In association with heise online

15 October 2008, 14:04

Bounteous October patch day at Microsoft


This October's Microsoft patch day has given administrators plenty to be getting on with. As previously announced, Microsoft has released a total of eleven security bulletins. Microsoft classifies four of the patch packages as critical. Excel can execute malicious code contained in Excel documents (MS08-057); the vulnerable code is also found in SharePoint Server 2007. Windows 2000 domain controllers and the Host Integration Server can be infected with arbitrary malicious code via LDAP queries (MS08-060) and crafted RPC packets (MS08-059) respectively.

Internet Explorer 5.01, 6 and 7 are again accorded a wide-ranging cumulative update which is classed as critical (MS08-058). The vulnerabilities fixed include various cross-domain vulnerabilities, but most of the fixed vulnerabilities were exploited by attackers to inject malicious code onto users' computers and gain control of them when the users visit a crafted web page. Some of the bugs can lead to disclosure of confidential information.

A vulnerability in MS Office which results in the software package disclosing user information or executing script actions on web pages when the user clicks on crafted CDO links is classed as "moderate" (MS08-056). Microsoft categorises the remainder of the bulletins as "important". Three vulnerabilities in the Windows kernel of all versions of Windows (MS08-061), one vulnerability in the Ancillary Function Driver (AFD) in Windows XP and Server 2003 (MS08-066) and Virtual Address Descriptor manipulation (MS08-064) can all be locally exploited to obtain elevated access privileges.

Bugs in the internet printing service in all Windows versions except Vista (MS08-062), in the SMB networking protocol (MS08-063) and in message queuing (MS08-065) can all also be exploited for remote execution of malicious code, but are classed as "important" only. Microsoft has made the patches available via the usual update mechanisms.
