News Blog

April 8, 2008 11:16 AM PDT

Microsoft issues five critical security patches

by Dawn Kawamoto

Microsoft on Tuesday issued five "critical" security patches designed to address vulnerabilities in Windows, Microsoft Office, and Internet Explorer.

The five critical patches were included among . The bulletins covered a total of 10 vulnerabilities.

One of the five critical patches is designed to resolve a flaw in Microsoft Office Project, which could allow attackers to take complete control of users' systems if they open a malicious Office Project file.

A second critical patch is designed to tackle GDI (Graphics Device Interface) vulnerabilities in Windows that could allow attackers to remotely execute malicious code if users open malicious EMF or WMF image files. Two years ago, Microsoft faced similar vulnerabilities, forcing the software giant to rush out a fix outside of its monthly patch cycle, noted Dave Marcus, security research and communications manager at McAfee Avert Labs.

This security flaw, along with two Internet Explorer-related vulnerabilities, is at the top of the must-fix list, Marcus said.

One of the security bulletins is a cumulative patch for IE, and the other is designed to resolve vulnerabilities in ActiveX Kill Bits. Both flaws affect users who visit malicious Web sites with IE, which in turn allows attackers to execute code remotely on those users' systems.

"We live in a Web 2.0 world," Marcus said. "It's getting more and more popular to send people e-mails with link spam...It's becoming an effective way to compromise people's machines."

Microsoft also issued a critical Windows patch for vulnerabilities in its VBScript and JScript Scripting engines, which could provide attackers with access to users' systems and allow them to install programs, as well as view and change data.

March 11, 2008 11:02 AM PDT

Microsoft fixes a dozen Office flaws in four patches; all are critical

by Robert Vamosi

Microsoft today released its March 2008 security bulletin, which includes four bulletins, all deemed critical by Microsoft.

The most serious of these affects Microsoft Excel, which alone has six specific "Common Vulnerabilities and Exposures" vulnerabilities noted, one of which has been exploited in the wild. The next most serious affects Microsoft Outlook. In that one, a vulnerability in how the software parses "mailto" URIs could lead to remote code execution. A third bulletin affects how various Microsoft Office apps open maliciously crafted files. The final bulletin concerns how Office interfaces with the Web and includes one vulnerability that has been known but unpatched since September 2006. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-014: Critical

Entitled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)," this bulletin is critical for users of Microsoft Excel 2000 Service Pack 3, and important for users of Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel 2007, Microsoft Office Excel Viewer 2003, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. Not affected are Microsoft Works 8, 8.5, and 9, or Works suite 2005 and Works suite 2006. The update addresses vulnerabilities detailed in CVE-2008-0111, CVE-2008-0112, CVE-2008-0114, CVE-2008-0115, CVE-2008-0116, CVE-2008-0117, and CVE-2008-0081. Microsoft says, "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system and could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-015: Critical

Entitled "Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031)," this bulletin affects users of Microsoft Outlook 2000 Service Pack 3, Outlook 2002 Service Pack 3, Outlook 2003 Service Pack 2, Outlook 2003 Service Pack 3, and Outlook 2007. Not affected are users of Outlook 2007 Service Pack 1. The update addresses the vulnerability detailed in CVE-2008-0110. Microsoft says this vulnerability "could allow remote code execution if Outlook is passed a specially crafted mailto URI. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This vulnerability is not exploitable by simply viewing an e-mail through the Outlook preview pane."

MS08-016: Critical

Entitled "Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 Service Pack 3, and Microsoft Office 2004 for Mac. Not affected are users of Microsoft Office 2003 Service Pack 3, Microsoft PowerPoint Viewer 2003, Microsoft Visio 2002 Service Pack 2, Microsoft Visio 2003 Viewer, Microsoft Word Viewer 2003, Microsoft Project 2000 Service Pack 1, Microsoft Project 2002 Service Pack 2, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, and Microsoft Office 2008 for Mac. The update addresses the vulnerabilities detailed in CVE-2008-0113 and CVE-2008-0118. Microsoft says, "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS08-017: Critical

Entitled "Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (933103)," this bulletin affects users of Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, Visual Studio .NET 2003 Service Pack 1, Microsoft BizTalk Server 2000, Microsoft BizTalk Server 2002, Microsoft Commerce Server 2000, and Internet Security and Acceleration Server 2000 Service Pack 2. Not affected are users of Microsoft Works 8, Microsoft Works 9, Microsoft Works Suite 2005, Microsoft Works Suite 2006, Microsoft Office 2003 Service Pack 2, Microsoft Office 2003 Service Pack 3, 2007 Microsoft Office System, 2007 Microsoft Office System Service Pack 1, Microsoft BizTalk Server 2004, Microsoft BizTalk Server 2006, Microsoft Commerce Server 2000 Service Pack 1, Microsoft Commerce Server 2000 Service Pack 2, Microsoft Commerce Server 2000 Service Pack 3, Microsoft Commerce Server 2002, Microsoft Commerce Server 2007, Internet Security and Acceleration Server 2004, and Internet Security and Acceleration Server 2006. This update addresses the vulnerabilities detailed in CVE-2006-4695 and CVE-2007-1201. Microsoft says, "these vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Originally posted at Defense in Depth
January 22, 2008 10:53 AM PST

Apple closes security gaps for QuickTime, iPhone, iPod Touch

by Elsa Wenzel

Apple released the first patches for 2008 to the QuickTime media player as well as the iPhone and iPod Touch on January 15.

The updates to QuickTime 7.4 for Windows and Mac users are designed to prevent a system from being hijacked when malicious movie files are opened.

Apple Downloads lists the updates for Windows XP and Vista as well as Mac OS X 10.3.9 and higher. Mac users also can access the download via Apple's Software Update.

Memory corruption issues in QuickTime's handling of Sorenson 3 video, Macintosh Resource Records, and Image Descriptor atoms are to blame for three of four noted security holes. The fix also closes a gap left when QuickTime processes compressed PICT graphics.

However, the updates do not address a vulnerability in QuickTime's streaming media protocol, publicized by Italian researcher Luigi Auriemma earlier this month.

The last fix to QuickTime was made December 13.

Apple's iPhone and iPod Touch updates are designed to bolster Passcode Lock and prevent unauthorized users from launching applications, as well as to keep owners from inadvertently leaking sensitive data via phishing Web sites accessed through Safari.

The version 1.1.3 fixes are available for download only through updates to iTunes, which should prompt users to accept the changes. Docking an iPhone or iPod Touch will also trigger the updates to be made.

January 14, 2008 7:15 AM PST

Survey: Two-thirds of users don't deploy Oracle quarterly critical patches

by Dawn Kawamoto

If you build it, will they come?

Apparently not when it comes to Oracle's quarterly Critical Patch Updates (CPUs).

Database security firm Sentrigo released some surprising numbers Monday, culled from a survey of 305 database administrators, consultants, and developers in attendance at Oracle Users Group meetings last year.

The survey found that a staggering two-thirds of respondents had never applied an Oracle quarterly CPU. Not one, nada, a big fat zero.

And of the remaining 33 percent of survey respondents who did, only 10 percent noted they had gotten around to applying Oracle's most recent CPU, or the one before that.

"When it comes to installing the CPUs, it involves testing the applications that are running on the database. A single database may run three or four applications, or thousands of them. It takes a lot of time, and fixing a bug here, or there, in the database can affect the application," said Slavik Markovich, Sentrigo's chief technology officer.

Hopefully, database administrators will step up to the plate and take a swing at this cumbersome task, given Oracle is set to release its next quarterly Critical Patch Update on Tuesday--and we're talking 27 security patches across hundreds of Oracle products.

The upcoming CPU includes eight security patches for Oracle's database and six for its Oracle Application Server. While the database security flaws are believed to be less problematic in that the bad guys can't exploit them without such authentication as username and passwords, the Oracle Application Server security vulnerabilities aren't so lucky. These security flaws could be remotely exploited without authentication.

Despite this work ahead--or not if you're part of the group that never deploys the Oracle CPUs--one thing that you may find heartening is the 27 patches are far less than the 101 security fixes Oracle doled out in October 2006, as part of its Critical Patch Update.

January 8, 2008 10:32 AM PST

Microsoft fixes three flaws with two patches; one is critical

by Robert Vamosi

Microsoft on Tuesday released its January 2008 security bulletin, which includes only two updates: One is designated as "critical" by the software giant and the second one is deemed "important". Both concern the Windows operating system. There are no Microsoft Office updates this month. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-001: Critical

Titled "Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)", this bulletin affects users of Microsoft Windows 2000, XP SP2, Server 2003, and Vista, and addresses the vulnerabilities detailed in CVE-2007-0069 and CVE-2007-0066. A vulnerability exists in Transmission Control Protocol/Internet Protocol (TCP/IP) processing, and the patch modifies the way that the Windows kernel processes TCP/IP structures that contain multicast and ICMP requests. Microsoft says "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-002: Important

Titled "Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485)", this bulletin affects users of Microsoft Windows 2000, XP SP2, Server 2003, but not Windows Vista. The update addresses the vulnerability detailed in CVE-2007-5352. If exploited, a vulnerability within Microsoft Windows Local Security Authority Subsystem Service (LSASS) could allow an attacker to elevate privileges, take complete control of an affected system, then install programs; view, change, or delete data; or create new accounts with full user rights.

Originally posted at Defense in Depth
December 11, 2007 10:47 AM PST

Microsoft fixes 11 flaws in 7 patches; 5 affect Windows Vista

by Robert Vamosi

Microsoft on Tuesday released its December 2007 security bulletin, which includes seven updates: three are designated as critical by the software giant and four are deemed important.

On the Windows side is a cumulative update for Internet Explorer, plus patches for the Windows Kernel, DirectX, Macrovision Driver, and the Windows Media File format--the latter three suggest concern that criminal hackers are targeting media files for exploitation. There are no Microsoft Office updates this month. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-063: Important
Entitled "Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)," this bulletin affects users of Microsoft Windows Vista and does not affect users of Windows 2000 or Windows XP SP2, and addresses the vulnerability detailed in CVE-2007-5351. A vulnerability exists in the way data is transferred via SMBv2, which could allow remote code execution in domain configurations communicating with SMBv2.

MS07-064: Critical
Entitled "Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)," this bulletin affects users of DirectX versions 7.0 through 10.0 included within Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The update addresses two vulnerabilities detailed in CVE-2007-3901 and CVE-2007-3895 that could allow code execution if a user opened a specially crafted file used for streaming media in DirectX. Successful exploitation could allow remote code execution.

MS07-065: Critical
Entitled "Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)," this bulletin affects users of Windows Server 2000, Windows 2000, and Windows XP SP2, and does not affect users of Windows XP Professional x64, Windows Server 2003, or Windows Vista. The update addresses the vulnerability detailed in CVE-2007-3039. A vulnerability in the Message Queuing Service (MSMQ) could allow remote code execution in implementations on Microsoft Windows 2000 Server, or elevation of privilege in implementations on Microsoft Windows 2000 Professional and Windows XP. Successful exploitation could allow remote code execution or elevation of privilege.

MS07-066: Important
Entitled "Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078)," this bulletin affects users of Windows Vista, and does not affect users of Windows 2000, Windows Server 2003, or Windows XP. The update addresses the Windows kernel vulnerability detailed in CVE-2007-5350. Successful exploitation could allow an attacker to take complete control of an affected system.

MS07-067: Important
Entitled "Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653)," this bulletin affects users of Windows XP SP2 and Windows Server 2003, and does not affect users of Windows 2000 or Windows Vista. The update addresses a vulnerability, detailed in CVE-2007-5587, in the way the Macrovision driver incorrectly handles configuration parameters. Successful exploitation could allow elevation of privilege and give an attacker complete control of the system.

MS07-068: Critical
Entitled "Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)," this bulletin affects users of Windows Media Format Runtime 7.1, 9, 9.5, and 11, and Windows Media Services 9.1 running on Microsoft Windows 2000, Windows XP SP2, Windows Server 2003, and Windows Vista. This update addresses the Windows Media File Format vulnerability detailed in CVE-2007-0064. Successful exploitation could allow remote code execution if a user viewed a specially crafted file in Windows Media Format Runtime.

MS07-069: Critical
Entitled "Cumulative Security Update for Internet Explorer (942615)," this bulletin affects users of Internet Explorer 5.1, 6, and 7, running on Windows 2000, Windows Server 2003, Windows XP SP2, and Windows Vista. The update addresses the four privately reported vulnerabilities detailed in CVE-2007-3902, CVE-2007-3903, CVE-2007-5344, and CVE-2007-5347. Successful exploitation could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.

December 6, 2007 1:42 PM PST

Microsoft to have seven patches next Tuesday

by Robert Vamosi

On Thursday, Microsoft announced that it will have seven patches available on Patch Tuesday, December 11. Three of these will be ranked by Microsoft as critical. One critical patch concerns DirectX versions 7.0 through 10.0. Another affects Microsoft Media Format. The third appears to be a cumulative update for Internet Explorer.

The important patches include two for Windows Vista, one for Windows 2000 and Windows XP, and one for Windows XP and Windows Server 2003.

November 13, 2007 10:33 AM PST

Microsoft fixes two flaws in two patches; one is critical

by Robert Vamosi

Microsoft today released its November 2007 security bulletin, which includes only two updates. One is designated as Critical by the software giant and affects how Windows XP and Windows Server 2003 handle Windows URIs. The other bulletin is deemed Important and affects how Windows Server 2000 and Windows Server 2003 handle spoofing attacks. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-061: Critical

Entitled "Vulnerability in Windows URI Handling Could Allow Remote Code Execution (943460)," this bulletin affects users of Microsoft Windows XP SP2 and x64, and Windows Server 2003 x64 and Itanium-based users, and does not affect Windows 2000 or Windows Vista. This patch addresses the vulnerability detailed in CVE-2007-3896. Microsoft says "a remote code execution vulnerability exists in the way that the Windows shell handles specially crafted URIs that are passed to it. If the Windows shell did not sufficiently validate these URIs, an attacker could exploit this vulnerability and execute arbitrary code. Microsoft has only identified ways to exploit this vulnerability on systems using Internet Explorer 7. However, the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003." Successful exploitation could allow remote code execution.

MS07-062: Important

Entitled "Vulnerability in DNS Could Allow Spoofing (941672)," this bulletin affects users of Windows Server 2000 and Windows Server 2003 only and addresses the vulnerability detailed in CVE-2007-3898. According to Microsoft, a "spoofing vulnerability exists in Windows DNS Servers and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations." Successful exploitation could allow an attacker to hijack traffic away from a legitimate location.

November 12, 2007 7:28 AM PST

Microsoft IE patch eliminates extra step

by Candace Lombardi

The "click to activate" step for using certain interactive Web pages with embedded controls will no longer be required when viewing them with Internet Explorer, Microsoft announced Monday.

Microsoft had kept a "click to activate" requirement for interactive Web pages that embedded controls via HTML, in order to avoid patent infringement.

Microsoft has now licensed the technology from Eolas that allows that interaction to happen automatically. Eolas had been engaged in a long-running patent dispute with Microsoft that resulted in a settlement in August.

The result of that agreement is that IE users will no longer be bothered by that extra step. The change will be included in the Internet Explorer Automatic Component Activation Preview patch available from the Microsoft download site in early December. It will then be included for all IE users when the full IE Cumulative Update goes out in April 2008.

The update will not affect the way pages work, nor will developers and designers need to make any adjustment to the way they build their pages, Pete LePage, senior product manager for Microsoft Internet Explorer, said in a statement.

Those who have been using work-arounds using WebOC or MSHTML to bypass the "click to activate" step automatically on their own may have to make some adjustments. More info on that can be found on the IE blog.

October 12, 2007 2:50 PM PDT

Microsoft says Automatic Update not misbehaving

by Ina Fried

Blogs were buzzing this week with reports that Windows users who thought they had automatic updates set to either not install or get permission before installing nonetheless had their machines patched and rebooted.

Friday afternoon, the company posted a response on its Web site saying no changes were made to the automatic update mechanism, nor did any recent updates change AU settings. The company is looking into whether customers might actually have had their settings changed by Microsoft Office or Windows OneCare, two programs that do have mechanisms that will change a computer's automatic update preference settings.

"We have received some logs from customers, and have so far been able to determine that their AU settings were not changed by any changes to the AU client itself and also not changed by any updates installed by AU," program manager Nate Clinton said on Microsoft's Web site. "We are still looking into this to see if another application is making this change during setup with user consent, or if this issue is related to something else. We are continuing the investigation, and as I have more information I will update this post."

The company is asking anyone experiencing an issue to contact its customer support so that it can get more information.

Meanwhile, in a separate posting, Clinton acknowledged that some people are having trouble manually installing updates after moving to the latest version of Windows Update.

The issues Friday follow an earlier outcry over the discovery that the Windows Update utility updates itself regardless of whether automatic updates are turned on.
