Microsoft update patches critical flaws affecting Word, Publisher

Critical vulnerabilities in Microsoft Jet Database Engine version 4.0 are being actively exploited in the wild.

Microsoft issued critical updates Tuesday addressing remote code execution vulnerabilities in Microsoft Jet Database Engine version 4.0 that affects Microsoft Word. The software giant also addressed a flaw in its Malware Protection Engine, which experts say should be addressed immediately.

It's relatively easy to exploit this and now that it is more known, more people will probably be jumping on board with this.
Jason Miller,
security data team managerShavlik Technologies

In MS08-026, Microsoft plugged a hole in its Jet Database Engine that was being actively exploited in targeted attacks in the wild. Microsoft said the Jet Database flaw allowed an attacker to open a Jet Database file from a Microsoft Word document or an email. In order for the vulnerability to be exploited, users would have to click on a link in an email message to navigate to a malicious website that contains a specially crafted Word file. The flaw allowed an attacker to gain the same user rights as the local user.

Microsoft's MS08-028 bulletin addresses a similar remote code execution vulnerability in the Jet Database Engine. An attacker could send a malicious database query through Visual Basic or a third party application using the database engine and gain access to a system. As a workaround before deploying the patch, companies can block .mdb files from being processed through email.

"These are the most critical. In real world environments Word documents are not blocked," said Jason Miller, the security data team manager, at Roseville, Minn.-based Shavlik Technologies. "It's going to be relatively easy to exploit this and now that it is more known, more people will probably be jumping on board with this."

Microsoft update information:
 Inside MSRC: Microsoft explains Word, Publisher flaws: Security patching programs are not much different than racquetball games, says Microsoft's Bill Sisk. It's all about devising a strategy early to maintain control.

April: Microsoft releases April trove of patches Windows, Office and IE all have patches deemed "critical" by Microsoft this month.

A Word document doesn't even have to be opened for the exploit to work. An attacker can make it work using the preview pane in Outlook 2003 and 2007, he said.

"The two main attack vectors are going to be through email and through specially crafted Web pages as well," Miller said.

A vulnerability in Microsoft Malware Protection Engine is addressed in MS08-029. The update fixes a flaw labeled "moderate" by Microsoft. Specially crafted files can cause the protection engine software to stop responding and restart when it scans them. It can also cause an denial of service by causing large temporary files to fill the machine's hard drive.

"This one should be taken very seriously," said Don Leatham, director of solutions and strategy at Lumension Security. "From an organizational wide attack standpoint, this would be a very interesting denial of service attack internally launched against an organization."

Shavlik's Miller agreed. He said the update is extremely important since an active exploit could cause the protection engine to stop alltogether. Windows Defender and Windows Live OneCare are affected on individual machines, but Microsoft Antigen runs for an Exchange server, which serves critical applications, Miller said.

"This is a security product. A security product that's supposed to defend you against these things," Miller said.

A critical update to Microsoft Publisher 2000 was addressed in the MS08-027 bulletin. The update adds an Office Document Open Confirmation Tool warns users with a message to "Open", "Save", or "Cancel" before accessing a document via Internet Explorer. Later versions of Microsoft Publisher and Word already have the feature built-in.

Dig deeper on Windows Security: Alerts, Updates and Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close