The security updates Microsoft released Tuesday affect multiple versions of Windows, including Vista. But vulnerability management experts say IT administrators should give the highest urgency to the patches for Microsoft Office and Internet Explorer, given the wide attack surface those programs present.
The software giant released 11 security updates in all, six of them for critical flaws attackers could exploit to take complete control of targeted machines. That's one fewer than the 12 updates Microsoft predicted in last week's advance notification.
Don Leatham, director of solutions and strategy for patch management vendor Lumension Security, is most concerned about the Office and Internet Explorer flaws addressed in several critical bulletins. Attackers have shown in recent years that they'd rather target applications than go directly for the throat of the operating system, he said.
"More and more critical flaws are affecting the application layer and so that's what the attackers are focusing on," he said. "That said, IT professionals should make the Office and IE patches their top priority."
Jonathan Bitle, director of technical account management at Qualys Inc., agreed, noting that it's easiest for attackers to target uneducated users through those types of flaws.
"The weakest point in the enterprise is the end user, which is why application flaws are so popular among attackers," he said. "User education to this day is not considered a critical part of the security program at most organizations and flaws like the ones patched this month show why that's a mistake."
It also illustrates the need for a layered security program instead of relying solely on vendor patches, he said.
Critical bulletins summarized
Six of this month's security updates fix critical vulnerabilities in Windows, Office, Visual Basic and Internet Explorer:
MS08-007 addresses a flaw attackers could exploit in the Windows WebDAV mini-redirector to hijack targeted machines and install programs; view, change, or delete data; or create new accounts with full user rights. Microsoft said this is a critical security update for all supported editions of Windows XP and Windows Vista and an important security update for all supported editions of Windows Server 2003. The update modifies how the mini-redirector handles long path names.
MS08-008 addresses a Windows flaw attackers could exploit by tricking the user into viewing a specially crafted Web page. The flaw lies within the operating system's Object Linking and Embedding (OLE) Automation function. Microsoft said this is a critical security update for all supported editions of Windows 2000, Windows XP and Windows Vista, as well as for Microsoft Office 2004 for Mac and Visual Basic 6. Microsoft addressed the problem by adding a check on memory requests within OLE Automation.
MS08-009 addresses a flaw attackers could exploit in Microsoft Word to launch malicious code if a user opens an infected Word file. Microsoft said this is a critical security update for supported editions of Microsoft Office 2000 and an important security update for Microsoft Office XP, Microsoft Office 2003, and Microsoft Office Word Viewer 2003. The update addresses the problem by modifying how Word handles specially crafted files.
MS08-010 is a cumulative update for Internet Explorer, fixing several flaws attackers could exploit to run malicious code on targeted machines when the user views a specially crafted Web page using the browser. Microsoft addressed the problem by modifying how Internet Explorer handles HTML and validates data, and by setting the kill bit for an ActiveX control.
MS08-012 addresses two Microsoft Office Publisher flaws an attacker could exploit to launch malicious code on targeted machines when the user opens an infected Publisher file. Microsoft said this is a critical update for Office Publisher 2000, Office Publisher 2002 and Office Publisher 2003 Service Pack 2. The security update fixes the problem by modifying how Office Publisher handles specially crafted files.
MS08-013 addresses a Microsoft Office flaw attackers could exploit to run malicious code on targeted machines when the user opens an Office file with a malformed object inserted into the document. Microsoft said this is a critical security update for all supported editions of Microsoft Office 2000 and an important security update for Microsoft Office XP, Microsoft Office 2003 and Microsoft Office 2004 for Mac. Microsoft fixed the problem by modifying how Office loads documents with inserted objects.
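MS08-010 above notes that part of the fix was setting the kill bit for an ActiveX control. A practitioner who wants to confirm that a kill bit is actually in place on a machine can read it straight from the registry: Internet Explorer refuses to instantiate a control when bit 0x400 of the REG_DWORD "Compatibility Flags" is set under the control's CLSID in the ActiveX Compatibility key. The PowerShell below is an added example, not code from the article or from Microsoft. The CLSID it uses is a placeholder, because the summary above does not name the control; substitute the CLSID given in the bulletin's knowledge base article.

```powershell
# Added example (not from the article or from Microsoft): report whether Internet Explorer's
# kill bit is set for a given ActiveX control CLSID.
# IE blocks a control when bit 0x400 of the REG_DWORD 'Compatibility Flags' is set under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so both views are checked.

$KillBitFlag = 0x400

function Get-ActiveXCompatFlags {
    param(
        [Parameter(Mandatory)] [string]$Clsid,
        [switch]$Wow64
    )
    $base = if ($Wow64) { 'HKLM:\SOFTWARE\Wow6432Node' } else { 'HKLM:\SOFTWARE' }
    $key  = Join-Path $base "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    # Missing key or missing value both mean "no kill bit", so return $null rather than throwing.
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)] [string]$Clsid)
    $results = foreach ($view in @($false, $true)) {
        $flags = Get-ActiveXCompatFlags -Clsid $Clsid -Wow64:$view
        [pscustomobject]@{
            Clsid   = $Clsid
            View    = if ($view) { '32-bit (Wow6432Node)' } else { 'native' }
            Flags   = if ($null -eq $flags) { 'not present' } else { ('0x{0:X}' -f $flags) }
            # Test the 0x400 bit explicitly; other bits in the value have unrelated meanings.
            KillBit = ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
        }
    }
    return $results
}

# Placeholder CLSID (an assumption; the bulletin summary does not name the control).
# Replace it with the CLSID listed in the bulletin's KB article before running.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Test-ActiveXKillBit -Clsid $clsid | Format-Table -AutoSize
```

Run it from an elevated prompt on the patched machine; a row with KillBit = True in each applicable view confirms the control is blocked, while "not present" means the update did not write the value (or has not been applied) on that system.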
Important bulletins summarized
Five of this month's security updates are for "important" flaws in Windows, Office and Microsoft Works; four of them are summarized below:
MS08-003 addresses a flaw in Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and in Active Directory Application Mode (ADAM) when installed on Windows XP and Windows Server 2003 systems. Attackers could exploit the flaw to cause a denial of service.
MS08-004 addresses a flaw attackers could exploit in Windows Vista's Transmission Control Protocol/Internet Protocol (TCP/IP) processing function to stop the operating system from responding and trigger a restart. Microsoft fixed the problem by validating the IP address provided by a DHCP server or assigned by command or API at the local machine.
MS08-006 addresses local and remote flaws attackers could exploit in Internet Information Services (IIS) to hijack a targeted machine. Microsoft said this is an important update for Internet Information Services 5.0 on Windows 2000, Internet Information Services 5.1 on Windows XP, Internet Information Services 6.0 on Windows Server 2003 and Internet Information Services 7.0 on Windows Vista; the update applies to Internet Information Services running on all supported editions of Windows XP and Windows Server 2003.
MS08-011 addresses three flaws attackers could exploit in the Microsoft Works File Converter to run malicious code when the user opens an infected .wps file with an affected version of Microsoft Office, Works or Microsoft Works Suite.