December's Patch Arrives, Addressing 28 Security Bugs

December's Patch Tuesday will be a historic security update release. But it won't be because of the size and scope of the eight patches, which contain six "critical" and two "important" items. Rather, the patch will be remarkable because of the vulnerability count, weighing in at a bulky 28 bugs. Moreover, of those 28 vulnerabilities, 23 are rated as critical to fix.

This December patch addresses the largest and most wide-reaching collection of bugs since Microsoft's inception of Patch Tuesday in 2003.

"What a way to end the year, eight bulletins and a whopping 28 CVEs," said Andrew Storms, director of security at nCircle, in an e-mailed statement. "The Microsoft elves have been busy and delivered everyone plenty of work to do this holiday season. All but one of the bulletins deals with client-side applications and includes all the usual suspects: IE, Office, ActiveX and GDI."

Additionally, in the last patch cycle of 2008, seven of the eight fixes are related to remote code execution (RCE) vulnerabilities and represent a mix of fixes for Windows operating systems as well as a bevy of Microsoft Office applications. In fact, all of the critical items are RCE related. There is one elevation of privilege consideration in the important group of patches.

Ben Greenbaum, senior research manager of Symantec Security Response, said the sheer number of vulnerabilities being patched is what grabbed his attention. Unlike some of the lighter rollouts, each exploit has the potential to be dangerous if not patched, he added.

"While Web-based attacks seem to be the main choice for opportunistic attackers, targeted attacks are often carried out via malicious Word and Excel files attached to e-mail messages," Greenbaum said. "While both of these vectors have vulnerabilities patched by the release, the number of vulnerabilities in Word and Excel provides attackers additional means to carry out these kinds of attacks."

Critical Fixes
First up is a critical Windows fix for the graphic device interface. It resolves two privately reported vulnerabilities triggered when a user opens a specially crafted Windows Metafile (WMF) image or WMF-coded document. If an attacker got through using this exploit, they could gain access rights to install, change and delete, or they could change privileges to muck up a Windows-based system. The fix addresses Microsoft Windows 2000 Service Pack 4, Windows XP, Vista, and both 2003 and 2008 editions of Windows Server.

The second critical fix covers Vista and Windows Server 2003 and 2008, and deals with Windows search. It involves an exploit where a specially crafted and embedded search file placed into Windows Explorer could create an opening for an RCE incursion.

With more attacks becoming browser-based, critical item No. 3 is a mainstay in the annual cycle of patch releases. It's a cumulative hotfix for Internet Explorer, touching on versions of IE ranging from IE5.1 to IE6 and IE7. The exploit takes place when a user clicks on "evil Web pages," according to security mavens. The applicable OS versions for this patch are Windows 2000 SP4, Windows XP, Vista, and both 2003 and 2008 editions of Windows Server.

The fourth critical item on the slate deals with multiple vulnerabilities. It addresses an eye-opening five privately reported vulnerabilities, plus one publicly reported bug. The issue lies within the ActiveX control mechanisms for several Microsoft Visual Basic programs. The fix affects Microsoft Office FrontPage and Microsoft Office Project. Other apps covered include Office FrontPage 2002 SP3, Office Project 2003 SP3, Office Project 2007 and Office Project 2007 SP1.

Fifth in the critical mix is a wide-ranging hotfix for the ubiquitous word processing app Microsoft Word. The fix addresses eight privately reported vulnerabilities in Microsoft Office Word as well as Microsoft Office Outlook. All it takes is initializing a corrupt Word or Rich Text Format (RTF) file and the hacker can then make short work of an infected workstation and, by extension, the network. The patch covers several versions, such as Word 2000 SP3, Word 2002 SP3 and each release of Word 2007. Also addressed in this fix are Word 2004 and 2008 for Mac, Office Word Viewer, PowerPoint 2007 and Word for Microsoft Works 8.5.

The sixth and last critical bulletin touches on three related vulnerabilities that can be triggered if a user opens up a malicious Excel file. It addresses vulnerabilities in Excel 2000 SP3, Excel 2002 SP3, Excel 2003 SP3, as well Excel 2007. Additionally, Excel 2004 and 2008 for Mac and the Excel Viewer are covered.

Important Fixes
The No.1 important bulletin is a cumulative update for SharePoint Server 2007 programs. This fix addresses an elevation of privilege vulnerability where a hacker could change access parameters in SharePoint, enabling further entry into a compromised system.

Microsoft specifically described this fix as resolving a privately disclosed vulnerability. The fix lessens the possibility of an attacker bypassing "authentication by browsing to an administrative URL on a SharePoint site."

"We believe that overall attackers will start to focus their attention on SharePoint and these new collaboration services as their deployment numbers grow and as operating systems mature and become safer out-of-the-box," said Wolfgang Kandek, chief technology officer at security firm Qualys.

The second important item and last fix in the slate addresses two privately disclosed plug-in vulnerabilities in most Windows Media Center applications. The affected solutions include Windows 2000 Server, Windows Media Player 6.4 for Windows 2000 Server, Windows Media Format Runtime 7.1 and 9.0 versions, as well as Windows Media Services 4.1.

For Windows XP-based systems, the affected solutions include Windows Media Player 6.4, Windows Media Format Runtime 9.0, 9.5 and 11.

For Windows Server 2003-based systems, the Windows Media Center components on the slate include Windows Media Player 6.4 and Windows Media Format Runtime 9.5.

For Vista and Windows Server 2008-based system, the fix affects Windows Media Format Runtime 11.

As an addendum to the advanced bulletin, where five of the updates require restarts, it now appears that all of the patches either "will" or "may" require restarts.

IT pros who want information on general updates and other nonsecurity content can find it at this knowledgebase article. The KB article describes getting updates via Microsoft Update, Windows Update and Windows Server Update Services.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.