Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
Digg this story   Add to del.icio.us  
Microsoft Patch Tuesday, December 2008
Robert Keith, Symantec Security Response 2008-12-09

Hello and welcome to this month's blog on the Microsoft patch releases. As far as vulnerability counts go, this is the largest patch release since Microsoft started the "Patch Tuesday" program back in late 2003. The release contains eight bulletins covering 28 vulnerabilities.

Of those issues, 23 are rated "Critical" and affect Word, Outlook, Internet Explorer, Visual Basic ActiveX controls, GDI, Windows Search, and Excel. All of the "Critical" issues this month require some sort of user interaction, whether visiting a Web page that contains malicious content or viewing a malicious file. The remaining issues affect GDI, Windows Search, SharePoint, and Windows Explorer; they range in importance from "Important" to "Moderate."

As always, customers are advised to follow security best practices, including:

- Install vendor patches as soon as they are available
- Block external access at the network perimeter to specific sites and computers only
- Avoid sites of questionable or unknown integrity
- Never open files from unknown or questionable sources
- Run all software with the least privileges required while still maintaining functionality

Microsoft's summary of the December releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx

 

The "Critical" issues this month are:

1. MS08-070 Vulnerabilities in Visual Basic ActiveX Controls Could Allow Remote Code Execution (932349)

Multiple remote code execution vulnerabilities affect various ActiveX controls for Visual Basic 6. An attacker can exploit these issues by tricking an unsuspecting victim into viewing a malicious Web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. The issues include:

CVE-2008-4252 (BID 32591) Microsoft DataGrid ActiveX Control Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4253 (BID 32592) Microsoft FlexGrid ActiveX Control Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4254 (BID 32612) Microsoft Hierarchical FlexGrid ActiveX Control Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4255 (BID 32613) Microsoft Windows Common AVI ActiveX Control File Parsing Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4256 (BID 32614) Microsoft Charts ActiveX Control Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-3704 (BID 30674) Microsoft Visual Studio 'Msmask32.ocx' ActiveX Control Remote Buffer Overflow Vulnerability (MS Rating: Critical/Symantec Urgency Rating 8.9/10)

This is a previously public vulnerability in the MaskedEdit ActiveX control detected by Symantec on August 13, 2008, and is documented in BID 30674. A stack-based buffer overflow occurs when the control handles overly large arguments to the "Mask" parameter. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious Web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged in user.

2. MS08-071 Vulnerabilities in GDI Could Allow Remote Code Execution (956802)

CVE-2008-2249 (BID 32634) Microsoft Windows GDI WMF Integer Overflow Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects GDI when processing a specially malformed header in a WMF file. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious WMF file. A successful exploit will result in the execution of arbitrary code in the context of the currently logged in user.

3. MS08-072 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (957173)

Multiple remote code execution vulnerabilities affect Word when handling malicious Office and Rich Text Format (RTF) files. An attacker can exploit these issues by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user. The issues include:

CVE-2008-4024 (BID 32580) Microsoft Word Malformed Record Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4026 (BID 32583) Microsoft Word Malformed Value Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4837 (BID 32584) Microsoft Word Malformed Record Value Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4025 (BID 32579) Microsoft Word RTF Malformed Control Word Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4027 (BID 32581) Microsoft Word RTF Malformed Control Word Variant 1 Remote Code Execution Vulnerabillity (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4030 (BID 32642) Microsoft Word RTF Malformed Control Word Variant 2 Remote Code Execution Vulnerabillity (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4028 (BID 32585) Microsoft Word RTF Malformed Control Word Variant 3 Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4031 (BID 32594) Microsoft Word RTF Malformed String Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

4. MS08-073 Cumulative Security Update for Internet Explorer (958215)

Multiple remote code execution vulnerabilities affect Internet Explorer. An attacker can exploit these issues by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user. The issues include:

CVE-2008-4258 (BID 32596) Microsoft Internet Explorer Navigation Method Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4259 (BID 32586) Microsoft Internet Explorer HTML Objects Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4260 (BID 32593) Microsoft Internet Explorer Deleted Object Access Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4261 (BID 32595) Microsoft Internet Explorer Embedded Object Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

5. MS08-074 Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)

Multiple remote code execution vulnerabilities affect Excel when handling malicious Excel files. An attacker can exploit these issues by tricking an unsuspecting victim into opening a malicious Excel file. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user. The issues include:

CVE-2008-4265 (BID 32618) Microsoft Excel Malformed Object Handling Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4264 (BID 32621) Microsoft Excel Formula Handling Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

CVE-2008-4266 (BID 32622) Microsoft Excel Global Array Memory Corruption Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

6. MS08-075 Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)

CVE-2008-4269 (BID 32652) Microsoft Windows Search 'search-ms' Protocol Parsing Remote Code Execution Vulnerability (MS Rating: Critical/Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Windows Explorer in the "search-ms" protocol handler. An attacker can exploit this issue by tricking a victim into viewing a Web page with a malicious "search-ms://" URI. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

 



More information on these and the other vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.




The information, views, and opinions contained on this page are those of the author and do not necessarily reflect the views and opinions of SecurityFocus.






 

Privacy Statement
Copyright 2009, SecurityFocus