Microsoft on Tuesday released its December 2008 security bulletin. The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media Components.
Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)", this bulletin affects the Microsoft Visual Basic 6.0 Runtime Extended Files; all supported editions of Microsoft Visual Studio .Net 2002, Microsoft Visual Studio .Net 2003, Microsoft Visual FoxPro 8.0, Microsoft Visual FoxPro 9.0, Microsoft Office Project 2003, and Microsoft Office Project 2007. This bulletin addresses the vulnerabilities detailed in CVE-2008-4252, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255, CVE-2008-4256, and CVE-2008-3704, which could allow remote code execution "if a user browsed a Web site that contains specially crafted content," Microsoft says.
Exploitability index: 2-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in GDI Could Allow Remote Code Execution (956802)", this bulletin is rated critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This bulletin addresses the vulnerabilities detailed in CVE-2008-2249 and CVE-2008-3465. Microsoft says "exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitability index: 1-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)," this bulletin is rated critical for supported editions of Microsoft Office Word 2000 and Microsoft Office Outlook 2007. For supported editions of Microsoft Office Word 2002, Microsoft Office Word 2003, Microsoft Office Word 2007, Microsoft Office Compatibility Pack, Microsoft Office Word Viewer 2003, Microsoft Works 8, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. This bulletin addresses the issues detailed in CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4030,CVE-2008-4028, CVE-2008-4031, and CVE-2008-4837 . Microsoft says this bulletin resolves "eight privately reported vulnerabilities in Microsoft Office Word and Microsoft Office Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Cumulative Security Update for Internet Explorer (958215)", this bulletin is rated critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on Microsoft Windows 2000; Internet Explorer 6 running on Windows XP; and Internet Explorer 7. For Internet Explorer 6 running on Windows Server 2003, this security update is rated "moderate." This update addresses the vulnerabilities detailed in CVE-2008-4258, CVE-2008-4259, CVE-2008-4260, and CVE-2008-4261. Microsoft says the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)." This bulletin is rated critical for all supported editions of Microsoft Office Excel 2000. For all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack, Microsoft Office Excel Viewer, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. For Internet Explorer 6 running on Windows Server 2003, this security update is rated moderate. This update addresses the vulnerabilities detailed in CVE-2008-4265, CVE-2008-4264, and CVE-2008-4266. Microsoft says if a user opens a specially crafted Excel file an attacker could exploit these vulnerabilities and take complete control of an affected system.
Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)" This bulletin is rated critical for all supported editions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4268 and CVE-2008-4269. Microsoft says that "these vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)", this bulletin is rated important for Windows Media Player 6.4, Windows Media Format Runtime 7.1, Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Windows Media Services 4.1, Windows Media Services 9 Series, and Windows Media Services 2008. This update addresses the vulnerabilities detailed in CVE-2008-3009 and CVE-2008-3010. Microsoft says the "most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)", this bulletin is rated important for all supported editions of Microsoft Office SharePoint Server 2007 and Microsoft Search Server 2008. This update addresses the vulnerability detailed in CVE-2008-4032. Microsoft says the "vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure."
Microsoft on Tuesday released its October 2008 security bulletin. The four critical bulletins concern Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel. The patch for Internet Explorer is cumulative.
Microsoft is now sharing the technical details of new vulnerabilities in advance of so-called Patch Tuesday to give software developers a chance to update affected products before the public announcement.
Microsoft is also including within each bulletin this month an "exploitability index" to help system administrators prioritize the patches--1 is for consistently functioning exploits (of most concern), 2 is for inconsistently functioning exploits (of moderate concern), and 3 is for vulnerabilities that are unlikely to produce functioning exploits (of least concern). All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Exploitability index: 2. Microsoft recommends that customers consider applying the security update. Titled "Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)," this bulletin only affects Microsoft Office XP Service Pack 3; all other supported versions of Microsoft Office are not affected. This bulletin addresses the vulnerability detailed in CVE-2008-4020. Microsoft says an attacker "who successfully exploited this vulnerability could inject a client side script in the user's browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site."
Exploitability index: 1-2. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)," this bulletin affects Microsoft Office Excel 2000 and is rated Important for all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack , Microsoft Office Excel Viewer, and Microsoft Office SharePoint Server 2007. This bulletin addresses the vulnerability detailed in CVE-2008-4019, CVE-2008-3471, and CVE-2008-3477. Microsoft says an attacker who exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 1-3. Microsoft recommends that customers apply this update immediately. Titled "Cumulative Security Update for Internet Explorer (956390)," this bulletin affects Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on all supported editions of Microsoft Windows 2000, and for Internet Explorer 6 running on all supported editions of Windows XP. For Internet Explorer 7 running on all supported editions of Windows XP and Windows Vista, this security update is rated Important. Otherwise, this security update is rated Moderate or Low. This bulletin addresses the issues detailed in CVE-2008-2947, CVE-2008-3472, CVE-2008-3473, CVE-2008-3474, CVE-2008-3475, and CVE-2008-3476. Microsoft says that "the vulnerabilities could allow information disclosure or remote code execution if a user views a specially crafted Web page using Internet Explorer."
Exploitability index: 1. Microsoft recommends that customers apply the update immediately. Titled "Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)," this bulletin affects Microsoft Host Integration Server 2000, Microsoft Host Integration Server 2004, and Microsoft Host Integration Server 2006. This bulletin addresses the vulnerability detailed in CVE- 2008-3466. Microsoft says this "vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights."
Exploitability index: 2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerability in Active Directory Could Allow Remote Code Execution (957280)," this bulletin affects implementations of Active Directory on Microsoft Windows 2000 Server. This update addresses the vulnerability detailed in CVE-2008-4023. Microsoft says that "this vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability."
Exploitability index: 1-3. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)," this bulletin affects users of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-2250, CVE-2008-2251, and CVE-2008-2252. Microsoft says a "local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)," this bulletin affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1446. Microsoft says an "attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Exploitability index: 2 Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in SMB Could Allow Remote Code Execution (957095)," this bulletin affects all supported versions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4038. Microsoft says the "vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited this vulnerability could install programs; view, change, or delete data; or create new accounts with full user right."
Exploitability index: 2. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)," this bulletin affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4036. Microsoft says that "the vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.."
Exploitability index: 3. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)," this bulletin affects Microsoft Windows 2000. This update addresses the vulnerability detailed in CVE-2008-3479. Microsoft says the "vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled."
Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)," this bulletin affects Windows XP and Windows Server 2003. The update addresses the vulnerabilities detailed in CVE-2008-3464. Microsoft says "a local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
On Thursday, Microsoft announced four security bulletins for next week. The announcement is intended as a heads-up for IT departments before Patch Tuesday. Four fixes are considered critical, six important, and one is moderate as ranked by the software giant.
Starting this month, Microsoft is sharing the technical details of new vulnerabilities to give software developers a catch to update affected products before the public announcement. And on Tuesday, Microsoft is expected to provide with each bulletin an "exploitability index" to help system administrators prioritize the patches.
Among the critical patches one each affects Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel. All four could enable remote code execution if exploited.
Of the important patches, all six affect Windows, and could enable remote code execution or elevation of privilege if exploited.
The lone moderate patch affects Windows Office and could enable information disclosure if exploited.
On Thursday, Mozilla pushed out a new security update for its new Firefox browser. Version 3.0.1 for Windows and Mac addresses vulnerabilities in malformed GIF files on Mac OS X, command-line URLs that could launch multiple tabs when Firefox is not running, and a potential remote code execution by overflowing CSS reference counter.
Meanwhile, Mozilla updated the earlier version of Firefox with 2.0.16 on Tuesday. The update addresses two of the Firefox 3 critical issues--command-line URLs and overflowing CSS reference counter.
Version-specific updates have been pushed out automatically to existing Firefox users.
Mozilla will continue to update Firefox 2 until mid-December.
- prev
- 1
- next
