Microsoft plugs 17 security holes on Patch Tuesday

Patch Tuesday came again this week, with Microsoft publishing updates that patch numerous holes in operating systems, Office packages and other software. Contrary to an announcement by Redmond last Friday, Microsoft has published eleven instead of twelve security bulletins. The updates that correspond to the bulletins remedy ten vulnerabilities rated "critical" and seven rated "high".

The cumulative security update to Security Bulletin MS08-010 closes four security holes in Internet Explorer 5, 6 and 7 under all supported operating systems. When crafted HTML pages with particular layout combinations – Microsoft does not say what they are – are displayed, an error occurs in the rendering engine that allows code to be injected and executed. The same can occur when a web page calls the property function in IE. The dxtmsft.dll ActiveX module also creates a security hole, which can be traced to an erroneous test of transferred data. In addition, there is a Killbits update for Microsoft Fox Pro ActiveX modules Foxtlib.ocx and Fpole.ocx.

In Security Bulletin MS08-008 the software vendor describes a critical security hole in object linking and embedding (OLE) automation under Windows 2000, XP, Vista, Microsoft Office 2004 for Mac and Visual Basic 6, that attackers can exploit to foist malicious code on users by means of manipulated web sites. Manipulated scripts can confuse memory management causing a partial overwrite of the heap.

Microsoft has closed holes in the Office packages as well. The update to MS08-009 remedies an error in Word that allows foreign program code to be smuggled in. The Redmond company rates the hole in Office 2000 as "critical" and in Office XP, 2003 and Word Viewer 2003 as "high". Newer versions after Office 2003 SP3, Office 2004 and 2008 for Mac are not affected. Bulletin MS08-012 describes two critical leaks in Microsoft Publisher, which also were assigned a "critical" risk level in version 2000, but are still rated only as "high" in XP and 2003 SP2.

An additional vulnerability (MS08-013) came to light in Office documents with manipulated embedded objects – Microsoft rates it as "critical" in Office 2000 and as "high" in Office XP 2003 up to SP2, and Office 2004 for Mac. More current versions and the viewer do not contain the error. The import filters for Office 2003, Works 8 and Works Suite 2005 for Works files (.wps) cannot deal with manipulated files and can execute injected malicious code. In Security Bulletin MS08-011, Microsoft assesses the potential danger of the three errors in the Works versions as "high", or "moderate" in Office 2003.

The WebDAV Mini Redirector WebDAV client integrated into the operating system can get out of step while processing crafted answer packets and cause a buffer overflow on the heap as a result. In the process, injected malicious code may be executed. The update to Security Bulletin MS08-007 remedies the error in Windows XP, Server 2003 and Vista; Windows 2000, Vista Service Pack 1 and Windows 2008 do not contain the error.

Microsoft rates the potential hazard of a vulnerability while processing crafted DHCP responses (MS08-004) in Windows Vista only as "high"; the falsified response packets can result in the affected computer crashing and restarting. Internet Information Servers (IIS) sometimes process information on ASP web sites incorrectly, allowing attackers have access to the system with IIS rights (MS08-006). According to Security Bulletin MS08-005, local users can extend their rights on systems with IIS. Versions IIS 5.0 under Windows 2000 to IIS 7 under Windows Vista are affected. A vulnerability in Active Directory makes denial of service attacks possible on affected systems (MS08-003). Under Windows XP and Server 2003 valid login data is necessary to do this, but not under Windows 2000.

Since most of the security holes enable injection and execution of malicious code, users should install the updates straight away. As long as the Windows Automatic Update has not already downloaded them, users can start Internet Explorer and surf to the Windows Update site via the browser menu and manually initiate the update.