Updated at 2:20 p.m. PDT with Adobe update released; at 12:25 p.m. PDT with Microsoft saying this is a record number of vulnerabilities addressed in Patch Tuesday; and at 11:45 a.m. PDT with comment.
Microsoft has released 10 security updates fixing a record number of Patch Tuesday holes, including one for a critical hole in Internet Explorer 8 that was exploited as part of a hacking contest at CanSecWest in March.
The bulletin addresses 31 vulnerabilities. "It's the most since Microsoft started releasing updates on a regular schedule of the second Tuesday of every month in October 2003," a Microsoft spokesman said.
The June security Patch Tuesday bulletin resolves eight vulnerabilities in IE, the more severe of which could allow remote code execution if a user views a specially crafted Web page. The IE8 vulnerability does not affect Windows 7 RC (build 7100), but does affect Windows 7 beta.
The updates also plug two critical holes in implementations of Active Directory on Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode installed on Windows XP Professional and Server 2003, the worse of which could allow an attacker to take control of a system remotely.
The security update fixes three critical vulnerabilities in Windows Print Spooler that could allow remote code execution if an affected server received a specially crafted RPC (remote procedure call) request.
Several vulnerabilities in Office Word and Excel are addressed in the update that could allow an attacker to remotely run code or take control of the machine using a specially crafted Word or Excel file. The update fixes the PowerPoint vulnerability Microsoft warned in April was being exploited in limited, targeted attacks that was fixed in the Windows version last month.
The update includes a patch for an important hole in its IIS Web server product that Microsoft reported in May.
"We didn't see any in-the-wild exploitations of the (IIS WebDav) vulnerability but typically when Microsoft releases those alerts they're doing it because a customer" has alerted them to an exploit, said Steve Manzuik, senior manager of security research at Juniper Networks.
Also fixed is a critical vulnerability in Microsoft Works Converters, important vulnerabilities in RPC and Windows Kernel. And Microsoft fixed a moderate vulnerability in Windows Search that could allow information disclosure if a user performs a search that returns a specially crafted file as the first result, or if the user previews a malicious file from the search results. By default, the Windows Search component is not preinstalled on Windows XP and Server 2003.
Products affected by the updates include Windows 2000, XP, XP Professional edition, Vista, Server 2003, Server 2008; Office 2000, 2003, 2007, and XP; and Microsoft Office 2004 and 2008 for the Mac.
Other affected software includes Office Excel Viewer; Office Word Viewer; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats; Works 8.5 and 9.0; and Office SharePoint Server.
The updates did not include a fix for a vulnerability in Microsoft's DirectX streaming media technology in Windows disclosed late last month that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.
"They probably didn't have time to QA (quality assurance test) it adequately," said Wolfgang Kandek, chief technology officer at Qualys. "It doesn't surprise me because look at how many vulnerabilities they had in this release. It must have been an enormous workload for these teams to fix all of these."
Adobe also issued security updates for Adobe Reader and Acrobat versions 7.x, 8.x, and 9.x for Windows and Macintosh on Tuesday in its first quarterly security update for its popular software for creating and reading PDF files.
The updates, available from Adobe's site, resolve critical vulnerabilities in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions that could cause the application to crash and could potentially allow an attacker to take control of the system.
Updated 12:30 p.m. PDT with ZoneAlarm discount offer and 11:50 a.m. PDT with comment from security vendors.
Microsoft on Tuesday closed security holes in Excel, Windows, and Word that had been exploited in the wild as well as other holes for which exploit code or details exist, all as part of its monthly patch update cycle.
The critical Excel hole could allow an attacker to take complete control of an unpatched system if a user opens a specially crafted Excel file. Security firm Symantec said in February that it had discovered malicious files in the wild in Japan that attempt to exploit the Excel Unspecified Remote Code Execution Vulnerability.
The patch affects Microsoft Office, 2002, 2003, and 2007, as well as Microsoft Office 2004 and 2008 for the Mac, according to the Microsoft bulletin.
Microsoft also released a patch for a critical vulnerability in WordPad and Office that could allow remote code execution if a specially crafted file is opened in WordPad or Microsoft Word. This vulnerability is currently being exploited on the Internet, Microsoft said. It affects Windows 2000, Windows XP, Windows XP Professional, Windows Server 2003, Microsoft Office Word 2000 and Word 2002.
Another patch fixes four critical vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted Web page or if a user connects to an attacker's server via HTTP. Exploit code and attack details have been made public for a couple of the vulnerabilities. Affected software is IE 5, 6, and 7.
A patch for Microsoft DirectShow closes a critical vulnerability that could allow an attacker to take complete control of a system if a user opened a specially crafted MJPEG file. It affects DirectX 8 and DirectX 9.
A fifth patch addresses critical vulnerabilities in Windows HTTP services that could allow an attacker to take complete control of the system and for which exploit tools and code have been made public. Affected are Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003, and Server 2008.
Also fixed are important holes in Windows being exploited in the wild that could allow elevation of privilege if an attacker is allowed to log on to a system and run a specially crafted application. Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003, and Server 2008 are affected.
Other patches address less critical holes in Microsoft Internet Security and Acceleration Server 2004 and 2006 and the medium business edition of Forefront Threat Management Gate, as well as SearchPath. Attack details have been made public for the SearchPath blended threat vulnerability. It affects Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003, and 2008.
In all, Microsoft issued eight patches for about two dozen reported vulnerabilities.
"We were astonished to see how many zero-days are in that release," said Wolfgang Kandek, chief technology officer of Qualys, in reference to exploits that target software with a vulnerability that has not been patched yet.
"Ten of the vulnerabilities have either exploits out in the wild or there is proof-of-concept code available and that's a first, I think, in terms of the number of zero days in a single bulletin," he said. "For the IT guys, that means their window has just shrunk to zero to get these things fixed."
The IE vulnerability is of particular concern, Ben Greenbaum, senior research manager at Symantec Security Response, said in an e-mail statement. It "appears to be the easiest of the bunch to take advantage of by an attacker and also happens to be the one that requires the least amount of involvement by a user to exploit. An attacker can simply lure a victim into viewing a Web page that contains malicious content and that individual's computer can then be taken over."
Missing from the bulletin was a fix for a zero-day hole in PowerPoint that Microsoft warned on April 2 had been targeted by attackers.
In honor of Patch Tuesday, Check Point Software technologies said it was selling a full version of its ZoneAlarm Internet Security Suite for $9.95 instead of $49.95. The sale runs for 24 hours starting at 6 a.m. PDT on Tuesday. Check Point said it will donate half of the proceeds to non-profit TechSoup Global.
A correction was made to this story. See below for details.
Microsoft on Thursday said next week's Patch Tuesday would include eight patches, five of them critical, including one addressing a vulnerability in Excel.
A company representative declined to confirm whether the patch for its spreadsheet software addresses a vulnerability that has seen "zero-day attacks" which target unpatched security holes. But given the fact that both that Excel vulnerability and the Excel patch slated for Tuesday affect Microsoft Office 2000, 2002, 2003, and 2007, as well as Microsoft Office 2004 and 2008 for the Mac, it could be the same weakness.
Security firm Symantec said in February that it had discovered malicious files in the wild in Japan that attempt to exploit the Excel Unspecified Remote Code Execution Vulnerability. The attack requires a computer user to open an attachment sent via e-mail that has a maliciously crafted Excel document.
Also on Tuesday, Microsoft will provide updates addressing critical remote code execution vulnerability in Internet Explorer, Windows, and Office, and less severe vulnerabilities in Windows and Microsoft's Forefront Edge Security.
Affected software includes IE 7, Windows 2000, Windows XP, Windows Vista, Server 2003, and Server 2008, according to Microsoft's advance-notification bulletin, released on the Thursday before every Patch Tuesday, which is the second Tuesday of the month.
Correction: This story initially gave the wrong day of Microsoft's announcement. It was made Thursday, April 9.
Attackers are attempting to exploit an unpatched security hole in Excel that could allow someone to take control of a compromised computer, Microsoft said in a security advisory on Tuesday.
The attack exploiting the Excel Unspecified Remote Code Execution Vulnerability requires a computer user to open an attachment sent via e-mail that has a maliciously crafted Excel document, according to the advisory.
Microsoft said it is working on a security fix to plug the hole and will release it after it has completed testing. In the meantime, Windows users are urged to avoid opening Office files from untrusted sources or that arrive unexpectedly.
Affected software includes Microsoft Office 2000, 2002, 2003, and 2007 and Microsoft Office 2004 and 2008 for Mac.
The exploit uses weak encryption in an attempt to evade detection, according to Symantec.
(Credit: Symantec)Symantec has discovered malicious files in the wild in Japan that attempt to exploit the vulnerability and has updated its antivirus software to detect the malicious spreadsheet files it has dubbed Trojan.Mdropper.AC, the company said in a blog posting on Tuesday.
The risk is low and there have been few infections, Symantec said in an advisory. It lists Windows Vista and XP as affected systems.
"It turns out that this vulnerability exists in the old Excel binary .xls format and not the new .xlsx format," Symantec wrote. "Opening the malicious spreadsheet triggers the vulnerability. This causes the shellcode to execute and then drops two files on the system--the malicious binary mentioned earlier and another valid Excel document. The shellcode then executes the dropped file and opens the valid Excel document to mask the fact that Excel has just crashed. This helps to decrease suspicion when the affected spreadsheet is opened."
Microsoft also on Tuesday announced the availability of an update for Windows Autorun that allows people to selectively disable the Autorun functionality for drives on a system or network to provide more security.
The update addresses an issue that prevents the NoDriveTypeAutoRun registry key from functioning as expected. Disabling Autorun functionality can help prevent the execution of arbitrary code when a removable storage device is used.
The Autorun functionality has been blamed for malware that has infected USB thumb drives, leading to a temporary ban on their use at the U.S. Defense Department, and digital photo frames, among other storage types.
Microsoft on Tuesday released its December 2008 security bulletin. The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media Components.
Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)", this bulletin affects the Microsoft Visual Basic 6.0 Runtime Extended Files; all supported editions of Microsoft Visual Studio .Net 2002, Microsoft Visual Studio .Net 2003, Microsoft Visual FoxPro 8.0, Microsoft Visual FoxPro 9.0, Microsoft Office Project 2003, and Microsoft Office Project 2007. This bulletin addresses the vulnerabilities detailed in CVE-2008-4252, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255, CVE-2008-4256, and CVE-2008-3704, which could allow remote code execution "if a user browsed a Web site that contains specially crafted content," Microsoft says.
Exploitability index: 2-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in GDI Could Allow Remote Code Execution (956802)", this bulletin is rated critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This bulletin addresses the vulnerabilities detailed in CVE-2008-2249 and CVE-2008-3465. Microsoft says "exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitability index: 1-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)," this bulletin is rated critical for supported editions of Microsoft Office Word 2000 and Microsoft Office Outlook 2007. For supported editions of Microsoft Office Word 2002, Microsoft Office Word 2003, Microsoft Office Word 2007, Microsoft Office Compatibility Pack, Microsoft Office Word Viewer 2003, Microsoft Works 8, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. This bulletin addresses the issues detailed in CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4030,CVE-2008-4028, CVE-2008-4031, and CVE-2008-4837 . Microsoft says this bulletin resolves "eight privately reported vulnerabilities in Microsoft Office Word and Microsoft Office Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Cumulative Security Update for Internet Explorer (958215)", this bulletin is rated critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on Microsoft Windows 2000; Internet Explorer 6 running on Windows XP; and Internet Explorer 7. For Internet Explorer 6 running on Windows Server 2003, this security update is rated "moderate." This update addresses the vulnerabilities detailed in CVE-2008-4258, CVE-2008-4259, CVE-2008-4260, and CVE-2008-4261. Microsoft says the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)." This bulletin is rated critical for all supported editions of Microsoft Office Excel 2000. For all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack, Microsoft Office Excel Viewer, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. For Internet Explorer 6 running on Windows Server 2003, this security update is rated moderate. This update addresses the vulnerabilities detailed in CVE-2008-4265, CVE-2008-4264, and CVE-2008-4266. Microsoft says if a user opens a specially crafted Excel file an attacker could exploit these vulnerabilities and take complete control of an affected system.
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)" This bulletin is rated critical for all supported editions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4268 and CVE-2008-4269. Microsoft says that "these vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)", this bulletin is rated important for Windows Media Player 6.4, Windows Media Format Runtime 7.1, Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Windows Media Services 4.1, Windows Media Services 9 Series, and Windows Media Services 2008. This update addresses the vulnerabilities detailed in CVE-2008-3009 and CVE-2008-3010. Microsoft says the "most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)", this bulletin is rated important for all supported editions of Microsoft Office SharePoint Server 2007 and Microsoft Search Server 2008. This update addresses the vulnerability detailed in CVE-2008-4032. Microsoft says the "vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure."
The final Patch Tuesday for 2008 will be big, with six critical bulletins and two important bulletins due, according to Microsoft.
On Thursday, the company announced eight security bulletins set to go public December 9. The pre-announcement is intended as a heads-up for IT departments before Patch Tuesday. Six bulletins are considered "critical," the most serious ranking given by the software giant. Two are considered "important," the next level down.
Among the critical patches, two affect Windows, and there is one each that addresses issues in Word, Excel, Visual Basic, and Internet Explorer. All flaws could enable remote code execution if exploited.
Of the "important" bulletins, one is for SharePoint, and the other is for Windows Media Center.
Microsoft on Tuesday released its October 2008 security bulletin. The four critical bulletins concern Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel. The patch for Internet Explorer is cumulative.
Microsoft is now sharing the technical details of new vulnerabilities in advance of so-called Patch Tuesday to give software developers a chance to update affected products before the public announcement.
Microsoft is also including within each bulletin this month an "exploitability index" to help system administrators prioritize the patches--1 is for consistently functioning exploits (of most concern), 2 is for inconsistently functioning exploits (of moderate concern), and 3 is for vulnerabilities that are unlikely to produce functioning exploits (of least concern). All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Exploitability index: 2. Microsoft recommends that customers consider applying the security update. Titled "Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)," this bulletin only affects Microsoft Office XP Service Pack 3; all other supported versions of Microsoft Office are not affected. This bulletin addresses the vulnerability detailed in CVE-2008-4020. Microsoft says an attacker "who successfully exploited this vulnerability could inject a client side script in the user's browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site."
Exploitability index: 1-2. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)," this bulletin affects Microsoft Office Excel 2000 and is rated Important for all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack , Microsoft Office Excel Viewer, and Microsoft Office SharePoint Server 2007. This bulletin addresses the vulnerability detailed in CVE-2008-4019, CVE-2008-3471, and CVE-2008-3477. Microsoft says an attacker who exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 1-3. Microsoft recommends that customers apply this update immediately. Titled "Cumulative Security Update for Internet Explorer (956390)," this bulletin affects Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on all supported editions of Microsoft Windows 2000, and for Internet Explorer 6 running on all supported editions of Windows XP. For Internet Explorer 7 running on all supported editions of Windows XP and Windows Vista, this security update is rated Important. Otherwise, this security update is rated Moderate or Low. This bulletin addresses the issues detailed in CVE-2008-2947, CVE-2008-3472, CVE-2008-3473, CVE-2008-3474, CVE-2008-3475, and CVE-2008-3476. Microsoft says that "the vulnerabilities could allow information disclosure or remote code execution if a user views a specially crafted Web page using Internet Explorer."
Exploitability index: 1. Microsoft recommends that customers apply the update immediately. Titled "Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)," this bulletin affects Microsoft Host Integration Server 2000, Microsoft Host Integration Server 2004, and Microsoft Host Integration Server 2006. This bulletin addresses the vulnerability detailed in CVE- 2008-3466. Microsoft says this "vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights."
Exploitability index: 2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerability in Active Directory Could Allow Remote Code Execution (957280)," this bulletin affects implementations of Active Directory on Microsoft Windows 2000 Server. This update addresses the vulnerability detailed in CVE-2008-4023. Microsoft says that "this vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability."
Exploitability index: 1-3. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)," this bulletin affects users of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-2250, CVE-2008-2251, and CVE-2008-2252. Microsoft says a "local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)," this bulletin affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1446. Microsoft says an "attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 2 Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in SMB Could Allow Remote Code Execution (957095)," this bulletin affects all supported versions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4038. Microsoft says the "vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user right."
Exploitability index: 2. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)," this bulletin affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4036. Microsoft says that "the vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.."
Exploitability index: 3. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)," this bulletin affects Microsoft Windows 2000. This update addresses the vulnerability detailed in CVE-2008-3479. Microsoft says the "vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)," this bulletin affects Windows XP and Windows Server 2003. The update addresses the vulnerabilities detailed in CVE-2008-3464. Microsoft says "a local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
On Thursday, Microsoft announced four security bulletins for next week. The announcement is intended as a heads-up for IT departments before Patch Tuesday. Four fixes are considered critical, six important, and one is moderate as ranked by the software giant.
Starting this month, Microsoft is sharing the technical details of new vulnerabilities to give software developers a catch to update affected products before the public announcement. And on Tuesday, Microsoft is expected to provide with each bulletin an "exploitability index" to help system administrators prioritize the patches.
Among the critical patches one each affects Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel. All four could enable remote code execution if exploited.
Of the important patches, all six affect Windows, and could enable remote code execution or elevation of privilege if exploited.
The lone moderate patch affects Windows Office and could enable information disclosure if exploited.
Microsoft on Tuesday released its August 2008 security bulletin. Bulletins rated "critical" concern Microsoft Access 2003 and earlier; Microsoft Word 2002 and 2003; Microsoft Excel; and Microsoft Office 2000, Microsoft Office XP and Microsoft Office 2003. A cumulative patch for Internet Explorer also is rated critical.
"Important" bulletins affect Windows Internet Protocol Security (IPsec); Outlook Express and Windows Mail; Microsoft Windows Event System; Windows Messenger; and Microsoft PowerPoint. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Titled "Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)." This bulletin affects Snapshot Viewer for Microsoft Access and for supported versions of Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003. This update addresses the vulnerability in CVE-2008-2463. Microsoft says that "an attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user."
Titled "Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048)." This bulletin only affects users of Microsoft Word 2002 and Microsoft Word 2003. The update addresses vulnerability detailed in CVE-2008-2244. Microsoft says that "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Titled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066)." This bulletin affects users of Microsoft Office Excel 2000 Service Pack 3 and rated Important for Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel 2003 Service Pack 3, Excel Viewer 2003, Excel Viewer 2003 Service Pack 3, Excel 2007, Excel 2007 Service Pack 1, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1, Microsoft Office Excel Viewer, and Microsoft Office SharePoint Server 2007. The update addresses the issues detailed in CVE-2008-3003, CVE-2008-3004, CVE-2008-3005, CVE-2008-3006. Microsoft says that "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Titled "Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090)." This bulletin affects Microsoft Office 2000, and is "important" for supported editions of Microsoft Office XP, Microsoft Office 2003 Service Pack 2, Microsoft Project 2002 Service Pack 1, Microsoft Office Converter Pack, and Microsoft Works 8. This update addresses the vulnerabilities detailed in CVE-2008-3018, CVE-2008-3019, CVE-2008-3021, CVE-2008-3022, and CVE 2008-3460. Microsoft says these vulnerabilities could allow remote code execution if a user views a specially crafted image file when using Microsoft Office.
Titled " Cumulative Security Update for Internet Explorer (953838)." This bulletin affects users of all supported releases of Internet Explorer. This update addresses the vulnerabilities detailed in CVE-2008-2254, CVE-2008-2255, CVE-2008-2256, CVE-2008-2257, CVE-2008-2258, and CVE-2008-2259. Microsoft says all of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
Titled " Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954)." This bulletin affects users of Microsoft Windows 2000, Windows XP, and Windows Server 2003. This update addresses the vulnerability detailed in CVE-2008-2245. Microsoft says a vulnerability in the Microsoft Image Color Management (ICM) system could allow remote code execution in the context of the current user. "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Titled " Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733)." This bulletin affects all supported versions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-2246. Microsoft says the vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text, disclosing information intended to be encrypted on the network. An attacker viewing the traffic on the network would be able to view and possibly modify the traffic. According to Microsoft: "Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system or network."
Titled "Security Update for Outlook Express and Windows Mail (951066)." This bulletin affects Windows XP and Windows Vista and is rated "low" for supported editions of Windows Server 2003 and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1448. Microsoft says this vulnerability could allow information disclosure if a user visits a specially crafted Web page using Internet Explorer.
Titled "Vulnerabilities in Event System Could Allow Remote Code Execution (950974)." This bulletin affects Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1456 and CVE-2008-1457. Microsoft says that "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."
Titled "Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)" This bulletin affects Windows Messenger 4.7 and Windows Messenger 5.1 and rated Important for all supported editions of Microsoft Windows 2000 and Windows XP, and Moderate for all supported versions of Windows Server 2003. This update addresses the vulnerability detailed in CVE-2008-0028. Microsoft says that "as a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user. An attacker could change state, get contact information, and initiate audio and video chat sessions without the knowledge of the logged-on user. An attacker could also capture the user's logon ID and remotely log on to the user's Messenger client impersonating that user."
Titled "Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785)." This bulletin affects Microsoft Office PowerPoint 2000 and is rated "important" for supported editions of Microsoft Office PowerPoint 2002, Microsoft Office PowerPoint 2003, Microsoft Office PowerPoint 2007, Microsoft Office PowerPoint Viewer 2003, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. This update addresses the vulnerability detailed in CVE-2008-0120, CVE-2008-0121, and CVE-2008-1455. Microsoft says an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system: "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
- prev
- 1
- next
