Common and obscure: Fixes from Microsoft on Patch Tuesday
Four of the bulletins corrected "critical" vulnerabilities, a mixture of client-side and server-side issues that could be remotely exploited to execute malicious code.
Bulletin MS08-058 is a cumulative security update to remedy five Internet Explorer (IE) vulnerabilities, while MS08-057 supplies fixes for three flaws in Office Excel.
"It's the month of remote code execution bugs," Dave Marcus, security research and communications director at McAfee Avert Labs, said. "Many of the vulnerabilities addressed...could allow an attacker to gain complete control over a vulnerable computer by tricking a user to visit a malicious website or open a rigged Office file."
But perhaps the most intriguing of the remote code execution fixes comes in MS08-059, which resolves a rare vulnerability in Microsoft Host Integration Server, which offers connectivity and integration between Windows networks and IBM mainframes. The flaw could cause a system compromise if an attacker sends a specially crafted Remote Procedure Call (RPC), in which one computer talks to another, according to Microsoft.
"Any unauthenticated remote user can contact this RPC interface and start making these administrator-level calls to take complete control of the system," David Dewey, manager of IBM Internet Security Systems' X-Force research team, told SCMagazineUS.com.
Tuesday's security update also addressed three bugs, rated "important," in other, lesser-known Windows components: the Ancillary Function Driver, Internet Printing Service and Virtual Address Descriptor.
Wolfgang Kandek, CTO of vulnerability management firm Qualys, said these flaws could be a sign of things to come as it appears researchers' are focusing their attention on traditionally lesser-scrutinized areas of the Microsoft platform.
Amol Sarwate, manager of the vulnerability labs at Qualys, pointed out two other server-side holes, one of them critical. The critical one affects Active Directory; the "important" vulnerability impacts the Server Message Block (SMB) protocol.
"We're calling them old-school vulnerabilities," he said. "Nobody has to click anything. The server just processes those (malicious) packets and gets compromised."
This update was the first time Microsoft included its recently announced "Exploitability Index," which attempts to predict the likelihood of functioning exploit code.
Of the 20 vulnerabilities, eight were assessed as "consistent exploit code likely," seven as "inconsistent exploit code likely" and four as "functioning exploit code unlikely." One of the bugs fixed with the cumulative IE release was being publicly exploited prior to Tuesday's release.