Microsoft issued 11 security bulletins, including six critical fixes that plug flaws in Microsoft Access, Office, Excel and Internet Explorer.
The updates were part of Microsoft's monthly bulletins, regularly released on the second Tuesday of each month. They plug critical flaws that could be exploited remotely by attackers to access important files and take control of a system. Microsoft issued one less fix than it announced in its advance notification last week, choosing to hold off on issuing a patch to repair a Windows Media Player vulnerability.
"There was an issue found at the 11th hour that did not meet our quality bar for broad distribution," said Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC).
The August patches were focused on client side vulnerabilities, giving IT administrators a break from patching servers, said Jason Miller, the security data team manager at Roseville, Minn.-based Shavlik Technologies LLC. Miller said an update to plug a vulnerability that could cause systems to ignore Internet Protocol Security (IPsec) policies and transmit network traffic in clear text could be the most difficult to deploy. The update affects several network facing systems, Miller said. Although the vulnerability is rated important, it could be used by an attacker to sniff useful information to further compromise the affected system or network, Microsoft said.
A zero-day flaw in Microsoft Access being actively exploited by attackers has been plugged. Microsoft addressed an ActiveX vulnerability in its Shapshot Viewer, describing the problem in its MS08-041 bulletin. The tool is used to view database report snapshots that are created with any version of Microsoft Access. The flaw impacts Internet Explorer 7 users that have the ActiveX control installed and Internet Explorer 6 users. In July, Microsoft warned customers of active, targeted attacks taking advantage of the vulnerability. Just a week after the warning, Symantec Corp. issued an advisory saying the Neosploit exploit toolkit was tweaked by its makers, automating an exploit to take advantage of the flaw.
Ben Greenbaum, senior research manager at Symantec Security Response, said attackers had fine-tuned their exploits, resulting in more widespread attacks in recent weeks.
"The nature of the control allows the attacker to install it and exploit the vulnerability without any user-interaction," Greenbaum said.
The ActiveX control is not installed by default. It is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007, according to Microsoft. The vulnerability affects the Snapshot Viewer in Microsoft Office Access 2000, Microsoft Office Access 2002 and Microsoft Office Access 2003.
Several remote code execution vulnerabilities in Microsoft Excel were also addressed in MS08-043 bulletin. Microsoft Office Excel 2000 Service Pack 3 is rated as "Critical." All other supported versions are rated as "Important," Microsoft said. The vulnerability affects Microsoft SharePoint services. The flaws could be exploited if a user opens a specially crafted Excel file. If exploited successfully, an attacker could install programs, view, change or delete data and create new accounts with full user rights, Microsoft said.
Five critical and important flaws in Microsoft Office 2000 Service Pack 3 could be exploited by an attacker remotely to gain access to system information. The flaws were addressed in MS08-044 bulletin. Microsoft office has several PICT-format image file processing errors, which allow an attacker to take complete control of a system. When Office opens the PICT image file, it corrupts system memory, which enables the flaw. Microsoft said the Office Document Open Confirmation Tool mitigates the flaw by prompting users to open, save or cancel before opening a document.
Several critical flaws in Internet Explorer were addressed in MS08-045 bulletin. The memory corruption vulnerabilities could be exploited by an attacker who constructs a malicious Web page and convinces users to visit the website by duping them into clicking a link in an email or instant message. Once exploited, the attacker could gain the same user rights as the logged-on user. A component handling vulnerability was also addressed by the update. Internet Explorer has a problem processing print previews, allowing an attacker to exploit the vulnerability.
Microsoft said last week that it plans to implement two new security programs, giving antivirus (AV), security vendors and some customers early access to soon-to-be-patched vulnerabilities, and producing a new exploitability index. Both programs are expected in October.
The Microsoft Active Protection Program (MAPP) will be open to security companies that provide defensive technology to large customer bases, meaning antivirus, intrusion detection system (IDS) and intrusion prevention system (IPS) vendors.
Microsoft also plans to add an exploitability index to its monthly security advisories. The index ranks vulnerabilities based on the likelihood of someone developing working exploit code for the Microsoft flaws within 30 days immediately following the patch release. Each vulnerability will be assigned one of three labels: consistent, meaning it's likely that reliable exploit code will be developed; inconsistent, meaning some code may appear, but likely won't work against all machines; and unlikely, meaning there's little chance of usable code being developed.
Vincent Weafer, vice president of Symantec Security Response, called the programs a positive move toward expediting user protection.
"Early notification of all potential mitigations for disclosed vulnerabilities, especially those critical in nature, can only help to better protect enterprise and consumer computer users globally," Weafer said.