In association with heise online

09 April 2008, 13:26

Microsoft April patch day: five critical and three important

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

As previously announced, Microsoft released eight security updates on April Patch Tuesday. Five of them are rated "critical" and patch vulnerabilities that permit attackers to execute arbitrary malicious code with user rights via the internet. One of the three most important updates fixes a hole in the Windows kernel that makes it possible to gain complete administrative control over a system.

Bulletins MS08-023 and MS08-024 pertain to vulnerabilities that affect all versions of Internet Explorer in all versions of Windows. In order to pick up malicious code, users have to browse a manipulated website using Internet Explorer. The data stream handling error in IE that MS08-024 refers to is rated "critical" for all versions. In MS08-023, the Redmond developers address two IE problems in one go. First, the hxvz.dll ActiveX module can corrupt memory, enabling malicious code to be injected. Second, the update sets a kill bit for two vulnerable Yahoo ActiveX controls. According to the bulletin, this was requested by Yahoo.a

For Windows 2000 and XP, Microsoft rated both ActiveX problems as "critical". On Server 2003, which users seldom use for browsing, it is rated merely as "moderate". Under Vista and Windows Server 2008 the vulnerabilities are rated as "important" and "low", respectively, probably because they are more difficult to exploit in those versions due to new security mechanisms.

A critical security hole in VBScript 5.6 and JScript 5.6 (MS08-022) also crops up when browsing with IE, but not under Vista or Server 2008. MS08-021 describes two holes in the graphics device interface (GDI). Displaying specially crafted EMF or WMF image files can cause a buffer overflow that attackers can use to inject arbitrary malicious code. The GDI errors affect all versions of Windows and are also rated as "critical". In order to exploit the critical vulnerability described in MS08-018 in Project 2000 Service Release 1, 2002 SP 1 and 2003 SP 2, attackers have to persuade their victims to open a manipulated project file.

The three updates classified as "important" affect the Windows kernel (MS08-025), the Windows DNS client (MS08-020), and Microsoft Office Visio (MS08-019). In all versions of Windows, the kernel filters some user data inadequately, allowing attackers with limited access to gain complete administrative control over a system. The DNS Client can be tricked into resolving hostnames to false IP adresses, possibly leading to a malicious webserver. According to the bulletin, Vista clients with service pack 1 and Server 2008 are not affected. The Visio component of the current Office package is also vulnerable. If a user unwittingly opens a manipulated Visio file, malicious code could be injected. The Visio Viewer is not affected.

Windows users should install the updates immediately as recommended by Microsoft in order to close the security holes described. The patches can be installed automatically using the Windows update feature or retrieved individually from Microsoft's update website.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit