iTnews

Microsoft fixes 26 flaws, five critical, in August patch cycle

By Dan Kaplan on Aug 13, 2008 9:50AM

In its largest security update in 18 months, Microsoft on Tuesday delivered 11 patches to resolve 26 vulnerabilities in its operating system and related components.


Five of the fixes addressed flaws rated “critical,” meaning they could be exploited to execute remote code. In keeping with the theme of recent updates from the software giant, most of the bugs affect client software, not the server, and attackers will likely rely on social engineering to launch exploits.

The most significant of the “critical” patches appears to be bulletin MS08-045, a cumulative update for security holes in Internet Explorer (IE), Don Leatham, director of solutions and strategy at patch management provider Lumension Security, told SCMagazineUS.com on Tuesday.

The patch corrects five bugs in IE, four of which are based on HTML, the core language of the internet, he said. Attackers could exploit the vulnerabilities to infect victims with malware silently, without any user interaction.

“As your IE is rendering those HTML instructions, there could be malicious code embedded in those pages that will allow code to be downloaded and executed on that web page without the user's knowledge or intervention,” Leatham said.

Administrators should also pay close attention to bulletin MS08-041, which addresses a “critical” vulnerability in the ActiveX control for the Snapshot Viewer in Microsoft Access, and MS08-042, which involves a hole in Word rated as “important.”

Both flaws have been exploited to launch limited attacks during the past month, Microsoft has said.

Aside from the Access and Word fixes, the update also remedies issues in Excel, PowerPoint, Office Filters and Outlook Express.

“I think this is really like a perfect storm for Microsoft Office because each and every component is affected,” Amol Sarwate, manager of Qualys' vulnerability labs, told SCMagazineUS.com.

Yet another critical fix comes in MS08-046, which resolves a vulnerability in Microsoft Image Color Management system. A successful attacker could dupe a victim into visiting a malicious website, enabling the attacker to take control of an affected system.

The update plugs two “important” vulnerabilities. Perhaps the most unusual is an IPsec vulnerability, which could lead to information disclosure.

The flaw, which involves the way certain Windows Internet Protocol Security rules are handled, could be taken advantage of to disable IPsec tunneling, forcing text to be delivered in the clear.

“Since there is broad reliance on IPsec to establish secure encrypted communications, for companies sharing critical information among remote offices, this one is especially important to look at,” Leatham said.

Sarwate said administrators also should prioritise MS08-050, which sews up a vulnerability in Windows Messenger that was being actively exploited in limited attacks.

“This could allow attackers to steal Windows Messenger user IDs and then invite other people to audio and video conferences pretending to be the victim,” Sarwate said. “This is sort of a different vulnerability that we have not seen too many times before. It could also allow the attackers to look at the chat sessions [of victims].”

Jason Miller, security data team manager at patch-management software provider Shavlik Technologies, said end-users can expect to see a rise in specially crafted websites exploiting the vulnerabilities patched on Tuesday – if they have not already gone live.

“Usually all it takes is one person finding out, then they give [the exploit code] to everyone else,” he said.

Tuesday's bountiful update should also serve as another reminder to patch for a highly severe DNS design flaw, reported by researcher Dan Kaminsky. Microsoft, along with scores of other vendors, issued a fix in July, but some corporations may have been slow to patch because Microsoft labeled the patch “important,” not “critical,” Leatham said.

See original article on scmagazineus.com
Copyright © SC Magazine, US edition