
Inside MSRC: Microsoft issues guidance on critical flaws

By Bill Sisk
09 Dec 2008 | SearchSecurity.com



As the year comes to a close, I will be providing guidance for the last time in 2008 on how to get your systems protected. In particular, I will offer the key information you need for your risk assessments and deployment strategies.


In this month's column I will review the eight security bulletins that were released: six rated Critical and two rated Important. I will also briefly touch on the new detections we released for the Malicious Software Removal Tool.

MS08-070
This bulletin addresses five privately reported vulnerabilities and one publicly disclosed vulnerability in the ActiveX controls for the Microsoft Visual Basic 6.0 Runtime Extended Files. The severity of these vulnerabilities is Critical, with the possibility of remote code execution if a user views a malicious website that exploits one of them. Two examples of Microsoft applications affected by these vulnerabilities are Microsoft Office Project 2007 Service Pack 1 and Microsoft Visual Studio .NET 2003 Service Pack 1.

Make sure you check with any third-party application vendors whose products use these controls, and obtain their updates as well. Additionally, developers who redistribute these controls should update their applications to use the newer versions. As a side note, it is possible to prevent the vulnerable controls from running in Internet Explorer, which blocks the browser-based attack vector even before the update is deployed.
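The Internet Explorer mitigation mentioned above is the ActiveX "kill bit": a Compatibility Flags value of 0x400 under the control's CLSID in the ActiveX Compatibility registry key, which makes IE refuse to instantiate the control. The script below is an added example, not code from the bulletin or this column, and the CLSID list is a placeholder: take the actual CLSIDs from the MS08-070 bulletin's workaround section. It must be run from an elevated prompt because it writes to HKLM.

```powershell
# Added example: set and verify IE kill bits for a list of ActiveX CLSIDs.
# The CLSIDs below are placeholders; replace them with the CLSIDs listed in MS08-070.
$ClsidList = @(
    '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real control
)

# IE reads kill bits from here; the Wow6432Node path covers 32-bit IE on 64-bit Windows.
$CompatPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

$KillBit = 0x400   # "Compatibility Flags" bit that blocks instantiation in Internet Explorer

function Set-KillBit {
    param([string]$Clsid)
    foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }   # Wow6432Node does not exist on 32-bit Windows
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into whatever flags are already present rather than overwriting them
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$current) -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-KillBit {
    param([string]$Clsid)
    foreach ($base in $CompatPaths) {
        if (-not (Test-Path $base)) { continue }
        $key = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        New-Object PSObject -Property @{
            Path   = $key
            Flags  = $flags
            Killed = ((([int]$flags) -band $KillBit) -ne 0)   # $true only if the kill bit is set
        }
    }
}

foreach ($c in $ClsidList) {
    Set-KillBit  -Clsid $c
    Test-KillBit -Clsid $c | Format-Table Path, Flags, Killed -AutoSize
}
```

Two caveats a deployment plan should note: the kill bit only stops Internet Explorer (and other hosts that honour the Compatibility Flags) from loading the control; the vulnerable binary is still on disk and other applications can still use it, so it is a stopgap and not a substitute for the update. And because it is keyed on CLSID, any in-house or third-party application that hosts these controls inside IE stops working until its vendor ships an updated control. The same values can be pushed fleet-wide as a .reg file or through Group Policy.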

About Inside MSRC:
As part of a special partnership with SearchSecurity.com, Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.


I encourage you to download and use the Microsoft Baseline Security Analyzer (MBSA) to identify systems that still have the vulnerable controls for the Microsoft products listed in the bulletin. MBSA will not see controls redistributed inside third-party applications, so cover those through your vendors.

MS08-071
The Graphics Device Interface (GDI) contains two vulnerabilities that could allow remote code execution if a user views a specially crafted Windows Metafile Format (WMF) file. These vulnerabilities affect all supported versions of Microsoft Windows. Reading email in plain text helps mitigate the risk, but it is still important to deploy this update as soon as possible. Testing the update before broad deployment is also important, because GDI is the "plumbing" in Microsoft Windows that applications rely on to render graphics and text on both the monitor and the printer, so a regression would be felt everywhere.

MS08-072
Microsoft Word contains several vulnerabilities that could allow remote code execution if a user opened a specially crafted Rich Text Format (RTF) Word document or viewed a specially crafted RTF-formatted email. In addition, there are several vulnerabilities that could allow remote code execution if a user opens a specially crafted Word file of any type.

A workaround for the email vector is to read email in plain text. There is also a way to prevent Microsoft Word from loading RTF-formatted documents at all, which covers the file vector for RTF but not for the other Word file types.
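Both workarounds are per-user registry settings. The script below is an added example, not code from the bulletin or this column: it sets Outlook to render every message as plain text (the ReadAsPlain value) and turns on the Office File Block policy entry for RTF in Word (the RtfFiles value under FileOpenBlock). The key paths follow the documented Office 2003 (11.0) and Office 2007 (12.0) layouts, and File Block assumes Office 2003 SP3 or Office 2007 SP1; confirm the exact value names against the bulletin's workaround section before deploying.

```powershell
# Added example: apply the MS08-072 workarounds for the current user and read each value back.
# Assumes Office 2003 SP3 (11.0) and/or Office 2007 SP1 (12.0); versions not installed are skipped.
$OfficeVersions = @('11.0', '12.0')

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    # Return the stored value so the caller can verify the change took effect
    (Get-ItemProperty -Path $Path -Name $Name).$Name
}

function Set-Ms08072Workarounds {
    param([switch]$Revert)   # -Revert restores the defaults once the update is deployed
    $value = if ($Revert) { 0 } else { 1 }
    foreach ($v in $OfficeVersions) {
        $officeKey = "HKCU:\Software\Microsoft\Office\$v"
        if (-not (Test-Path $officeKey)) { continue }   # this Office version is not installed

        # Outlook: ReadAsPlain = 1 renders all messages as plain text (HTML and RTF bodies are not parsed)
        $plain = Set-RegDword "$officeKey\Outlook\Options\Mail" 'ReadAsPlain' $value

        # Word: File Block policy, RtfFiles = 1 makes Word refuse to open RTF documents
        $rtf = Set-RegDword "$officeKey\Word\Security\FileOpenBlock" 'RtfFiles' $value

        New-Object PSObject -Property @{
            Office      = $v
            ReadAsPlain = $plain
            RtfBlocked  = ($rtf -eq 1)
        }
    }
}

Set-Ms08072Workarounds | Format-Table Office, ReadAsPlain, RtfBlocked -AutoSize
```

Because these are HKCU values they protect only the user who runs the script; for a fleet, push the same values through Group Policy. Plan to run the function again with -Revert after the update is deployed, since File Block stops Word opening every RTF file, including legitimate ones, and plain-text rendering hides formatting and inline images in mail.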

MS08-073
This bulletin addresses four privately reported vulnerabilities in Internet Explorer, the worst of which is rated Critical. They could allow remote code execution if a user viewed a specially crafted Web page. On some platforms the rating is only Moderate; Internet Explorer 6 on Windows Server 2003 Service Pack 1 and Service Pack 2 are two such instances, because of the server's default Enhanced Security Configuration. The bulletin also lists a number of workarounds for the respective vulnerabilities.

MS08-074
This bulletin is similar to the one for Microsoft Word in that remote code execution can occur if a user opens a specially crafted file, in this case a Microsoft Excel file. Because Office 2000 is affected, note that users who have installed the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save or Cancel before a document opens. The features of the Office Document Open Confirmation Tool are built into Office XP and Office 2003.

MS08-075
Windows Search in Windows Vista and Windows Server 2008 contains two remote code execution vulnerabilities that are rated Critical. One of the vulnerabilities can be exploited via a specially crafted ".search-ms" file; a successful exploit requires the user to open and then save the specially crafted file. The bulletin has information regarding the second vulnerability. I also want to note that Windows Search is an optional add-in for Windows XP and is not affected by these vulnerabilities.

In general, ".search-ms" files are created when a user saves a search performed on a Windows Vista or Windows Server 2008 system. For example, I created and saved a search file to my desktop that pulls everything associated with my wife's name. So whenever she claims that I did not send her something, I can just double-click the search file and get myself out of trouble. The only problem is I can never seem to find the info that I know I sent.

MS08-076
This bulletin addresses two privately reported vulnerabilities in Windows Media Components that could allow remote code execution; it is rated Important. Keep the following facts in mind when prioritizing this bulletin: Windows Media Services is not installed by default, and Windows Media Player 11 is only present on Windows Server 2008 when the Desktop Experience feature is installed.

MS08-077
This bulletin addresses a vulnerability rated Important in Microsoft Office SharePoint Server 2007 and Microsoft Search Server 2008 that could allow an unauthenticated user to elevate privilege, which in turn could result in information disclosure or a denial-of-service condition. Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Portal Server 2003 Service Pack 3 are not affected.

Malicious Software Removal Tool
This month we are adding the threat families Win32/FakeXPA and Win32/Yektel to the Malicious Software Removal Tool (MSRT). For additional information, see the family descriptions in the Microsoft Malware Protection Center (MMPC) encyclopedia or the MMPC blog.

In closing, please take a moment and register for our monthly security bulletin webcast, which will be held on Wednesday, Dec. 10, at 11 a.m. PST.

Christopher Budd and Adrian Stone will review information about each bulletin to further aid in your planning and deployment. Immediately following the review session they will answer your questions with information from our assembled panel of experts. If you are not able to view the live webcast, it will also be available on demand.

In addition, please take a moment and mark your calendars for the January 2009 monthly bulletin release scheduled for Tuesday, Jan. 13, and the advance notification scheduled for Thursday, Jan. 8. Look for the January edition of this column on release day for information to help you plan and deploy the most recent security bulletins.

On a final note, our number one priority is to protect customers and make the security ecosystem at large more secure, and there are security researchers who feel the same way. With this in mind, I want to mention that almost all of the vulnerabilities addressed in these bulletins were responsibly disclosed. I would like to give a warm thank you to those who worked with us on this release. As usual, they are listed at the bottom of each bulletin.


