Microsoft on Tuesday issued eight patches, five rated critical, to address 10 client-side vulnerabilities in the software giant’s components and programs.
The critical fixes remediated flaws in Microsoft Office, Windows and Internet Explorer (IE) that could allow remote attackers to install malicious code on a user’s machine.
The security bulletins included MS08-022, which corrects a flaw in the VBScript and JScript scripting engines.
“While all the security bulletins are serious, [this one] stands out since it ships on Windows by default and is not tied to any specific user application but the operating system itself,” said Ben Greenbaum, senior research manager of Symantec Security Response. “An attacker need only compromise and modify any web page, which, when viewed by a user in a browser that uses these engines, will result in the execution of attacker-supplied code on the user’s computer.”
Microsoft also offered fixes for vulnerabilities in Office Project and GDI [Graphics Device Interface], the latter bug exploitable if a user opens a specially crafted EMF or WMF file.
There were also fixes for ActiveX kill bits, and that update included a kill bit for the Yahoo Music Jukebox.
Microsoft also delivered a cumulative patch for holes in IE.
Three patches labeled important also were delivered to remediate vulnerabilities in Windows and Office.
Eric Schultze, CTO of Shavlik Technologies, relaying comments from the RSA floor to SCMagazineUS.com, said that all eight bulletins this month are client-side vulnerabilities. “In other words, your system is safe unless a user logs in and opens documents, reads email or visits an evil website on that computer. Systems where no one logs on and does this are safe,” he said.
Of the five OS-related vulnerabilities this month, four impact Vista and Windows Server 2008. “This doesn’t speak well for the debut of Windows Server 2008,” he said.
Schultze added that the most critical to get installed are MS08-021, MS08-022 and MS08-024. Of these, MS08-021 is the most important, he explained, as it can be exploited by all three attack vectors: visiting an evil website, opening an evil document or reading an evil email.
“MS08-021 is a flaw in the way that image files are processed — an evil graphic file can execute code on your system. This is the third such evil graphic file attack since January of 2006,” he said.
MS08-022, he pointed out, is a flaw in JScript and VBScript in IE6 and earlier versions of IE. “Visit an evil website and you’ll get hacked. This is the patch that was delayed from the January release cycle.”
The same holds true for MS08-024. Schultze said it is a flaw in all versions of IE. “Visit an evil website and you’ll get hacked.”
Finally, MS08-025 is a privilege escalation vulnerability that can allow a user to elevate themselves from user to admin, he said.
“This can also be exploited by any of the other vulnerabilities announced this month. Visit an evil website and it can execute code on your system to make you an admin — then the evil website can do anything on your system that it wants. From what I can tell, this vulnerability erases the mitigation that MS provides for all earlier patches: ‘The evil code will only execute with the permissions of the logged on user, therefore you are safer if you are logged on with a non-administrative account.’”
“Baloney,” Schultze said in response.