Microsoft patch day: Four updates close six holes
As previously announced, Microsoft published four security bulletins along with updates for six security holes on May patch day. The Redmond developers classify four of the holes as critical because they allow attackers to inject malicious code.
Security Bulletins MS08-026 and MS08-027 remedy two security holes in Word and one in Publisher that attackers could exploit using crafted documents. The holes in Word are exploitable via crafted documents in rich text format (.rtf) or Word documents with crafted cascading style sheets (CSS). The email preview in Outlook is all that is needed to trigger the .rtf exploit. Manipulated object headers in Publisher documents can cause the application to execute injected program code. The holes affect Office 2000, XP, 2003, 2007, Word Viewer 2003, the compatibility pack for Office 2007 file formats, and Office 2004 and 2008 for Mac.
The updates include additional warnings that Word displays if a document tries to issue SQL commands. The warnings are closely related to a vulnerability in the MS Jet Engine, which results from the engine not checking an unspecified data structure and is patched by the update accompanying Bulletin MS08-028. Many applications in Windows access databases via the Jet Engine. The hole affects all versions of Windows prior to Windows XP with Service Pack 3, Server 2003 Service Pack 2. Windows Vista and Server 2008 use a version of msjet40.dll that is not susceptible.
Update MS08-029 plugs two denial of service holes in Microsoft's Malware Protection Engine used in the company's OneCare, Forefront, and Antigen anti-malware products, and also in Windows Defender. Both of the holes are caused by flawed testing of transferred data while processing certain data formats. The bugs can cause the engine to use the entire hard drive or can crash the computer, triggering a restart.
As is customary on patch days, Microsoft released an updated Malicious Software Removal Tool (MSRT) that detects and removes widely circulating malware. Because three of the updates patch critical holes, users and administrators should download and install them immediately, preferably using the Windows built-in automatic update service.
- Microsoft Security Bulletin Summary for May 2008, overview of the May patch day security bulletins
- Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (951207), Microsoft security bulletin
- Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (951208), Microsoft error report
- Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (950749), Microsoft error report
- Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service (952044), Microsoft security bulletin