affects users of Microsoft Windows 2000, Windows XP SP2, and Windows Server 2003 (including the x64 and Itanium-based editions), and addresses the vulnerability detailed in CVE-2007-2217. A vulnerability exists in the way that the Kodak Image Viewer, formerly known as Wang Image Viewer, handles specially crafted image files. Successful exploitation could allow remote code execution.

MS07-056: Critical

Entitled "Security Update for Outlook Express and Windows Mail (941202)," this bulletin affects users of Outlook Express 5.5, 6, and Windows Mail running on Windows 2000, Windows XP, and Windows Server 2003, and Windows Vista, and addresses the vulnerability detailed in CVE-2007-3897. Successful exploitation due to an incorrectly handled malformed NNTP response could allow remote code execution.

MS07-057: Critical

Entitled "Cumulative Security Update for Internet Explorer (939653)," this bulletin affects users of Internet Explorer 5.01, 6, and 7 running on Windows 2000, Windows XP, Windows Server 2003, and Windows Vista, and addresses the four vulnerabilities detailed in CVE-2007-3892, CVE-2007-3893, CVE-2007-1091 and CVE-2007-3826. Successful exploitation could allow remote code execution.

MS07-058: Important

Entitled "Vulnerability in RPC Could Allow Denial of Service (933729)," this bulletin affects users of Windows 2000, Windows Server 2003, Windows XP, and Windows Vista, and addresses the vulnerability detailed in CVE-2007-2228. Successful exploitation could cause a denial of service.

MS07-059: Important

Entitled "Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site (942017)," this bulletin affects users of Microsoft Windows Server 2003 SP1 running SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007, and addresses the vulnerability detailed in CVE-2007-2581. Successful exploitation could allow an attacker to run arbitrary script to modify a user's cache, resulting in information disclosure at the workstation.

MS07-060: Critical

Entitled "Vulnerability in Microsoft Word Could Allow Remote Code Execution (942695)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, and Microsoft Office 2004 for Mac, and does not affect Microsoft Office 2003 Service Pack 2 and 3 or the 2007 Microsoft Office system, and addresses the vulnerability detailed in CVE-2007-3899. Successful exploitation, if a user opens a specially crafted Word file containing a malformed string, could allow remote code execution.

October 4, 2007 12:18 PM PDT

Microsoft to issue seven patches on Tuesday

by Robert Vamosi

As part of this month's Patch Tuesday, coming next week, Microsoft plans to release seven patches, four rated "critical" and three "important." Affected software includes Windows (Windows 2000, XP, and Vista), Office (Word and SharePoint Server), Internet Explorer, Outlook Express and Windows Mail. One patch affects Microsoft Office 2004 for the Mac.

September 11, 2007 11:58 AM PDT

Microsoft fixes four flaws; one is critical

by Robert Vamosi

Microsoft on Tuesday released its September 2007 security bulletin, which includes four updates: One is designated as "critical" by the software giant; three are deemed "important," and one previously announced patch was dropped. Microsoft decided at the last minute not to patch SharePoint Server in this month's release. The most serious patch affects Microsoft Agent in Windows 2000. Of the important patches, one affects Windows Services for UNIX, one affects Visual Studio and one affects both MSN Messenger and Windows Live Messenger.

All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-051: Critical

Titled "Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827)," this bulletin affects only users of Windows 2000 SP4, does not affect users of Windows XP or Windows Vista, and addresses the vulnerability detailed in CVE-2007-3040. Successful exploitation could lead to remote code execution.

MS07-052: Important

Titled "Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution (941522)" this bulletin affects users of Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003, Visual Studio .NET 2003 Service Pack 1, Visual Studio 2005, and Visual Studio 2005 Service Pack 1 and addresses the vulnerability detailed in CVE-2007-6133. Successful exploitation could lead to remote code execution.

MS07-053: Important

Titled "Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege (939778)" this bulletin affects users of Windows Services for UNIX in Windows 2000, Windows XP and Windows Server 2003, and the Subsystem for UNIX-based Applications in Windows Server 2003 and Windows Vista, and addresses the vulnerability detailed in CVE-2007-3036. Successful exploitation could allow an attacker to gain an elevation of privilege.

MS07-054: Important

Titled "Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution (942099)" this bulletin affects users of Windows 2000, Windows Server 2003, Windows XP and Windows Vista running MSN Messenger 6.2, MSN Messenger 7.0, MSN Messenger 7.5, and Windows Live Messenger 8.0, but it does not affect Windows Live Messenger 8.1, and addresses the vulnerability detailed in CVE-2007-2931. Successful exploitation could lead to remote code execution.

August 20, 2007 11:02 AM PDT

Skype outage linked to 'massive restart'

by Robert Vamosi

Last week, the Skype VoIP service went down for two days, affecting customers worldwide. On Monday, Villu Arak, writing on the Skype blog Heartbeat, attributed the outage to "a previously unseen software bug within the network resource allocation algorithm which prevented the self-healing function from working quickly."

But the root cause? "The disruption," he said, "was triggered by a massive restart of our users' computers across the globe within a very short time frame as they rebooted after receiving a routine set of patches through Windows Update." On the Tuesday before the outage, Microsoft had pushed out nine patches, six of which were deemed critical.

Skype works by distributing the process of making calls over the Internet among its many users. This peer-to-peer architecture allows the international voice over Internet Protocol (VoIP) service to be offered for free between users, and to landlines for low prices. However, shortly after the latest round of updates from Microsoft last week, the network experienced a high number of system restarts, draining Skype's resources. After the system restart, users must then log back into the service and that, combined with fewer global resources, produced the outage, according to Arak. He said the software bug has been identified and improvements are being pushed out to the network.

Arak also ruled out any nefarious action by others. The outage coincided with the online release of denial-of-service exploit code for Skype by a group at Securitylab.ru, but Arak denied any connection. "We can confirm categorically that no malicious activities were attributed or that our users' security was not, at any point, at risk."
