As the year comes to a close, I will be providing guidance for the last time in '08 on how to get your systems protected. In particular, I will offer key information to help you with your risk assessments and deployment strategies.
In this month's column I will review the eight security bulletins that were released; six rated as critical and two as important. I will also briefly touch on the new detections we released for the Malicious Software Removal Tool.
MS08-070
This bulletin addresses five privately-reported vulnerabilities and one publicly-disclosed vulnerability in the ActiveX controls for the Microsoft Visual Basic 6.0 Runtime Extended Files. The severity of these vulnerabilities is critical, with the possibility of remote code execution if a user views a malicious website that leverages the vulnerability. Two examples of Microsoft applications affected by these vulnerabilities are Microsoft Office Project 2007 Service Pack 1 and Microsoft Visual Studio .NET 2003 Service Pack 1.
Make sure you check with any third-party application vendors whose products use these controls, so that you can obtain their updates as well. Additionally, developers who redistribute these controls should update their applications to use the newer versions. As a side note, it is possible to prevent these vulnerable controls from running in Internet Explorer.
I encourage you to download and use the Microsoft Baseline Security Analyzer (MBSA) to help identify systems with the vulnerable controls in some of the Microsoft products listed in the bulletin.
MS08-071
The Graphics Device Interface (GDI) contains two vulnerabilities that could allow remote code execution if a user views a specially crafted Windows Metafile Format (WMF) file. These vulnerabilities affect all supported versions of Microsoft Windows. Reading email in plain text will help mitigate the risk, but it is still important to deploy this update as soon as possible. Testing the update is also important because GDI is sort of the "plumbing" in Microsoft Windows that enables applications to render graphics and text on both the monitor and the printer.
MS08-072
Microsoft Word contains several vulnerabilities that would allow for remote code execution if a user opened a specially crafted Rich Text Format (RTF) Word document or viewed a specially crafted RTF formatted email. In addition, there are several vulnerabilities that allow for remote code execution if a user opens a specially crafted Word file of any type.
A workaround is to read email in plain text. There is also a way to prevent Microsoft Word from loading RTF formatted documents.
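Two of the workarounds mentioned above (blocking the MS08-070 ActiveX controls in Internet Explorer, and preventing Word from loading RTF documents) both come down to registry settings, and it is worth being able to verify from a script whether they are actually in place on a host before you rely on them. The following PowerShell audit is an added example, not code from this column or from the bulletins. It assumes the kill-bit mechanism (the 0x400 flag in "Compatibility Flags" under the ActiveX Compatibility key) and the Word File Block setting (RtfFiles under the per-user Security\FileOpenBlock key for Office 11.0 and 12.0) as I recall them from Microsoft's documentation; the two CLSIDs are placeholders that you must replace with the control CLSIDs listed in the bulletin, and the File Block path should be confirmed against the bulletin's workaround section before you act on the result.

```powershell
# Added example (not part of the column or the bulletins): audit whether the
# ActiveX kill-bit and Word RTF File Block workarounds are in place.
# Run in an elevated PowerShell session on the host being checked.

$KillBit = 0x400   # COMPAT_KILLBIT flag in the "Compatibility Flags" value

# PLACEHOLDER CLSIDs - replace with the control CLSIDs from the MS08-070 bulletin.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder, not a real control
    '{00000000-0000-0000-0000-000000000002}'    # placeholder, not a real control
)

function Test-KillBit {
    param([string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

foreach ($c in $Clsids) {
    $state = if (Test-KillBit $c) { 'kill bit SET' } else { 'kill bit NOT set' }
    Write-Output "$c : $state"
}

# Word File Block: RtfFiles = 1 under the per-user FileOpenBlock key.
# 11.0 = Word 2003, 12.0 = Word 2007. Path is an assumption from memory of the
# File Block documentation; confirm against the MS08-072 workaround text.
function Test-WordRtfBlocked {
    param([string]$OfficeVersion)
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security\FileOpenBlock"
    if (-not (Test-Path $key)) { return $false }
    $v = (Get-ItemProperty -Path $key -Name 'RtfFiles' -ErrorAction SilentlyContinue).RtfFiles
    return ($v -eq 1)
}

foreach ($ver in '11.0', '12.0') {
    $state = if (Test-WordRtfBlocked $ver) { 'RTF opening BLOCKED' } else { 'RTF opening allowed' }
    Write-Output "Word $ver : $state"
}
```

Because the File Block value lives under HKCU, the second check only reports on the user running the script; a domain-wide deployment through Group Policy should be verified per user or by inspecting the policy itself. On 64-bit systems, controls registered under the 32-bit view of the registry also need their kill bit checked under the corresponding Wow6432Node path.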
This bulletin addresses four privately-reported vulnerabilities in Internet Explorer, the worst of which is rated as Critical. The vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page. There are some platforms where the rating is only Moderate -- Internet Explorer 6 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 are two such instances. There are also a number of workarounds for the respective vulnerabilities.
MS08-074
This bulletin is similar to the one related to Microsoft Word in that remote code execution can occur if a user opens a specially crafted file -- in this case, a Microsoft Excel file. Because Office 2000 is affected, users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save or Cancel before opening a document. The features of the Office Document Open Confirmation Tool are incorporated in Office XP and Office 2003.
MS08-075
Windows Search in Windows Vista and Windows Server 2008 contains two remote code execution vulnerabilities that are rated as Critical. One of the vulnerabilities can be exploited via a specially crafted ".search-ms" file. A successful exploit would work after a user opened and saved the specially crafted file. The bulletin has information regarding the second vulnerability addressed. I also want to note that Windows Search is an optional add-in for Windows XP and is not affected by the vulnerabilities.
In general, ".search-ms" files are created when a user saves a search performed on a Windows Vista or Windows Server 2008 system. For example, I created and saved a search file to my desktop that pulls everything associated to my wife's name. So whenever she claims that I did not send her something, I can just double-click on the search file and get myself out of trouble. The only problem is I can never seem to find the info that I know I sent.
MS08-076
This bulletin addresses two privately reported vulnerabilities which could allow remote code execution in Windows Media Components and is rated as Important. Keep in mind the following important facts when determining the priority of this security bulletin: Windows Media Services is not installed by default, and Windows Media Player 11 is only present on the system when Desktop Experience is installed on Windows Server 2008.
MS08-077
This bulletin addresses a vulnerability rated as Important in Microsoft Office SharePoint Server 2007 and Microsoft Search Server 2008 that could allow for an elevation of privilege by an unauthenticated user, which in turn could result in information disclosure or a denial-of-service attack. Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Portal Server 2003 Service Pack 3 are not affected.
Malicious Software Removal Tool
This month we are adding new threat families Win32/FakeXPA and Win32/Yektel to the Malicious Software Removal Tool (MSRT). For additional information click on the aforementioned malware names or visit the Microsoft Malware Protection Center (MMPC) blog.
In closing, please take a moment and register for our monthly security bulletin webcast, which will be held on Wednesday, Dec. 10, at 11 a.m. PDT.
Christopher Budd and Adrian Stone will review information about each bulletin to further aid in your planning and deployment. Immediately following the review session they will answer your questions with information from our assembled panel of experts. If you are not able to view the live webcast, it will also be available on demand.
In addition, please take a moment and mark your calendars for the January 2008 monthly bulletin release scheduled for Tuesday, Jan. 13, and the advance notification scheduled for Thursday, Jan. 8. Look for the January edition of this column on release day for information to help you plan and deploy the most recent security bulletins.
On a final note, our number one priority is to protect customers and make the security ecosystem at large more secure -- there are security researchers that feel the same way. With this in mind, I want to mention that almost all of the vulnerabilities addressed in the bulletins were responsibly disclosed. I would like to give a warm thank you to those who worked with us on this release. As usual, they are listed at the bottom of each bulletin.