Get Smart about Business Spending
Microsoft will issue a patch on Tuesday to fix a critical vulnerability in PowerPoint that could be the same hole that has been exploited in limited and targeted attacks.
The vulnerability affects Microsoft Office 2000, 2003, 2007 and XP, as well as PowerPoint Viewer and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 file formats, according to an advance notification released on Thursday.
In a security advisory in early April, Microsoft warned about a vulnerability in PowerPoint that had been targeted by attacks that were tailored and not widespread.
That vulnerability could be exploited by getting a person to open a PowerPoint file rigged for the attack, the company said. When the file is opened, PowerPoint will access an invalid object in memory. That then allows an attacker to remotely execute code on the system.
Microsoft on Tuesday released its October 2008 security bulletin. The four critical bulletins concern Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel. The patch for Internet Explorer is cumulative.
Microsoft is now sharing the technical details of new vulnerabilities in advance of so-called Patch Tuesday to give software developers a chance to update affected products before the public announcement.
Microsoft is also including within each bulletin this month an "exploitability index" to help system administrators prioritize the patches--1 is for consistently functioning exploits (of most concern), 2 is for inconsistently functioning exploits (of moderate concern), and 3 is for vulnerabilities that are unlikely to produce functioning exploits (of least concern). All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Exploitability index: 2. Microsoft recommends that customers consider applying the security update. Titled "Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)," this bulletin only affects Microsoft Office XP Service Pack 3; all other supported versions of Microsoft Office are not affected. This bulletin addresses the vulnerability detailed in CVE-2008-4020. Microsoft says an attacker "who successfully exploited this vulnerability could inject a client side script in the user's browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site."
Exploitability index: 1-2. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)," this bulletin affects Microsoft Office Excel 2000 and is rated Important for all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack , Microsoft Office Excel Viewer, and Microsoft Office SharePoint Server 2007. This bulletin addresses the vulnerability detailed in CVE-2008-4019, CVE-2008-3471, and CVE-2008-3477. Microsoft says an attacker who exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 1-3. Microsoft recommends that customers apply this update immediately. Titled "Cumulative Security Update for Internet Explorer (956390)," this bulletin affects Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on all supported editions of Microsoft Windows 2000, and for Internet Explorer 6 running on all supported editions of Windows XP. For Internet Explorer 7 running on all supported editions of Windows XP and Windows Vista, this security update is rated Important. Otherwise, this security update is rated Moderate or Low. This bulletin addresses the issues detailed in CVE-2008-2947, CVE-2008-3472, CVE-2008-3473, CVE-2008-3474, CVE-2008-3475, and CVE-2008-3476. Microsoft says that "the vulnerabilities could allow information disclosure or remote code execution if a user views a specially crafted Web page using Internet Explorer."
Exploitability index: 1. Microsoft recommends that customers apply the update immediately. Titled "Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)," this bulletin affects Microsoft Host Integration Server 2000, Microsoft Host Integration Server 2004, and Microsoft Host Integration Server 2006. This bulletin addresses the vulnerability detailed in CVE- 2008-3466. Microsoft says this "vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights."
Exploitability index: 2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerability in Active Directory Could Allow Remote Code Execution (957280)," this bulletin affects implementations of Active Directory on Microsoft Windows 2000 Server. This update addresses the vulnerability detailed in CVE-2008-4023. Microsoft says that "this vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability."
Exploitability index: 1-3. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)," this bulletin affects users of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-2250, CVE-2008-2251, and CVE-2008-2252. Microsoft says a "local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)," this bulletin affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1446. Microsoft says an "attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 2 Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in SMB Could Allow Remote Code Execution (957095)," this bulletin affects all supported versions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4038. Microsoft says the "vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user right."
Exploitability index: 2. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)," this bulletin affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4036. Microsoft says that "the vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.."
Exploitability index: 3. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)," this bulletin affects Microsoft Windows 2000. This update addresses the vulnerability detailed in CVE-2008-3479. Microsoft says the "vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)," this bulletin affects Windows XP and Windows Server 2003. The update addresses the vulnerabilities detailed in CVE-2008-3464. Microsoft says "a local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
On Thursday, Microsoft announced four security bulletins for next week. The announcement is intended as a heads-up for IT departments before Patch Tuesday. Four fixes are considered critical, six important, and one is moderate as ranked by the software giant.
Starting this month, Microsoft is sharing the technical details of new vulnerabilities to give software developers a catch to update affected products before the public announcement. And on Tuesday, Microsoft is expected to provide with each bulletin an "exploitability index" to help system administrators prioritize the patches.
Among the critical patches one each affects Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel. All four could enable remote code execution if exploited.
Of the important patches, all six affect Windows, and could enable remote code execution or elevation of privilege if exploited.
The lone moderate patch affects Windows Office and could enable information disclosure if exploited.
Microsoft on Tuesday released its September 2008 security bulletin summary.
The four bulletins concern Windows GDI+, Windows Media Player, and Microsoft Office OneNote. All are rated critical by Microsoft. There is no cumulative patch for Internet Explorer this month.
Starting next month, Microsoft plans to share the technical details of new vulnerabilities to give software developers time to update affected products before the public announcement.
Also in October, Microsoft will start providing each bulletin with an Exploitability Index to help system administrators prioritize the patches. All current Microsoft security patches for both Windows and Office software are available via Microsoft Update or the individual bulletins detailed below.
MS08-052: Critical
Entitled "Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)," this bulletin affects all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, Microsoft Internet Explorer 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4, Microsoft Digital Image Suite 2006, SQL Server 2000 Reporting Services Service Pack 2, all supported editions of SQL Server 2005, Microsoft Report Viewer 2005 Service Pack 1 Redistributable Package, and Microsoft Report Viewer 2008 Redistributable Package. It addresses the issues detailed in CVE-2008-5348, CVE-2008-3012, CVE-2008-3013, CVE-2008-3014, and CVE-2008-3015. Microsoft says these vulnerabilities "could allow remote code execution, if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content."
MS08-053: Critical
Entitled "Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)," this bulletin affects all supported and affected editions of Microsoft Windows 2000, Windows XP, and Windows Vista, as well as supported and affected versions of Windows Server 2003 and Windows Server 2008. It addresses the vulnerability detailed in CVE-2008-3008. Microsoft says the vulnerability could "allow remote code execution, if a user viewed a specially crafted Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected system."
MS08-054: Critical
Entitled "Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)," this bulletin affects all supported and affected editions of Windows Media Player 11. This bulletin addresses the issues detailed in CVE-2008-2253. Microsoft says there is a "vulnerability in Windows Media Player that could allow remote code execution when a specially crafted audio file is streamed from a Windows Media server. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."
MS08-055: Critical
Entitled "Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)," this bulletin affects supported editions of Microsoft Office OneNote 2007 and supported editions of Microsoft Office XP, Microsoft Office 2003, and 2007 Microsoft Office System. This bulletin addresses the vulnerability detailed in CVE-2008-3007. Microsoft says "if a user clicks a specially crafted OneNote URL...an attacker who successfully exploited this vulnerability could take complete control of an affected system."
On Thursday, Microsoft announced four security bulletins for Tuesday. The announcement is intended as a heads-up for IT departments before Patch Tuesday. All four are considered critical, the most serious ranking offered by the software giant.
Among the critical patches, two affect Windows Media Player, one affects Windows, while the other affects Microsoft Office. All could enable remote code execution if exploited.
Starting next month, Microsoft will be sharing the technical details of new vulnerabilities to give software developers a catch to update affected products before the public announcement. Also in October, Microsoft will start providing each bulletin with an Exploitability Index to help system administrators prioritize the patches.
Microsoft on Tuesday released its August 2008 security bulletin. Bulletins rated "critical" concern Microsoft Access 2003 and earlier; Microsoft Word 2002 and 2003; Microsoft Excel; and Microsoft Office 2000, Microsoft Office XP and Microsoft Office 2003. A cumulative patch for Internet Explorer also is rated critical.
"Important" bulletins affect Windows Internet Protocol Security (IPsec); Outlook Express and Windows Mail; Microsoft Windows Event System; Windows Messenger; and Microsoft PowerPoint. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Titled "Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)." This bulletin affects Snapshot Viewer for Microsoft Access and for supported versions of Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003. This update addresses the vulnerability in CVE-2008-2463. Microsoft says that "an attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user."
Titled "Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048)." This bulletin only affects users of Microsoft Word 2002 and Microsoft Word 2003. The update addresses vulnerability detailed in CVE-2008-2244. Microsoft says that "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Titled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066)." This bulletin affects users of Microsoft Office Excel 2000 Service Pack 3 and rated Important for Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel 2003 Service Pack 3, Excel Viewer 2003, Excel Viewer 2003 Service Pack 3, Excel 2007, Excel 2007 Service Pack 1, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1, Microsoft Office Excel Viewer, and Microsoft Office SharePoint Server 2007. The update addresses the issues detailed in CVE-2008-3003, CVE-2008-3004, CVE-2008-3005, CVE-2008-3006. Microsoft says that "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Titled "Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090)." This bulletin affects Microsoft Office 2000, and is "important" for supported editions of Microsoft Office XP, Microsoft Office 2003 Service Pack 2, Microsoft Project 2002 Service Pack 1, Microsoft Office Converter Pack, and Microsoft Works 8. This update addresses the vulnerabilities detailed in CVE-2008-3018, CVE-2008-3019, CVE-2008-3021, CVE-2008-3022, and CVE 2008-3460. Microsoft says these vulnerabilities could allow remote code execution if a user views a specially crafted image file when using Microsoft Office.
Titled " Cumulative Security Update for Internet Explorer (953838)." This bulletin affects users of all supported releases of Internet Explorer. This update addresses the vulnerabilities detailed in CVE-2008-2254, CVE-2008-2255, CVE-2008-2256, CVE-2008-2257, CVE-2008-2258, and CVE-2008-2259. Microsoft says all of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
Titled " Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954)." This bulletin affects users of Microsoft Windows 2000, Windows XP, and Windows Server 2003. This update addresses the vulnerability detailed in CVE-2008-2245. Microsoft says a vulnerability in the Microsoft Image Color Management (ICM) system could allow remote code execution in the context of the current user. "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Titled " Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733)." This bulletin affects all supported versions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-2246. Microsoft says the vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text, disclosing information intended to be encrypted on the network. An attacker viewing the traffic on the network would be able to view and possibly modify the traffic. According to Microsoft: "Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system or network."
Titled "Security Update for Outlook Express and Windows Mail (951066)." This bulletin affects Windows XP and Windows Vista and is rated "low" for supported editions of Windows Server 2003 and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1448. Microsoft says this vulnerability could allow information disclosure if a user visits a specially crafted Web page using Internet Explorer.
Titled "Vulnerabilities in Event System Could Allow Remote Code Execution (950974)." This bulletin affects Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1456 and CVE-2008-1457. Microsoft says that "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."
Titled "Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)" This bulletin affects Windows Messenger 4.7 and Windows Messenger 5.1 and rated Important for all supported editions of Microsoft Windows 2000 and Windows XP, and Moderate for all supported versions of Windows Server 2003. This update addresses the vulnerability detailed in CVE-2008-0028. Microsoft says that "as a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user. An attacker could change state, get contact information, and initiate audio and video chat sessions without the knowledge of the logged-on user. An attacker could also capture the user's logon ID and remotely log on to the user's Messenger client impersonating that user."
Titled "Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785)." This bulletin affects Microsoft Office PowerPoint 2000 and is rated "important" for supported editions of Microsoft Office PowerPoint 2002, Microsoft Office PowerPoint 2003, Microsoft Office PowerPoint 2007, Microsoft Office PowerPoint Viewer 2003, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. This update addresses the vulnerability detailed in CVE-2008-0120, CVE-2008-0121, and CVE-2008-1455. Microsoft says an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system: "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
- prev
- 1
- next
