Once again it is Patch Tuesday, the time of the month when Microsoft releases its security updates for the various Windows operating systems and Microsoft products. This time around, the patches are accompanied by the Exploitability Index, a new feature that helps IT administrators prioritize the various updates.
Microsoft releases eleven patches Tuesday, addressing four critical issues.(IMG:J.Anderson)
Of the 11 patches released today, four of them are critical. Internet Explorer (IE) gets six fixes from MS08-058, addressing issues in versions 5, 6 and 7. However, the issue in IE 5 only applies to Windows 2000 SP4; let’s just hope no company out there is using this version in a production environment.
Active Directory on Windows 2000 Server, which is still popular in many IT shops and used in production environments, is vulnerable to incorrect memory allocation when receiving specially crafted LDAP or LDAPS requests. Exploitation of this flaw will lead to the server being completely compromised, Microsoft warns.
However, this will only apply to Windows 2000 Server installs that are configured as a Domain Controller; this is because unless the server is a fully-fledged Domain Controller, it will not listen for LDAP or LDAPS queries. MS08-060 addresses this issue, but the better advice is to update to Windows Server 2003 or even 2008.
Another issue gaining some attention is MS08-059. This patch addresses the first ever reported vulnerability in Microsoft Host Integration Server (HIS).
“A remote code execution vulnerability exists in the SNA Remote Procedure Call (RPC) service for Host Integration Server. An attacker could exploit the vulnerability by constructing a specially crafted RPC request. The vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system,” The CVE reports.
Microsoft, along with a patch, lists workarounds for IT shops that cannot deploy the patch instantly. It includes tips for HIS 2000, as well as HIS 2004 and 2006.
Finally, the last critical patch (MS08-057) corrects issues in Microsoft Excel, three of them to be exact, each leading to complete remote control of the system if exploited. Like other Excel issues of the past, the user will have to open a malicious Excel file in order to be exploited.
“With four critical updates and six moderate patches, this is a pretty heavy Patch Tuesday in terms of volume. Given that the four critical bulletins deal with Windows and Excel 2000, Internet Explorer 6 and Microsoft Host Integration Server, organizations should not be lax when rolling out this month's patches,” Lumension Security’s Don Leatham said in an e-mail to The Tech Herald.
Leatham also pointed out that the Internet Explorer update was seriously important, and companies should pay special attention to it.
“It is not as simple as patching IE for XP or Vista as it impacts 2000, XP, Vista as well as Microsoft Windows Server 2003 and 2008,” he added. “Lastly, the Windows Host Integration Server is a gateway application between Microsoft networks to IBM mainframe and AS400 environments so anyone using HIS environments will need to prioritize this patch accordingly.”
To help companies prioritize the patching process, Microsoft has introduced the Exploitability Index with this month’s security advisories. The Exploitability Index is a quick at-a-glance look of the current patch, CVE ID, risk assessment, and related notes. It offers one-of-three levels of risk, depending on the nature of the vulnerability.
For example, MS08-060 (Active Directory) is listed as a Level 2 risk (Inconsistent exploit code likely). This means that exploit code could be created, but an attacker would likely experience inconsistent results, according to Microsoft.
However, MS08-059 (Host Integration Server) is given a Level 1 risk assessment. Level 1 means that exploit code can be created by an attacker that would consistently exploit this problem.
A ranking of Level 3 means, “it might be possible for exploit code to be released that could trigger the vulnerability and cause abnormal behavior, but it is unlikely that an attacker would be able to create an exploit that could successfully exercise the full impact of the vulnerability,” Microsoft explains.
There are currently no comments for this article. Be the first to comment! (no registration required)
Advertising
There are currently no comments for this article. Be the first to comment! (no registration required)