Microsoft April patch day: five critical and three important
As previously announced, Microsoft released eight security updates on April Patch Tuesday. Five of them are rated "critical" and patch vulnerabilities that permit attackers to execute arbitrary malicious code with user rights via the internet. One of the three updates rated "important" fixes a hole in the Windows kernel that makes it possible to gain complete administrative control over a system.
Bulletins MS08-023 and MS08-024 pertain to vulnerabilities that affect all versions of Internet Explorer in all versions of Windows. In order to pick up malicious code, users have to browse a manipulated website using Internet Explorer. The data stream handling error in IE that MS08-024 refers to is rated "critical" for all versions. In MS08-023, the Redmond developers address two IE problems in one go. First, the hxvz.dll ActiveX module can corrupt memory, enabling malicious code to be injected. Second, the update sets a kill bit for two vulnerable Yahoo ActiveX controls. According to the bulletin, this was requested by Yahoo.
For Windows 2000 and XP, Microsoft rated both ActiveX problems as "critical". On Server 2003, which users seldom use for browsing, they are rated merely as "moderate". Under Vista and Windows Server 2008 the vulnerabilities are rated as "important" and "low", respectively, probably because they are more difficult to exploit in those versions due to new security mechanisms.
A critical security hole in VBScript 5.6 and JScript 5.6 (MS08-022) also crops up when browsing with IE, but not under Vista or Server 2008. MS08-021 describes two holes in the graphics device interface (GDI). Displaying specially crafted EMF or WMF image files can cause a buffer overflow that attackers can use to inject arbitrary malicious code. The GDI errors affect all versions of Windows and are also rated as "critical". In order to exploit the critical vulnerability described in MS08-018 in Project 2000 Service Release 1, 2002 SP 1 and 2003 SP 2, attackers have to persuade their victims to open a manipulated project file.
The three updates classified as "important" affect the Windows kernel (MS08-025), the Windows DNS client (MS08-020), and Microsoft Office Visio (MS08-019). In all versions of Windows, the kernel filters some user data inadequately, allowing attackers with limited access to gain complete administrative control over a system. The DNS client can be tricked into resolving hostnames to false IP addresses, possibly leading to a malicious web server. According to the bulletin, Vista clients with Service Pack 1 and Server 2008 are not affected. The Visio component of the current Office package is also vulnerable. If a user unwittingly opens a manipulated Visio file, malicious code could be injected. The Visio Viewer is not affected.
Windows users should install the updates immediately as recommended by Microsoft in order to close the security holes described. The patches can be installed automatically using the Windows update feature or retrieved individually from Microsoft's update website.
See also:
- Microsoft Security Bulletin Summary for April 2008
- MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution
- MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution
- MS08-020: Vulnerability in DNS Client Could Allow Spoofing
- MS08-021: Vulnerabilities in GDI Could Allow Remote Code Execution
- MS08-022: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution
- MS08-023: Security Update of ActiveX Kill Bits
- MS08-024: Cumulative Security Update for Internet Explorer
- MS08-025: Vulnerability in Windows Kernel Could Allow Elevation of Privilege
(mba)