The Tech Herald

Microsoft offers largest set of vulnerability patches to date

by Steve Ragan - Aug 13 2008, 13:44

Microsoft yesterday issued a total of 11 security bulletins, addressing six critical issues and five important issues; together, the 11 bulletins address 26 vulnerabilities. What is important about this patch release is that Microsoft hasn’t dropped this many bulletins since last February. This month’s release also marks the largest 'Patch Tuesday' deployment in almost two years.

"This is a mammoth Patch Tuesday, and we have not seen anything of this scale in a long time," said Karthik Raman, a research scientist at security vendor McAfee, to The Tech Herald in a related e-mail.

Six of the bulletins are rated 'critical' by Microsoft because the vulnerabilities could allow attackers to take control of a system. The remaining bulletins are rated 'important', one notch lower on Microsoft's severity scale. However, as with all updates, users should apply them ASAP, no matter where Microsoft has placed them in terms of threat level.

Two of Tuesday's Microsoft patches ('MS08-041' and 'MS08-042') cover vulnerabilities that have already been publicly disclosed and are actively being used in attacks online.

MS08-041 addresses an issue in the ActiveX control for the Snapshot Viewer for Microsoft Access. Exploitation leads to code execution, which is why it is listed as critical.

Oddly, MS08-042 is listed as important, and addresses a vulnerability in Microsoft Word.

"This vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said in the advisory for MS08-042.

"Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply views a malformed image or visits a malicious Web site, a favorite attack method among [criminals]," Raman added.

Another critical vulnerability resides in the Microsoft Image Color Management (ICM) system, which could allow remote code execution in the context of the current user. This is listed as critical for Windows XP with SP2 or SP3, Windows Vista, Server 2003, and also Server 2000. Windows Vista is listed as immune to this flaw.

The majority of the vulnerabilities addressed by Microsoft's bulletins this month can be exploited through malicious Web sites or by tricking a computer user into opening a rigged image or Office file. For this reason, McAfee said that its top-two picks for both home and business users are MS08-044 and 045.

MS08-044, rated as critical, corrects an issue that could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. MS08-045, also listed as critical, resolves five privately reported vulnerabilities and one public vulnerability. All of the reported vulnerabilities allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

There is more, however: two advisories that IT professionals need to pay close attention to. The first is addressed in KB954960.

"This announces an update for Windows Server Update Services (WSUS) that can impact organizations’ ability to deploy security patches. If an organization utilizes WSUS, it is important that their IT teams assess the applicability of this update to their WSUS implementation," advised Don Leatham, director of solutions and strategy for Lumension Security.

The issue deals with some computers that do not receive updates from the WSUS server as intended. Microsoft said this problem occurs if the computers have Microsoft Office 2003 or components of Office 2003 installed.

The other issue IT departments need to watch for is addressed in KB956187, which is an issue all of IT should be well aware of by now.

"Once exploit code for the DNS vulnerability announced in July became available, Microsoft took the unusual step to issue this security advisory that encouraged customers to update their DNS servers (see Microsoft Security Bulletin MS08-037) ASAP, even though the original bulletin rating was an 'Important' and not a 'Critical'," explained Leatham.

"Given the publicly available exploit code and the possible compromise of critical DNS services, IT teams that have not deployed this update should give it top priority," he added.

More information on all of the above can be found here.
