Microsoft has released eight new security bulletins affecting Microsoft Windows, Office and Internet Explorer. Five of these bulletins are rated critical, and three are rated important.
MS08-018: Microsoft Office
MS08-019: Microsoft Visio is affected by a vulnerability rated as important that could allow remote code execution if a user opens a malformed Microsoft Visio file. Best practices, as noted in the bulletin, are to not open or save Visio files from unknown sources, or files that you receive unexpectedly from sources you would normally trust. This goes for MS08-018, also. Applying the security update as soon as possible is a critical step in protecting your systems.
MS08-020: This addresses a spoofing vulnerability in the DNS client service only. It does not apply to the DNS server service in Windows systems. At this point, one might be inclined to exclude all server systems from the risk assessment. However, that would be a mistake. You need to evaluate this security update for servers, because the DNS client service also runs on server systems -- please see the bulletin for specifics. This vulnerability is rated important for products listed in the bulletin. However, Windows Vista Service Pack 1 and Windows Server 2008 are not affected.
MS08-022: This is a critical vulnerability in the VBScript and JScript scripting engines that could allow remote code execution if a user visits an attacker's specially crafted website. The vulnerability is in how the VBScript and JScript engines decode script in Web pages. The affected files are VBScript.dll and JScript.dll versions 5.1 and 5.6. However, version 5.7 files are not affected. Systems with Internet Explorer 7, Windows Vista, and Windows Server 2008 automatically come with VBScript.dll version 5.7 and JScript.dll version 5.7. Therefore, they are not subject to this vulnerability.
In addition, version 5.7 of VBScript.dll and JScript.dll is available on the download center for Windows 2000, Windows XP, and Windows Server 2003. These downloadable versions are not affected by the vulnerability called out in MS08-022. If you have already installed any of these versions on your operating system, there is no need to install this security update -- your system is not vulnerable.
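The version rule described above can be checked per host. The following PowerShell is an added example, not taken from the bulletin or the original post; the function name `Get-ScriptEngineStatus` and the list of directories searched are assumptions.

```powershell
# Added example: report which script engine DLLs fall under the MS08-022
# version rule stated above (5.1 and 5.6 in scope, 5.7 not affected).
# Assumption: the engines are in the standard system directories. SysWOW64 is
# included so the 32-bit copies on 64-bit Windows are checked as well.
function Get-ScriptEngineStatus {
    param(
        [string[]]$Directories = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64"),
        [string[]]$FileNames   = @('vbscript.dll', 'jscript.dll')
    )

    foreach ($dir in $Directories) {
        foreach ($name in $FileNames) {
            $path = Join-Path $dir $name
            # Skip directories or files that do not exist on this system.
            if (-not (Test-Path -LiteralPath $path)) { continue }

            $info = (Get-Item -LiteralPath $path).VersionInfo
            $majorMinor = '{0}.{1}' -f $info.FileMajorPart, $info.FileMinorPart

            # Only major.minor is compared. This says whether the update is
            # applicable, not whether it is already installed: a patched 5.6
            # engine still reports 5.6. The fixed build numbers are listed in
            # the bulletin, not in this post.
            $status = switch ($majorMinor) {
                '5.1'   { 'In scope: MS08-022 applies' }
                '5.6'   { 'In scope: MS08-022 applies' }
                '5.7'   { 'Not affected' }
                default { 'Version not covered here: check the bulletin' }
            }

            New-Object PSObject -Property @{
                Path        = $path
                FileVersion = $info.FileVersion
                Status      = $status
            } | Select-Object Path, FileVersion, Status
        }
    }
}

Get-ScriptEngineStatus | Format-Table -AutoSize
```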
MS08-023: I would like to point out that this bulletin is new in nature. That is, it addresses a vulnerability in an ActiveX control outside of the context of an Internet Explorer bulletin. This bulletin is not related to a vulnerability in Internet Explorer. It is an ActiveX-only bulletin. The aggregate security rating for the bulletin is critical. However, the security update is rated only as important for all supported versions of Windows Vista, moderate for Windows Server 2003, and low for all supported versions of Windows Server 2008. In addition to the Microsoft ActiveX control that is being addressed, a third-party ActiveX control is also being referred to.
MS08-024: This addresses a critical vulnerability in the way that Internet Explorer processes data streams, which could allow remote code execution. Despite the criticality of this security update, the workaround section of the bulletin offers a viable stop-gap measure for the HTML email attack vector.
MS08-021: I am addressing MS08-021 out of sequential order because it has something in common with MS08-024. Both bulletins are rated critical for all products listed in the respective bulletins. In these situations, I like to flag their importance for your immediate attention. This particular bulletin, MS08-021, addresses vulnerabilities in the Microsoft Windows graphics device interface (GDI) that affect all supported versions of Windows. These vulnerabilities could allow remote code execution if a user opens a specially crafted .emf or .wmf image file. Please note that there is a detailed workaround in the bulletin.
MS08-025: The last of the security updates fixes improper validation of input passed from user mode to kernel mode that allows an elevation of privilege. The elevation of privilege cannot be accomplished remotely. The attacker must already be authorized to log on locally to the system. This update is rated as important for affected products.
One final item that I would like to bring to your attention is the fact that all of the vulnerabilities addressed in the bulletins for the April 2008 release were responsibly disclosed by various security researchers. Responsible disclosure not only protects customers but also helps protect the broader computing ecosystem. Our thanks and acknowledgements to the specific researchers are noted in each of the bulletins.