Microsoft has released six critical patches and five patches described as important, addressing a total of 26 vulnerabilities. All six critical updates address code injection risks involving Access, Excel, Microsoft Office and Internet Explorer.
The full bulletin can be found here. Here is a brief summary of the critical flaws:
CVE-2008-2254, CVE-2008-2255, CVE-2008-2256, CVE-2008-2257, CVE-2008-2259 and CVE-2008-2258: These patches fix IE 5 through 7 on various flavors of Windows and address HTML objects memory corruption vulnerabilities as well as memory corruption issues.
CVE-2008-3004, CVE-2008-3005, CVE-2008-3006, CVE-2008-3003: These patches address four vulnerabilities in Excel that could lead to remote code execution. An attacker could take advantage of the way Excel processes array indexes, values loaded into memory, record values and connections to third-party data.
CVE-2008-0120, CVE-2008-0121 and CVE-2008-1455: Microsoft says: This security update resolves three privately reported vulnerabilities in Microsoft Office PowerPoint and Microsoft Office PowerPoint Viewer that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Office 2000, 2003 and 2007 are impacted.
CVE-2008-3019, CVE-2008-3018, CVE-2008-3021, CVE-2008-3020, CVE-2008-3460: Microsoft patched vulnerabilities that could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. Office 2000, 2003 and Project 2002 are impacted.
CVE-2008-2245: Microsoft fixed a remote code execution vulnerability in the way that the Microsoft Color Management System (MSCMS) module of the Microsoft ICM component handles memory allocation. The vulnerability could allow remote code execution if a user opens a specially crafted image file. Software affected includes Windows 2000, XP, and Server 2003.
CVE-2008-2463: This patch addresses an arbitrary file download vulnerability in the Snapshot Viewer for Microsoft Access. The Snapshot Viewer is an ActiveX control found in Office 2000, XP, Access and Office 2003.
Both servers and (particularly) desktops will need patching to defend against the flaws, which affect the full range of Windows systems and many versions of Office. The total number of vulnerabilities addressed by the patch batch is the highest in two years.
Two of the patches cover vulnerabilities which had already been actively exploited by hackers, according to net security firm McAfee. Opening a rigged image or Office file as well as drive-by download attacks are all possible exploit scenarios for these flaws, which cover bugs in the ActiveX Control of Snapshot Viewer for Microsoft Access and a flaw in Word. Microsoft, for some reason, rates the Word flaw only as “important” rather than critical.
McAfee reckons that updates that fix image processing flaws and a cumulative update for Internet Explorer are also likely targets for attacks and ought to receive prompt triage by sysadmins.
Microsoft originally planned to publish twelve bulletins on Tuesday but held one back because of a “last minute quality issue”, a posting on Microsoft’s Security Response Centre Blog explains.