News

Microsoft Rolls Out 8 Patches for 10 Vulnerabilities

Microsoft rolled out five "critical" and three "important" patches for Windows Server 2008, Vista, Office, IE and other software.

• By Jabulani Leffall
• 04/08/2008

The eight-patch rollout is significant in that Redmond has now released 25 fixes in the first four months of 2008 -- a pace well on track to exceed 2007's 69 security bulletins.

St. Paul, Minn.-based Shavlik Technologies' Chief Technology Officer Eric Schultze cites today's release as a good news/bad news affair.

"All eight bulletins this month are client-side vulnerabilities. In other words, your system is safe unless a user logs in and opens documents, reads e-mail or visits an evil Web site on that computer. Systems where no one logs on and does this are safe," Schultze said. "[But] of the five OS-related vulnerabilities this month, four impact Vista and Windows Server 2008. This doesn't speak well for the debut of Windows Server 2008."

Critical Flaws
For the critical patches, client-side fixes with Remote Code Execution (RCE) implications remain prominent across a wide swath of applications such as Office and IE. Several versions of the Windows OS are also at issue this month.

The first critical issue (MS08-018) affects Microsoft Office Project, a workflow and project tracking program. Redmond says the patch resolves a "privately reported vulnerability" in Project that could allow the often-cited "remote code execution" (RCE) attack if a user falls victim to a hacker-created Project file. Those who operate the system on an administrative level are at a greater risk than normal system end users, the company said. Project 2000 Service Release 1 and the 2002 Service Pack 1 version, along with 2003 SP2, are all included in the patch.

Critical patch No. 2 (MS08-021) fixes two Graphic Device Interface (GDI) vulnerabilities that were privately reported to Microsoft. The issue affects all supported releases of XP and Windows Server 2003, as well as Vista, Windows Server 2008 and Windows 2000 SP4.

Microsoft Security Response's Tim Rains said in an e-mailed statement that an incursion exploiting these vulnerabilities could "allow remote code execution if a user opens a specially crafted Enhanced Metafile Format (EMF) or Windows Metafile Format (WMF) image file."

The third critical patch (MS08-022) -- pertaining to RCE exploits that would affect Visual Basic or VBScript and JScripting engines -- was announced in a February advance bulletin and then pulled back on that Patch Tuesday, but made this month's slate. VBScript and JScript are used to write browser functions embedded in or included in hypertext markup language (HTML) pages. The issue affects VBScript 5.1 and 5.6, as well as JScript 5.1 and 5.6. Related OS versions under this patch umbrella are Windows 2000 SP4, XP SP2 and XP Professional SP2, and all Windows Server 2003 versions.

VBScript and JScript are used mainly by Web developers working with IE. For this reason, the second and third critical patches are of particular concern to Symantec Security Response.

"These are ripe for the picking for browser-based attacks," said Symantec Senior Research Manager Ben Greenbaum in an interview today. "And the main issue for us is that we continue to see these client-side vulnerabilities with dire consequences as attackers become more Web-bound."

And Web-bound hacking is exactly what the final two critical patches hope to deflect as they both deal with IE. The fourth patch (MS08-023) will plug up the application in the form of ActiveX Kill Bits, thereby preventing any incursions of RCE-based bugs for IE 5.01 SP4 and IE 6 SP1. There is also a special kill bit update for the browser-based Yahoo Music Jukebox product application. The fix also affects XP SP2 and XP Professional SP2 on a critical level, with Windows Server 2003 versions and both Vista SP1 editions designated as either "moderate" or "important" in severity. Lastly, it touches all versions of Windows Server 2008, albeit with a "low" priority proviso.

The last critical fix (MS08-024) is a cumulative patch for IE. Once again, RCE implications are prevalent in all IE versions -- 5 through 7 -- that are currently in circulation. The related operating systems affected are Windows 2000 SP4, both XP SP2 releases, all Windows Server 2003 SP1 releases, both Vista SP1 releases and all versions of Windows Server 2008.

Important Patches
As noted in the patch preview last Thursday, the three important-rated patches represent a hodgepodge of security preparedness measures as they attempt to block spoofing, elevation of privilege and RCE attacks.

The first important patch (MS08-020) combats a privately reported vulnerability in Windows Domain Name System (DNS) that could allow it to fall victim to a spoof attack known in the hacking community as a "masquerade ball" -- an entry through a vector point after which an attacker or programmed bug masks itself as legitimate to gain entry into a workstation or network. This bulletin touches all Windows Server 2003 releases and Vista primary releases, as well as Windows 2000 SP4, XP and XP Professional SP2 releases.

The second important patch (MS08-025) is designed to mitigate "elevation of privilege" risk in the Windows Kernel, where hackers can circumvent access controls and upgrade their user profile to gain carte blanche control of the system as an administrator or super user. This fix affects all the same operating systems as the first important patch with the exception that it also touches all three Windows Server 2008 releases.

Shavlik's Schultze said this patch is of particular concern: "From what I can tell, this vulnerability erases the mitigation that MS provides for all earlier patches [where Microsoft said] 'the evil code will only execute with the permissions of the logged on user.' Therefore, you are safer if you are logged on with a non-administrative account? This proves that's baloney."

The last important patch (MS08-019) affects Visio, the diagramming and imaging program for Windows. The RCE patch affects XP Office 2003 and 2007 Office System. The specific application versions are Visio 2002 SP3, 2003 SP2 and SP3, and Visio 2007 and 2007 SP1.

Web Attacks March On
Experts say the increase in vulnerabilities -- 10 were covered by these eight patches -- and the move to the Web as a primary vector by hackers will be one of the overriding security themes of 2008.

Referring to the VBScript and JScript flaws mentioned above, Symantec's Greenbaum said client-side, Web-based attack vulnerabilities will be the ones that stand out going forward.

"An attacker need only compromise and modify any Web page, which when viewed by a user in a browser that uses these engines, will result in the execution of attacker-supplied code on the user's computer," he said. "This is particularly troublesome given the increased focus by attackers in the last year and earlier this year on compromising trusted Web sites and inserting attacks into these sites that leverage vulnerabilities just like these."