The so-called Patch Tuesday included four bulletins rated "critical" that affect Active Directory, Excel Host Integration Server, and Internet Explorer. Six bulletins are rated "important." The last one is rated "moderate." The "important" vulnerabilities have to do with privilege elevation and remote code execution. The "moderate" vulnerability has to do with information disclosure.
The Excel vulnerability affects various versions of Microsoft Office, including Microsoft Office for Mac 2004 and 2008. The IE patch could allow information disclosure or remote code execution if a user views a specially crafted Web page.
Of the "critical" patches, Vulnerability in Active Directory Could Allow Remote Code Execution (MS08-060) is garnering the most attention. Failure to apply the software could allow remote code execution if an attacker gains access to an affected network.
"This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers," Microsoft said in its bulletin. "If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability."
Eric Schultze, CTO of security firm Shavlik and formerly with Microsoft security, told InformationWeek he considers MS08-060 the most important in the batch.
"It's especially critical for an IT shop that has Windows [Server] 2000 domains and domain controllers," Schultze said. "You might not have them for long as any disgruntled employee can rename the files and take control of those assets without this patch."
Schultze said that Microsoft Security Bulletin MS08-063 and MS08-065, while labeled "important," is more than likely critical for a company's security. Both vulnerabilities allow for remote code execution, a favored target of hackers. MS08-063 in particular is dangerous because it impacts the Microsoft Server Message Block (SMB) protocol.
"That's the file- and printer-sharing protocol," Schultze said. "It's the protocol you use to log in and send something to the printer. So, if I go to my S drive and rename those files and give it a specifically long file name, then the moment that I do that, I can own that file server without human interaction. ... It's the first time in a long time we have seen these server-side vulnerabilities."
MS08-065 is a hole in Microsoft's Message Queuing Service (MSMQ) on Windows 2000 systems. The vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled.
Schultze also noted that five of the 11 bulletins posted by Microsoft are addressing vulnerabilities found in Windows Vista and Windows Server 2008. "This really shows us that these operating systems are impacted by legacy code that goes back to Windows 1998 or earlier," he said.
As it has done for the last few quarters, Microsoft is hosting a Webcast on Oct. 15 to address customer questions on these bulletins.
Customers are also being warned about an e-mail sent out by hackers who are posing as a Microsoft security executive.
An e-mail to many of Microsoft's customers claiming to be from Steve Lipner, Microsoft's security assurance director, is in fact a Mal/EncPk-CZ Trojan virus that allows hackers to gain remote control over an infected PC.
The note reads: "Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. Since public distribution of this update through the official website http://www.microsoft.com would have resulted in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users."
Microsoft said that it never sends out security updates by mail and warns customers not to open any attachments within the e-mail.