In its largest security update
in 18 months, Microsoft
on Tuesday delivered 11 patches to resolve 26 vulnerabilities in its operating system and related components.
Five of the fixes addressed flaws rated “critical,” meaning they could be exploited to execute remote code. Keeping with the theme of recent updates from the software giant, most of the bugs affect client software, not the server, and attackers likely will opt for social engineering to launch exploits.
The most major of the “critical” patches appears to be bulletin MS08-045, a cumulative update for security holes in Internet Explorer (IE), Don Leatham, director of solutions and strategy at patch management provider Lumension Security, told SCMagazineUS.com on Tuesday.
The patch corrects five bugs in IE, four of which are based on HTML, the core language of the internet, he said. Attackers could exploit the vulnerabilities to silently infect victims with malware without any user interaction required.
“As your IE is rendering those HTML instructions, there could be malicious code embedded in those pages that will allow code to be downloaded and executed on that web page without the user's knowledge or intervention,” Leatham said.
Administrators should also play close attention to bulletin MS08-041, which addresses a “critical” vulnerability in the ActiveX control for the Snapshot Viewer in Microsoft Access, and MS08-042, which involves a hole in Word rated as "important."
Both flaws have been exploited to launch limited attacks during the past month, Microsoft has said.
Aside from the Access and Word fixes, the update also remedies issues in Excel, PowerPoint, Office Filters and Outlook Express.
“I think this is really like a perfect storm for Microsoft Office because each and every component is affected,” Amol Sarwate, manager of Qualys' vulnerability labs, told SCMagazineUS.com.
Yet another critical fix comes in MS08-046, which resolves a vulnerability in Microsoft Image Color Management system. A successful attacker could dupe a victim into visiting a malicious website, enabling the attacker to take control of an affected system.
The update plugs two “important” vulnerabilities. Perhaps the most unique is an IPsec vulnerability, which could lead to information disclosure.
The flaw, which involves the way certain Windows Internet Protocol Security rules are handled, could be taken advantage of to disable IPsec
tunneling, forcing text to be delivered in the clear.
“Since there is broad reliance on IPsec to establish secure encrypted communications, for companies sharing critical information among remote offices, this one is especially important to look at,” Leatham said.
Sarwate said administrators also should prioritize MS08-050, which sews up a vulnerability in Windows Messenger that was being actively exploited in limited attacks.
“This could allow attackers to steal Windows Messenger user IDs and then invite other people to audio and video conferences pretending to be the victim,” Sarwate said. “This is sort of a different vulnerability that we have not seen too many times before. It could also allow the attackers to look at the chat sessions [of victims].”
Jason Miller, security data team manager at patch-management software provider Shavlik Technologies, said end-users can expect to see a rise in specially crafted websites hosting Tuesday's patched vulnerabilities – if they have not already gone live.
“Usually all it takes is one person finding out, then they give [the exploit code] to everyone else,” he said.
Tuesday's bountiful update should also serve as another reminder to patch for a highly severe DNS design flaw, reported
by researcher Dan Kaminsky. Microsoft, along with scores of other vendors, issued a fix in July, but some corporations may have been slow to patch because Microsoft labeled the patch “important,” not “critical,” Leatham said.