Install Microsoft Office and IE patches first, experts say

By Bill Brenner, Senior News Writer
12 Feb 2008 | SearchSecurity.com


Multiple versions of Windows are affected by the security updates Microsoft released Tuesday, including Vista. But vulnerability management experts say IT administrators should place the highest urgency on patches for Microsoft Office and Internet Explorer, given the wide attack surface those programs provide.


The software giant released 11 security updates in all, six of them for critical flaws attackers could exploit to take complete control of targeted machines. That's one shy of the 12 updates Microsoft predicted in last week's advance bulletin.

Don Leatham, director of solutions and strategy for patch management vendor Lumension Security, is most concerned about the Office and Internet Explorer flaws addressed in several critical bulletins. Attackers have shown in recent years that they'd rather target applications than go directly for the throat of the operating system, he said.

"More and more critical flaws are affecting the application layer and so that's what the attackers are focusing on," he said. "That said, IT professionals should make the Office and IE patches their top priority."

Jonathan Bitle, director of technical account management at Qualys Inc., agreed, noting that it's easiest for attackers to target uneducated users through those types of flaws.

"The weakest point in the enterprise is the end user, which is why application flaws are so popular among attackers," he said. "User education to this day is not considered a critical part of the security program at most organizations and flaws like the ones patched this month show why that's a mistake."

It also illustrates the need for a layered security program instead of relying solely on vendor patches, he said.

Critical bulletins summarized
Six of this month's security updates fix critical vulnerabilities in Windows, Office, Visual Basic and Internet Explorer:

MS08-007 addresses a flaw attackers could exploit in the Windows WebDAV mini-redirector to hijack targeted machines and install programs; view, change, or delete data; or create new accounts with full user rights. Microsoft said this is a critical security update for all supported editions of Windows XP and Windows Vista and an important security update for all supported editions of Windows Server 2003. The update modifies how the mini-redirector handles long path names.


MS08-008 addresses a Windows flaw attackers could exploit by tricking the user into viewing a Web site rigged with malware. The flaw lies within the operating system's Object Linking and Embedding (OLE) automation function. Microsoft said this is a critical security update for all supported editions of Windows 2000, Windows XP, Windows Vista, Microsoft Office 2004 for Mac, and Visual Basic 6. Microsoft addressed the problem by adding a check on memory requests within OLE Automation.

MS08-009 addresses a flaw attackers could exploit in Microsoft Word to launch malicious code if a user opens an infected Word file. Microsoft said this is a critical security update for supported editions of Microsoft Office 2000 and an important security update for Microsoft Office XP, Microsoft Office 2003, and Microsoft Office Word Viewer 2003. The update addresses the problem by modifying how Word handles specially crafted files.

MS08-010 is a cumulative update for Internet Explorer, fixing several flaws attackers could exploit to run malicious code on targeted machines when the user views a specially crafted Web page using the browser. Microsoft addressed the problem by modifying how Internet Explorer handles HTML and validates data, and by setting the kill bit for an ActiveX control.
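The MS08-010 summary mentions that one of the fixes is "setting the kill bit" for an ActiveX control. The kill bit is a per-CLSID flag in the registry (the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) that stops Internet Explorer from instantiating the control. The following PowerShell function is an added example, not code from the article or from Microsoft, that a Windows administrator can use to verify that the kill bit actually landed on a machine after patching. The CLSID in the usage line is a placeholder; the bulletin itself lists the real identifiers.

```powershell
# Added example (not from the article): report whether the Internet Explorer
# ActiveX kill bit is set for one or more control CLSIDs.
# The kill bit is the 0x400 flag of the "Compatibility Flags" DWORD under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# On 64-bit Windows the 32-bit browser reads the Wow6432Node view, so both are checked.

function Get-ActiveXKillBitStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Clsid
    )
    begin {
        $KillBitFlag = 0x400
        $Views = @(
            @{ Name = 'Native'; Base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
            @{ Name = 'WOW64';  Base = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
        )
    }
    process {
        foreach ($id in $Clsid) {
            # Normalise to the braced, upper-case form used as the registry key name
            $key = '{' + $id.Trim('{}').ToUpper() + '}'
            foreach ($view in $Views) {
                $path  = Join-Path $view.Base $key
                $flags = $null
                $present = Test-Path -Path $path
                if ($present) {
                    $item  = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                    if ($null -ne $item) { $flags = [int]$item.'Compatibility Flags' }
                }
                # KillBitSet is true only when the key exists and the 0x400 bit is present
                $set = ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
                [pscustomobject]@{
                    Clsid        = $key
                    RegistryView = $view.Name
                    KeyPresent   = $present
                    Flags        = $flags
                    KillBitSet   = $set
                }
            }
        }
    }
}

# Usage: pipe in the CLSIDs listed in the bulletin's kill-bit section.
# The value below is a placeholder, not a real control identifier.
@('{00000000-0000-0000-0000-000000000000}') | Get-ActiveXKillBitStatus | Format-Table -AutoSize
```

A row with KeyPresent false, or Flags present but without the 0x400 bit, means the control can still be loaded by the browser on that host and the update (or a later one) should be reapplied before the machine is considered covered.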

MS08-012 addresses two Microsoft Office Publisher flaws an attacker could exploit to launch malicious code on targeted machines when the user opens an infected Publisher file. Microsoft said this is a critical update for Office Publisher 2000, Office Publisher 2002 and Office Publisher 2003 Service Pack 2. The security update fixes the problem by modifying how Office Publisher handles specially crafted files.

MS08-013 addresses a Microsoft Office flaw attackers could exploit to run malicious code on targeted machines when the user opens an Office file with a malformed object inserted into the document. Microsoft said this is a critical security update for all supported editions of Microsoft Office 2000 and an important security update for Microsoft Office XP, Microsoft Office 2003 and Microsoft Office 2004 for Mac. Microsoft fixed the problem by modifying how Office loads documents with inserted objects.

Important bulletins summarized
Five of this month's security updates are for "important" flaws in Windows, Office and Microsoft Works:

MS08-003 addresses a flaw in implementations of Active Directory on Microsoft Windows 2000 Server, Windows Server 2003 and Active Directory Application Mode (ADAM) when installed on Windows XP and Windows Server 2003 systems. Attackers could exploit the flaw to cause a denial of service.

MS08-004 addresses a flaw attackers could exploit in Windows Vista's Transmission Control Protocol/Internet Protocol (TCP/IP) processing function to stop the operating system from responding and trigger a restart. Microsoft fixed the problem by validating the IP address provided by a DHCP server or assigned by command or API at the local machine.

MS08-005 and MS08-006 address local and remote flaws attackers could exploit in Internet Information Services (IIS) to hijack a targeted machine. Microsoft said this is an important update for Internet Information Services 5.0 on Windows 2000, Internet Information Services 5.1 on Windows XP, Internet Information Server 6.0 on Windows Server 2003, and Internet Information Services 7.0 on Windows Vista. MS08-006 applies to Internet Information Services running on all supported editions of Windows XP and Windows Server 2003.

MS08-011 addresses three flaws attackers could exploit in the Microsoft Works File Converter to run malicious code when the user opens an infected .wps file with an affected version of Microsoft Office, Works or Microsoft Works Suite.
