Microsoft Rolls Out Eight Patches for 10 Vulnerabilities
- By Jabulani Leffall
- April 8, 2008
Today Microsoft rolled out five "critical" and three "important"
patches for Windows Server 2008, Vista, Office, Internet Explorer and other
software as part of its regularly scheduled Patch Tuesday release.
The eight-patch rollout is significant in that Redmond has now released 25
fixes in the first four months of 2008 -- a pace well on track to exceed 2007's
69 security bulletins.
St. Paul, Minn.-based Shavlik Technologies' Chief Technology Officer Eric Schultze
cites today's release as a good news/bad news affair.
"All eight bulletins this month are client-side vulnerabilities. In other
words, your system is safe unless a user logs in and opens documents, reads
e-mail or visits an evil Web site on that computer. Systems where no one logs
on and does this are safe," Schultze said. "[But] of the five
OS-related vulnerabilities this month, four impact Vista and Windows Server
2008. This doesn't speak well for the debut of Windows Server 2008."
For the critical patches, client-side fixes with remote code execution (RCE)
implications remain prominent across a wide swath of applications, such as Office
and IE. Several versions of the Windows OS are also at issue this month.
The first critical issue (MS08-018)
affects Microsoft Office Project, a workflow and project tracking program. Redmond
says the patch resolves a "privately reported vulnerability" in Project
that could allow the often-cited "remote code execution" (RCE) attack
if a user falls victim to a hacker-created Project file. Those who operate the
system on an administrative level are at a greater risk than normal system end
users, the company said. Project 2000 Service Release 1 and the 2002 Service
Pack 1 version, along with 2003 SP2, are all included in the patch.
Critical patch No. 2 (MS08-021)
fixes two Graphics Device Interface (GDI) vulnerabilities that were privately
reported to Microsoft. The issue affects all supported releases of XP and Windows
Server 2003, as well as Vista, Windows Server 2008 and Windows 2000 SP4.
Microsoft Security Response's Tim Rains said in an e-mailed statement that
an incursion exploiting these vulnerabilities could "allow remote code
execution if a user opens a specially crafted Enhanced Metafile Format (EMF)
or Windows Metafile Format (WMF) image file."
The third critical patch (MS08-022)
-- pertaining to RCE exploits affecting the VBScript (Visual Basic Scripting
Edition) and JScript scripting engines -- was announced in a February advance
bulletin and then pulled back on that Patch Tuesday, but made this month's slate.
VBScript and JScript are used to write browser functions embedded in, or included
in, hypertext markup language (HTML) pages. The issue affects VBScript 5.1 and
5.6, as well as JScript 5.1 and 5.6. Related OS versions under this patch umbrella
are Windows 2000 SP4, XP SP2 and XP Professional SP2, and all Windows Server 2003 versions.
VBScript and JScript are used mainly by Web developers working with IE. For
this reason, the second and third critical patches are of particular concern
to Symantec Security Response.
"These are ripe for the picking for browser-based attacks," said
Symantec Senior Research Manager Ben Greenbaum in an interview today. "And
the main issue for us is that we continue to see these client-side vulnerabilities
with dire consequences as attackers become more Web bound."
And Web-bound hacking is exactly what the final two critical patches hope
to deflect, as they both deal with IE. The fourth patch (MS08-023)
hardens the browser by setting ActiveX kill bits, which stop the affected controls
from loading and thereby block RCE-based bugs in IE 5.01 SP4 and IE 6 SP1. There
is also a special kill bit update for the browser-based Yahoo Music Jukebox product
application. The fix also affects XP SP2 and XP Professional SP2 on a critical
level, with Windows Server 2003 versions and both Vista SP1 editions designated
as either "moderate" or "important" in severity. Lastly,
it touches all versions of Windows Server 2008, albeit with a "low"
The last critical fix (MS08-024)
is a cumulative patch for IE. Once again, RCE implications are prevalent in
all IE versions -- 5 through 7 -- that are currently in circulation. The related
operating systems affected are Windows 2000 SP4, both XP SP2 releases, all Windows
Server 2003 SP1 releases, both Vista SP1 releases and all versions of Windows
As noted in the patch
preview last Thursday, the three important-rated patches represent a hodgepodge
of security preparedness measures as they attempt to block spoofing, elevation
of privilege and RCE attacks.
The first important patch (MS08-020)
combats a privately reported vulnerability in Windows Domain Name System (DNS)
that could allow it to fall victim to a spoof attack known in the hacking community
as a "masquerade ball" -- an attack in which an attacker or malicious
program impersonates a legitimate party in order to gain entry into a workstation
or network. This bulletin touches all Windows Server 2003 releases and Vista
primary releases, as well as Windows 2000 SP4, XP and XP Professional SP2 releases.
The second important patch (MS08-025) is designed to mitigate "elevation of privilege" risk in the Windows Kernel, where hackers can circumvent access controls and upgrade their user profile to gain carte blanche control of the system as an administrator or super user. This fix affects all the same operating systems as the first important patch with the exception that it also touches all three Windows Server 2008 releases.
Shavlik's Schultze said this patch is of particular concern: "From what
I can tell, this vulnerability erases the mitigation that MS provides for all
earlier patches [where Microsoft said] 'the evil code will only execute with
the permissions of the logged on user.' Therefore, you are safer if you are
logged on with a non-administrative account? This proves that's baloney."
The last important patch (MS08-019)
affects Visio, the diagramming and imaging program for Windows. The RCE patch
affects Office XP, Office 2003 and the 2007 Office system. The specific application
versions are Visio 2002 SP3, Visio 2003 SP2 and SP3, and Visio 2007 and 2007 SP1.
Web Attacks March On
Experts say the increase in vulnerabilities -- 10 were covered by these
eight patches -- and the move to the Web as a primary vector by hackers will
be one of the overriding security themes of 2008.
Referring to the VBScript
and JScript flaws mentioned above, Symantec's Greenbaum said client-side, Web-based
attack vulnerabilities will be the ones that stand out going forward.
"An attacker need only compromise and modify any Web page, which when
viewed by a user in a browser that uses these engines, will result in the execution
of attacker-supplied code on the user's computer," he said. "This
is particularly troublesome given the increased focus by attackers in the last
year and earlier this year on compromising trusted
Web sites and inserting attacks into these sites that leverage vulnerabilities
just like these."
Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.