The bulletins address 28 vulnerabilities in Windows Search, Internet Explorer, Microsoft Office, and other Microsoft software.

Thomas Claburn, Editor at Large, Enterprise Mobility

December 9, 2008

3 Min Read

Microsoft on Tuesday released eight security bulletins and one security advisory as part of its regularly scheduled patch day.

Six of the bulletins are rated "critical" and two are rated "important."

The advisory was issued to alert users that Microsoft is investigating reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2.

Windows XP Service Pack 3, Windows Vista, and Windows Server 2008 aren't affected by the advisory. The bulletins address 28 vulnerabilities in the following software: the Windows graphics device interface, Windows Search, Internet Explorer, Visual Basic 6.0 Runtime Extended Files, Word, Excel, SharePoint Server, and Windows Media Components.

Eric Schultze, CTO of Shavlik Technologies, observed in an e-mailed statement that the first five bulletins -- MS08-070 to MS08-74 -- represent client-side vulnerabilities. These could be exploited by an attacker if the user visited a malicious Web site or opened a malicious file.

MS08-075 addresses two privately reported vulnerabilities in Windows Search that could allow remote execution of malicious code if the user opens a maliciously crafted saved search file in Windows Explorer or if a the user clicks on a maliciously crafted URL.

Schultze said that MS08-075 is a variant of an attack patched in July. He said he considers it low-risk because few people save and execute a search file.

MS08-076 addresses two privately reported vulnerabilities in Windows Media Player, Windows Media Format Runtime, and Windows Media Services. The more serious of the two could allow remote code execution, but Microsoft rates this bulletin as only important because the severity of the attack is mitigated if the user doesn't have administrative rights.

If exploited, this vulnerability could be used to transmit the user's logon credentials to the attacker after the user clicked on a malicious Window Media URL.

According to Schultze, the exploit would be similar to that used to take advantage of the MS08-068 vulnerability, which was patched in November.

"Microsoft says that Windows Media Player doesn't play by the same rules as the operating system, and that's why this issue wasn't fixed in the November patch release," he said. "This issue could become very serious if attackers figure out how to create the evil URLs."

Tyler Reguly, a security research engineer with nCircle, sees MS08-077 as the most significant bulletin and believes it should be elevated from "important" to "critical." The SharePoint vulnerability, he said in an e-mailed statement, "allows an unauthenticated attacker to access administrative controls. While the successful attacker would technically elevate privilege (anonymous to administrator), this vulnerability allows access controls to be bypassed altogether. For most people, privilege escalation means elevating regular user access to administrator, which may cause administrators to patch this issue with less urgency."

Dee Liebenstein, senior director of product management for Lumension, said that all of these patches should be taken seriously. "Most of these are ranked 'highly exploitable,'" she said, referring to the exploitability index that Microsoft introduced several months ago.

She advises IT managers to install the Windows and Internet Explorer patches as soon as possible, despite the system and server restart that will be required.

Read more about:


About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights