Microsoft’s October 2008 Update Plugs Critical Vulnerabilities In IE, Office And Windows
On Tuesday Microsoft issued updates for at least 20 security holes in Windows, Internet Explorer, Office, and other products. Among the critical vulnerabilities were several in version 6 of the Internet Explorer browser when running on Windows 2000 and Windows XP. The vulnerabilities could allow attackers to remotely install malware on a machine with no interaction required from the user, or to intercept transferred data. IE 7 and IE 6 running on Vista are also vulnerable, but to a lesser degree, Microsoft said.
Another batch of vulnerabilities affects the Excel spreadsheet program in Microsoft Office. The remote code execution bug is rated critical for users of Office 2003 and important for more recent versions. Another critical item sets IE kill bits for vulnerable third-party ActiveX controls.
The list of updates includes:
MS08-056 – Cross-site scripting (XSS) in the way Office XP SP3 handles the dialog window for the content-disposition:download and the cdo: protocol.
MS08-057 – Multiple vulnerabilities in Excel lead to arbitrary code execution. This also affects SharePoint Server. Replaces MS08-043.
MS08-058 – Multiple vulnerabilities in MSIE lead to arbitrary code execution and/or information leaks. Replaces MS08-045.
MS08-059 – RPC requests can bypass authentication and lead to arbitrary code execution.
MS08-060 – A buffer overflow in the LDAP services allows arbitrary code execution. LDAP over SSL is also affected. Replaces MS08-035.
MS08-061 – Multiple vulnerabilities in the Windows kernel allow privilege escalation. Replaces MS08-025.
MS08-062 – An integer overflow in IPP allows authenticated users to achieve arbitrary code execution in Windows Internet Printing (IIS).
MS08-063 – Crafted filenames lead to arbitrary code execution in the SMB protocol. Replaces MS06-063.
MS08-064 – An integer overflow allows privilege escalation. Replaces MS07-066, MS07-022 and Advisory 932596.
MS08-065 – An input validation failure in an RPC of MSMQ allows arbitrary code execution in Windows 2000 Message Queuing.
MS08-066 – An input validation failure allows privilege escalation in the Windows Ancillary Function Driver.
Advisory 956391 – Kill bits for third-party ActiveX controls (Microgaming, System Requirements Lab, PhotostockPro) as well as Microsoft ActiveX controls mentioned in MS02-044, MS08-017, MS08-041 and MS08-052.
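A kill bit is a registry setting that tells Internet Explorer never to instantiate a given ActiveX control, so after applying an advisory like 956391 an administrator will usually want to confirm the bits are actually present on patched machines. The script below is an added example written for this article, not code from CyberInsecure or Microsoft. It reads the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (and the Wow6432Node mirror on 64-bit Windows) and reports whether bit 0x400, the kill bit, is set. The CLSIDs in `$ClsidsToCheck` are placeholders, since the advisory's actual CLSIDs are not listed on this page; replace them with the values from the advisory.

```powershell
# Added example: audit ActiveX kill bits on the local machine.
# The kill bit for a control is bit 0x400 of the DWORD "Compatibility Flags"
# stored under the ActiveX Compatibility key for that control's CLSID.
$KillBitFlag = 0x400

# Both registry views matter on 64-bit Windows: 32-bit IE reads Wow6432Node.
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# PLACEHOLDER CLSIDs: substitute the CLSIDs from the advisory you are auditing.
$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

function Test-KillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [Parameter(Mandatory)][string]$CompatKey
    )
    $key = Join-Path -Path $CompatKey -ChildPath $Clsid
    if (-not (Test-Path -Path $key)) {
        # No compatibility entry at all: the control is not blocked here.
        return [pscustomobject]@{
            Clsid = $Clsid; View = $CompatKey; Flags = $null; KillBitSet = $false
        }
    }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $flags = [int]($props.'Compatibility Flags')
    return [pscustomobject]@{
        Clsid      = $Clsid
        View       = $CompatKey
        Flags      = ('0x{0:X}' -f $flags)
        KillBitSet = (($flags -band $KillBitFlag) -eq $KillBitFlag)
    }
}

# Report every CLSID in every registry view that exists on this machine.
$results = foreach ($view in $CompatKeys) {
    if (Test-Path -Path $view) {
        foreach ($clsid in $ClsidsToCheck) { Test-KillBit -Clsid $clsid -CompatKey $view }
    }
}
$results | Format-Table -AutoSize

# Exit non-zero if any checked control is still instantiable, so the script can
# be used as a compliance check from a scheduled job or management tool.
if ($results | Where-Object { -not $_.KillBitSet }) { exit 1 } else { exit 0 }
```

Run it in an elevated PowerShell session so the Wow6432Node view is readable; a row with `KillBitSet` equal to `False` means the update or advisory has not been applied to that registry view and the control could still be loaded by IE.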
This was the first Patch Tuesday in which Microsoft offered increased information about the likelihood of vulnerabilities actually being exploited. The company said that exploit code for a bug in the Windows Internet Printing service is already circulating. In all, eight vulnerabilities carried a warning that “consistent exploit code” was likely.
The updates came as miscreants started another spam wave that purported to offer a new “experimental private version of an update for all Microsoft Windows OS users.” It attempted to trick people into clicking on a program that installs a Trojan known as Win32/Haxdoor, which logs passwords and other sensitive information typed on a PC and sends this data back to the attackers.
Users are advised to read the overview of the October 2008 Microsoft patches and update as soon as possible.
November 17th, 2008 at 9:34 am
A pop-up called Software Manager
Critical Update October 2008 comes up when I open, but has no reference to Microsoft. Is this a software scam?