Microsoft on Tuesday released its December 2008 security bulletin. The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media Components.
Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)", this bulletin affects the Microsoft Visual Basic 6.0 Runtime Extended Files; all supported editions of Microsoft Visual Studio .Net 2002, Microsoft Visual Studio .Net 2003, Microsoft Visual FoxPro 8.0, Microsoft Visual FoxPro 9.0, Microsoft Office Project 2003, and Microsoft Office Project 2007. This bulletin addresses the vulnerabilities detailed in CVE-2008-4252, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255, CVE-2008-4256, and CVE-2008-3704, which could allow remote code execution "if a user browsed a Web site that contains specially crafted content," Microsoft says.
Exploitability index: 2-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in GDI Could Allow Remote Code Execution (956802)", this bulletin is rated critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This bulletin addresses the vulnerabilities detailed in CVE-2008-2249 and CVE-2008-3465. Microsoft says "exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitability index: 1-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)," this bulletin is rated critical for supported editions of Microsoft Office Word 2000 and Microsoft Office Outlook 2007. For supported editions of Microsoft Office Word 2002, Microsoft Office Word 2003, Microsoft Office Word 2007, Microsoft Office Compatibility Pack, Microsoft Office Word Viewer 2003, Microsoft Works 8, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. This bulletin addresses the issues detailed in CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4030,CVE-2008-4028, CVE-2008-4031, and CVE-2008-4837 . Microsoft says this bulletin resolves "eight privately reported vulnerabilities in Microsoft Office Word and Microsoft Office Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Cumulative Security Update for Internet Explorer (958215)", this bulletin is rated critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on Microsoft Windows 2000; Internet Explorer 6 running on Windows XP; and Internet Explorer 7. For Internet Explorer 6 running on Windows Server 2003, this security update is rated "moderate." This update addresses the vulnerabilities detailed in CVE-2008-4258, CVE-2008-4259, CVE-2008-4260, and CVE-2008-4261. Microsoft says the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)." This bulletin is rated critical for all supported editions of Microsoft Office Excel 2000. For all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack, Microsoft Office Excel Viewer, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. For Internet Explorer 6 running on Windows Server 2003, this security update is rated moderate. This update addresses the vulnerabilities detailed in CVE-2008-4265, CVE-2008-4264, and CVE-2008-4266. Microsoft says if a user opens a specially crafted Excel file an attacker could exploit these vulnerabilities and take complete control of an affected system.
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)" This bulletin is rated critical for all supported editions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4268 and CVE-2008-4269. Microsoft says that "these vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)", this bulletin is rated important for Windows Media Player 6.4, Windows Media Format Runtime 7.1, Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Windows Media Services 4.1, Windows Media Services 9 Series, and Windows Media Services 2008. This update addresses the vulnerabilities detailed in CVE-2008-3009 and CVE-2008-3010. Microsoft says the "most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)", this bulletin is rated important for all supported editions of Microsoft Office SharePoint Server 2007 and Microsoft Search Server 2008. This update addresses the vulnerability detailed in CVE-2008-4032. Microsoft says the "vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure."
The final Patch Tuesday for 2008 will be big, with six critical bulletins and two important bulletins due, according to Microsoft.
On Thursday, the company announced eight security bulletins set to go public December 9. The pre-announcement is intended as a heads-up for IT departments before Patch Tuesday. Six bulletins are considered "critical," the most serious ranking given by the software giant. Two are considered "important," the next level down.
Among the critical patches, two affect Windows, and there is one each that addresses issues in Word, Excel, Visual Basic, and Internet Explorer. All flaws could enable remote code execution if exploited.
Of the "important" bulletins, one is for SharePoint, and the other is for Windows Media Center.
Microsoft and EMC's RSA on Thursday announced an expanded technology partnership around digital rights management in the enterprise.
There are two parts to the announcement, said Douglas Leland, general manager of the Identity and Security Business Group at Microsoft. One, Microsoft will build RSA's Data Loss Prevention (DLP) prevention classification into the Microsoft IT platform and future information protection products.
The other part of the announcement, said Leland, is that RSA will in turn integrate Microsoft's Active Directory Right Management System (RMS) into its DLP product. "This makes RSA's DLP solution identity-aware."
Microsoft and EMC said their solution is different from other DLP solutions on the market because it is thoroughly integrated within the platform, not layered on. For example, Microsoft will start by adding RSA's DLP 6.5 to Windows Server 2008. Other Microsoft products to be included in the program are Microsoft Exchange and SharePoint.
For the user, the process is transparent, happening entirely on the back end. "(This technology will) assist the user in such a way that they don't have to make a choice in what information they have to protect," said Christopher Young, senior vice president of products at RSA. Whenever sensitive documents are traded via Exchange or SharePoint, the ability to read only, print, or not print will be controlled automatically by the policies set by the CIO or other security officers.
Twenty-two percent of the managers surveyed said they had found sensitive data on SharePoint sites.
(Credit: Courion)Eighty-seven percent of IT managers cited content-sharing and employee collaboration service SharePoint as their top concern for leaking sensitive data, according to a survey schedule for release on Tuesday.
Courion, an access management and compliance company, found that SharePoint sites are being deployed in some corporations without consideration of security's best practices. More than 33 percent of the organizations surveyed said they did not have a policy to manage the rights necessary to create SharePoint sites.
The study of 150 business managers conducted in September found that companies lack automated tools for provisioning SharePoint users and managing their access rights. About 37 percent of companies surveyed said they were not monitoring the creation of new SharePoint sites to make sure they conform to existing corporate guidelines and policies. Most companies, the survey showed, are largely unaware of what is happening within the information sharing environment.
A spokesperson for Microsoft said: "Any enterprise software development project should be approached with managed planning and deployments. SharePoint is no exception to this, and SharePoint installations by default do not allow software developers or end users to upload custom code without oversight by system administrators."
The survey sampled a diverse group of financial services, high tech, manufacturing, health care, retail, and public sector managers.
(Credit: Courion)- prev
- 1
- next
