Microsoft patched both client and server side flaws correcting vulnerabilities in Internet Explorer and Excel and repaired problems with the Host Integration Server and Active Directory on Windows 2000 Server.
The software giant said four of the critical updates fix vulnerabilities that could lead to remote code execution by an attacker. Eleven security bulletins have been released to fix 20 flaws.
Microsoft corrected a vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server. Security bulletin MS08-060 addresses a problem in the way the server allocates memory for client LDAP requests. Microsoft said a remote attacker could send a malicious LDAP request triggering a memory allocation problem. If successfully exploited, an attacker could gain access to an affected network. The vulnerability affects Microsoft Windows 2000 servers configured to be domain controllers, Microsoft said.
"This is really nasty if you have a Windows 2000 domain controller," said Eric Schultze, chief technology officer at Shavlik Technologies LLC, in Roseville , Minn. Schultze said the good news is that operating system patches are relatively easy to deploy.
A hole in Microsoft's Host Integration Server was also plugged. In bulletin MS08-059, Microsoft said the server flaw could be exploited if an attacker sends a malicious Remote Procedure Call (RPC) request. If successful, an attacker could take complete control of an affected system. The update affects all supported editions of Microsoft Host Integration Server 2000, Microsoft Host Integration Server 2004, and Microsoft Host Integration Server 2006.
In a statement to reporters, Ben Greenbaum, senior research manager, Symantec Security Response said the server side vulnerabilities deserve the greatest attention.
"…they are dangerous because they do not require any user-interaction and can lead to complete compromise of the host computer," Greenbaum said. "Once a server is compromised, the attackers typically embed further attacks against that server's users in public-facing content."
Shavlik's Schultze said several other updates also deserve attention. MS08-062 addresses an issue with Windows Internet Printing Service. The vulnerability was rated important since a user has to be logged in with administrative rights in order for an attacker to successfully exploit the flaw. But Schultze points out that Microsoft's new Exploitability Index warns that exploit code has been discovered in limited, targeted attacks. Microsoft said an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.
MS08-063 addresses a hole Microsoft Server Message Block (SMB) Protocol. Although it is also only rated important, Schultze said the protocol is used to login to systems, access corporate networks including file and printing servers and deserves attention from system administrators. The vulnerability faces an internal threat from a disgruntled employee, he said. The update affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
Microsoft also corrected several remote code vulnerabilities in Internet Explorer. In bulletin MS08-058, Microsoft said five vulnerabilities were resolved. The company said an attacker would have to get a user to view a malicious Web page to exploit the flaws. The update affects IE 5.01 and IE 6 Service Pack 1 on Windows 2000 and Windows XP. Internet Explorer 7 is rated important.
Three flaws in Microsoft Excel were addressed in MS08-057. The flaw was rated critical for Excel 2000 Service Pack 3. In its bulletin, Microsoft said an attacker could exploit the flaws by getting a user to open a malicious Excel file. Once exploited, an attacker could take complete control of an affected system. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said.
As a result of Microsoft's updates, Symantec Corp. informed customers of its DeepSight Threat Management System that it raised its ThreatCon level from level 1 to level 2. Symantec said Microsoft also released a Cumulative Security Update of ActiveX kill bits, essentially stopping malicious websites from opening several tools in Internet Explorer.
"Remote attackers can exploit many of the vulnerabilities that are being addressed with these security updates to execute arbitrary code," Symantec said. "Customers are strongly advised to install these updates as soon as possible."