Daily cyber threats and internet security news: network security, online safety and latest security alerts
October 15th, 2008

Microsoft’s October 2008 Update Plugs Critical Vulnerabilities In IE, Office And Windows

On Tuesday Microsoft issued updates for at least 20 security holes in Windows, Internet Explorer, Office, and other products. Among the critical vulnerabilities were several in version 6 of the Internet Explorer browser when running on Windows 2000 and Windows XP. The vulnerabilities could allow attackers to remotely install malware on a machine with no interaction required from the user, or to intercept transferred data. IE 7 and IE 6 running on Vista are also vulnerable but to a lesser degree, Microsoft said.

Another batch of vulnerabilities affects the Excel spreadsheet program in Microsoft Office. The remote execution bug is rated critical for users of Office 2003 and important for more recent versions. Another critical vulnerability affected IE killbits in third-party applications.

The list of updates includes:

MS08-056 – Cross-site scripting (XSS) in the way Office XP SP3 handles the dialog window for the content-disposition:download and the cdo: protocol.

MS08-057 – Multiple vulnerabilities in Excel lead to arbitrary code execution. This also affects SharePoint Server. Replaces MS08-043.

MS08-058 – Multiple vulnerabilities in MSIE lead to arbitrary code execution and/or information leaks. Replaces MS08-045.

MS08-059 – RPC requests can bypass authentication and lead to arbitrary code execution.

MS08-060 – A buffer overflow in the LDAP services allows arbitrary code execution. LDAP over SSL is also affected. Replaces MS08-035.

MS08-061 – Multiple vulnerabilities in the Windows kernel allow privilege escalation. Replaces MS08-025.

MS08-062 – An integer overflow in IPP allows arbitrary code execution by authenticated users in Windows internet printing (IIS).

MS08-063 – Crafted filenames lead to arbitrary code execution in the SMB protocol. Replaces MS06-063.

MS08-064 – An integer overflow allows privilege escalation. Replaces MS07-066, MS07-022 and Advisory 932596.

MS08-065 – An input validation failure in an RPC of MSQS allows arbitrary code execution in Windows 2000 message queuing.

MS08-066 – An input validation failure allows privilege escalation in the Windows ancillary function driver.

Advisory 956391 – Killbits for third-party (Microgaming, System Requirements Lab, PhotostockPro) as well as Microsoft ActiveX controls mentioned in MS02-044, MS08-017, MS08-041 and MS08-052.

This was the first Patch Tuesday in which Microsoft offered increased information about the likelihood of vulnerabilities actually being exploited. The company said that exploit code for a bug in the Windows internet printing service is already circulating. In all, eight vulnerabilities carried a warning that “consistent exploit code” was likely.

The updates came as miscreants started another spam wave that purported to offer a new “experimental private version of an update for all Microsoft Windows OS users.” It attempted to trick people into clicking on a program that installs a trojan known as Win32/Haxdoor, which logs passwords and other sensitive information typed on a PC and sends this data back to the attackers.

Users are advised to read the overview of the October 2008 Microsoft patches and update as soon as possible.


    One Response to “Microsoft’s October 2008 Update Plugs Critical Vulnerabilities In IE, Office And Windows”

    1. Ellen V. Moore Says:
      November 17th, 2008 at 9:34 am

      a pop-up called Software Manager
      Critical Update October 2008 comes up when I open but has no reference to Microsoft. Is this a software scam ?
