December 9th, 2008
MS Patch Tuesday whopper: 28 vulnerabilities in Windows, IE, Office
Microsoft today dropped a monster Patch Tuesday release with fixes for at least 28 vulnerabilities affecting Windows, Office, Internet Explorer, Visual Basic Active Controls and Windows Media Player.
Of the 28 flaws, 23 carry a “critical” rating, meaning they could be used to launch remote code execution attacks with minimal user action. It is the largest patch batch from Redmond since the company implemented the Patch Tuesday schedule five years ago.
Most of the bulletins address client-side flaws that could be exploited via the browser or if a user opens a booby-trapped file.
[ SEE: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks ]
The bulletin with the most patches (MS08-072) addresses a total of 8 flaws in the ubiquitous Microsoft Office software suite. According to Microsoft, the bugs could be exploited if a user is tricked into opening a rigged Word of RTF (Rich Text Format) file.
Another major bulletin is MS08-073, which covers 4 flaws in Internet Explorer, the world’s most widely deployed browser. These could be exploited if a user simply surfs to a specially crafted page in IE, making it a perfect target for drive-by download attacks.
Here are the raw details on all the patches:
- MS08-070 (critical; 6 vulnerabilities fixed): This update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls), which could allow remote code execution if a user browsed a Web site that contains specially crafted content.
- MS08-071 (critical; 2 vulnerabities fixed): This update resolves two privately reported vulnerability in Windows, which could allow remote code execution if a user opens a specially crafted WMF image file.
- MS08-072 (critical; 8 vulnerabilities): This update resolves eight privately reported vulnerabilities in Microsoft Office, which could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file.
- MS08-073 (critical; 4 vulnerabilities fixed): This update resolves four privately reported vulnerabilities in Internet Explorer, which could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
- MS08-074 (critical; 3 vulnerabilities): This update resolves three privately reported vulnerabilities in Microsoft Office, which could allow remote code execution if a user opens a specially crafted Excel file.
- MS08-075 (critical; 2 vulnerabilities): This update resolves two privately reported vulnerabilities in Windows, which could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL.
- MS08-076 (important; 2 vulnerabilities): This update resolves two privately reported vulnerabilities in Windows, which could allow remote code execution.
- MS08-077 (important; 1 vulnerability): This update resolves one privately reported vulnerability in Microsoft Office SharePoint, which could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack could result in denial of service or information disclosure.
[ SEE: Coming on Patch Tuesday: 8 bulletins, 6 critical ]
According to Eric Schultze, CTO of patch-management firm Shavlik Technologies, Windows users should prioritize around the MS08-76 as well as MS08-070 through MS08-075, as soon as possible.
“Corporations and hosting services that use Sharepoint 2007 should install MS08-077 as soon as they can,” Schultze said.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
