Microsoft on Tuesday released its December 2008 security bulletin.
The 'critical' bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The 'important' updates affect SharePoint and Windows Media Components.
Microsoft is including within each bulletin an 'exploitability index' to help system administrators prioritise the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or the individual bulletins detailed below.
MS08-070: Critical
Exploitability index: 1-2. Microsoft recommended that customers apply the update immediately.
Entitled 'Vulnerabilities in Visual Basic 6.0 runtime extended files (ActiveX controls) could allow remote code execution (932349)', this bulletin affects the Visual Basic 6.0 runtime extended files; all supported editions of Visual Studio .Net 2002, Visual Studio .Net 2003, Visual FoxPro 8.0, Visual FoxPro 9.0, Office Project 2003, and Office Project 2007.
This bulletin addresses the vulnerabilities detailed in CVE-2008-4252, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255, CVE-2008-4256, and CVE-2008-3704, which could allow remote code execution "if a user browsed a website that contains specially crafted content", according to Microsoft.
MS08-071: Critical
Exploitability index: 2-3. Microsoft recommended that customers apply this update immediately.
Entitled 'Vulnerabilities in GDI could allow remote code execution (956802)', this bulletin is rated critical for all supported editions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.
This bulletin addresses the vulnerabilities detailed in CVE-2008-2249 and CVE-2008-3465.
Microsoft said: "Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS08-072: Critical
Exploitability index: 1-3. Microsoft recommended that customers apply this update immediately.
Entitled 'Vulnerabilities in Microsoft Office Word could allow remote code execution (957173)', this bulletin is rated critical for supported editions of Office Word 2000 and Office Outlook 2007.
For supported editions of Office Word 2002, Office Word 2003, Office Word 2007, Office Compatibility Pack, Office Word Viewer 2003, Works 8, Office 2004 for Mac, Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important.
This bulletin addresses the issues detailed in CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4030, CVE-2008-4028, CVE-2008-4031 and CVE-2008-4837.
Microsoft said this bulletin resolves "eight privately reported vulnerabilities in Microsoft Office Word and Microsoft Office Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights".
MS08-073: Critical
Exploitability index: 1-2. Microsoft recommended that customers apply the update immediately.
Entitled 'Cumulative security update for Internet Explorer (958215)', this bulletin is rated critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on Windows 2000; Internet Explorer 6 running on Windows XP; and Internet Explorer 7.
For Internet Explorer 6 running on Windows Server 2003, this security update is rated as moderate.
This update addresses the vulnerabilities detailed in CVE-2008-4258, CVE-2008-4259, CVE-2008-4260 and CVE-2008-4261.
Microsoft said the vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer.
MS08-074: Critical
Exploitability index: 1-2. Microsoft recommended that customers apply the update immediately.
Entitled 'Vulnerabilities in Microsoft Office Excel could allow remote code execution (959070)', this bulletin is rated critical for all supported editions of Office Excel 2000.
For all supported editions of Office Excel 2002, Office Excel 2003, Office Excel Viewer 2003, Office Excel 2007, Office Compatibility Pack, Office Excel Viewer, Office 2004 for Mac, Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important.
For Internet Explorer 6 running on Windows Server 2003, this security update is rated moderate.
This update addresses the vulnerabilities detailed in CVE-2008-4265, CVE-2008-4264 and CVE-2008-4266.
Microsoft said that, if a user opens a specially crafted Excel file, an attacker could exploit these vulnerabilities and take complete control of an affected system.
MS08-075: Critical
Exploitability index: 1-2. Microsoft recommended that customers apply the update immediately.
Entitled 'Vulnerabilities in Windows Search could allow remote code execution (959349)', this bulletin is rated critical for all supported editions of Windows Vista and Windows Server 2008.
This update addresses the vulnerability detailed in CVE-2008-4268 and CVE-2008-4269.
Microsoft said that "these vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system".
MS08-076: Important
Exploitability index: 1. Microsoft recommended that customers apply the update at the earliest opportunity.
Entitled 'Vulnerabilities in Windows Media Components could allow remote code execution (959807)', this bulletin is rated important for Windows Media Player 6.4, Windows Media Format Runtime 7.1, Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Windows Media Services 4.1, Windows Media Services 9 Series, and Windows Media Services 2008.
This update addresses the vulnerabilities detailed in CVE-2008-3009 and CVE-2008-3010.
Microsoft said the "most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system".
MS08-077: Important
Exploitability index: 1. Microsoft recommended that customers apply the update at the earliest opportunity.
Entitled 'Vulnerability in Microsoft Office SharePoint Server could cause elevation of privilege (957175)', this bulletin is rated important for all supported editions of Office SharePoint Server 2007 and Search Server 2008.
This update addresses the vulnerability detailed in CVE-2008-4032.
Microsoft said the "vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure".
Talkback
Patching and remediation are skills every IT professional knows well. The deployment falls on the shoulders of the IT department to deploy and remediate these patches. It has the potential to consume lots of man-hours. Many companies lack the tools to enforce policies and automate patching and reporting throughout their desktops and systems. Often this challenge is draining IT resources and reducing the organisation’s ability to stay compliant with their regulations.
Consider an automated vulnerability management system, which enables a company to install and deploy all the patches on the right devices across the entire organisation within a single day. An automation process will save tens of thousands of pounds in payroll, and therefore IT can react much faster to issues and minimise downtime throughout their network environment.
This improvement in time is critical. We know that criminals are
getting better and better at exploiting vulnerabilities once they’re found. Businesses must be quick about remediation in order to keep the exploits at bay.
Automated tools alleviate the pressures from the IT department and allow for proactive, best practice procedures to be followed programmatically. An abundance of security-related costs are
eliminated within patch management and remediation solutions.