Major patch day for Microsoft Office
Four of the six critical updates from Microsoft's August patch day relate to Office products – Access, Excel, PowerPoint and Office Filters. There are also critical patches for both Windows and Internet Explorer. The known vulnerability in Word is also fixed via a patch classified as important.
It has taken Microsoft more than a month to deliver a suitable patch – MS08-041, following initial reports of targeted attacks exploiting a security vulnerability in an ActiveX control for displaying Access Database Snapshots. It’s a similar story for the vulnerability in Word reported just one day later. The update described in MS08-042 is classified by Microsoft, however, as merely 'important', despite the fact that it allows code injection when opening crafted files. Why this should be remains a mystery – the 'mitigating factors' section offers no explanation for this inequality of treatment.
By contrast, the Excel vulnerabilities described in MS08-043 once more make it into the highest category. For Office 2000 at least, three of the spreadsheet's four security problems are classed as critical. The Office Filters Bulletin, MS08-044, beats even that. All five vulnerabilities, in the filters for EPS, PICT, BMP and WPG files, are classed as critical.
And so it goes on, with three vulnerabilities in PowerPoint, although only one is classed as critical – MS08-051. The similarity of the limitations to exploitation of the remote code execution vulnerabilities almost makes one wonder if similar vulnerabilities are being classed as of lower severity, on principle, where they occur in newer product versions.
The Internet Explorer team has also been busy. MS08-045 discusses six vulnerabilities – all critical, up to and including, Internet Explorer 7. It's noteworthy that five of the vulnerabilities relate to memory management problems. The sixth concerns IE's print preview function. In contrast to the Office problems, according to Microsoft the IE vulnerabilities are not yet being actively exploited.
MS08-046 relates to a critical vulnerability in the Windows Image Color Management System, which can be exploited using crafted images to inject and execute code. Vista and Server 2008 are, however, both immune to this problem.
The two vulnerabilities in the event handler also allow code injection – MS08-049. Exploitation does, however, require attackers to be logged onto the system, so requires a username and password. The remaining three important updates relate to potential disclosure of information by Outlook Express/Windows Mail – MS08-48, Windows Messenger – MS08-50 – and the IPSec protocol – MS08-047.
Microsoft appears to have put off the critical update for its Media Player announced on Friday. Microsoft does not generally give reasons for such decisions. The patches for the Office vulnerabilities, which are already being actively exploited, and for Internet Explorer, for which exploits are certain to start appearing shortly, should be installed as soon as possible.
- Security Bulletin Summary for August 2008, Microsoft summary.