
Microsoft Patch Tuesday for April 2008

Created: 08 Apr 2008 07:00:00 GMT
Robert Keith

Hello and welcome to this month’s blog on the Microsoft patch releases. This time the vendor is releasing eight bulletins that cover a total of 10 vulnerabilities.

Of those, six are rated “critical”, three are “important” and one is “moderate”. Although all the critical issues are noteworthy, the vulnerability in VBScript/JScript and the vulnerabilities in GDI could be the worst of the bunch: the components are installed on multiple flavors of Windows, and the issues are relatively easy to exploit. Customers are advised to follow security best practices, specifically avoiding websites of unknown or questionable integrity and refusing to accept or open files from unknown sources.

Microsoft’s summary of the April releases can be found here:
http://www.microsoft.com/technet/security/bulletin...

1. MS08-022 Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)

CVE-2008-0083 (BID 28551) Microsoft VBScript and JScript Scripting Engines Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)

A client-side remote code-execution vulnerability affects JScript and VBScript due to how they decode script in certain Web pages. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page or opening a malicious file. A successful attack will result in the execution of attacker-supplied code with the privileges of the currently logged-in user.

Affects: VBScript/JScript 5.1 on Microsoft Windows 2000 SP4, and VBScript/JScript 5.6 on Microsoft Windows 2000 SP4, Windows XP SP2, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows 2003 Server x64 Edition SP2, and Windows Server 2003 with SP1 and SP2 for Itanium-based Systems

2. MS08-021 Vulnerabilities in GDI Could Allow Remote Code Execution (948590)

CVE-2008-1083 (BID 28571) Microsoft Windows GDI Heap Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.8/10)

A client-side remote code execution vulnerability affects GDI due to how it handles integer calculations. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious EMF or WMF file. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. It may also be possible to exploit this issue in the context of SYSTEM; this will result in a complete compromise.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows 2003 Server x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008, Windows Server 2008 x64 Edition, and Windows Server 2008 for Itanium-based Systems

CVE-2008-1087 (BID 28570) Microsoft Windows GDI Stack Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.8/10)

A client-side remote code execution vulnerability affects GDI due to how it handles file name parameters. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious EMF file. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. It may also be possible to exploit this issue in the context of SYSTEM; this will result in a complete compromise.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows 2003 Server x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008, Windows Server 2008 x64 Edition, and Windows Server 2008 for Itanium-based Systems

3. MS08-024 Cumulative Security Update for Internet Explorer (947864)

CVE-2008-1085 (BID 28552) Microsoft Internet Explorer Data Stream Handling Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)

A client-side remote code-execution vulnerability affects Internet Explorer because of the way it handles data streams. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Internet Explorer 5.01 SP4, Internet Explorer 6 SP1, Internet Explorer 6, and Internet Explorer 7

4. MS08-023 Security Update of ActiveX Killbits (948881)

CVE-2008-1086 (BID 28606) Microsoft 'hxvz.dll' ActiveX Control Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)

A client-side remote code execution vulnerability affects the ‘hxvz.dll’ component. A remote attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious web page. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Internet Explorer 5.01 SP4, Internet Explorer 6 SP1, Windows XP SP2, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008, Windows Server 2008 x64 Edition, and Windows Server 2008 for Itanium-based Systems

Microsoft is also releasing an update that sets the kill bit for the third-party component Yahoo! Music Jukebox. The following CLSIDs are having their kill bit set in this release:
{5f810afc-bb5f-4416-be63-e01dd117bd6c} BIDs 27579 and 27590
{22fd7c0a-850c-4a53-9821-0b0915c96139} BID 27578
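
To confirm the update took effect, the kill bit can be read back from the registry. The script below is an added example, not part of the original post or of Microsoft's update; it checks only the two Yahoo! Music Jukebox CLSIDs listed above and assumes the standard kill-bit location (the `Compatibility Flags` value, bit 0x400, under Internet Explorer's `ActiveX Compatibility` key).

```powershell
# Added example: report whether the kill bit is set for the CLSIDs listed above.
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under
# ...\Internet Explorer\ActiveX Compatibility\{CLSID}.
$KillBit = 0x00000400

# CLSIDs copied from the list above (Yahoo! Music Jukebox).
$Clsids = @(
    '{5f810afc-bb5f-4416-be63-e01dd117bd6c}',
    '{22fd7c0a-850c-4a53-9821-0b0915c96139}'
)

# Native registry view plus the 32-bit view used by 32-bit IE on x64 Windows.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$Root, [string]$Clsid)

    $key   = Join-Path $Root $Clsid
    $state = 'NotSet (key missing)'
    if (Test-Path -LiteralPath $key) {
        $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $prop = if ($item) { $item.PSObject.Properties['Compatibility Flags'] }
        if ($null -eq $prop) {
            $state = 'NotSet (value missing)'
        } elseif (([int64]$prop.Value -band $KillBit) -ne 0) {
            $state = 'Set'
        } else {
            # Other compatibility flags are present, but not the kill bit.
            $state = 'NotSet (flags=0x{0:X})' -f $prop.Value
        }
    }
    New-Object PSObject -Property @{ Clsid = $Clsid; Root = $Root; KillBit = $state }
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # no Wow6432Node on x86
    foreach ($clsid in $Clsids) {
        Get-KillBitState -Root $root -Clsid $clsid
    }
}
```

On 64-bit Windows both views matter, because a kill bit present only in the native view does not cover the 32-bit browser.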

5. MS08-018 Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183)

CVE-2008-1088 (BID 28607) Microsoft Project Resource Memory Allocation Variable Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)

A client-side remote code execution vulnerability affects Project when handling malformed Project files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Project 2000 SR1, Microsoft Project 2002 SP1, and Microsoft Office Project 2003 SP2

6. MS08-025 Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)

CVE-2008-1084 (BID 28554) Microsoft Windows Kernel Usermode Callback Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.6/10)

A local privilege-escalation vulnerability affects the Windows kernel due to improper validation of user-mode input. A local attacker can exploit this issue to execute arbitrary code with kernel-level permissions.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows 2003 Server x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Vista for Itanium-based systems, Windows Vista for Itanium-based systems SP1, Windows Server 2008, Windows Server 2008 x64 Edition, and Windows Server 2008 for Itanium-based Systems

7. MS08-020 Vulnerability in DNS Client Could Allow Spoofing (945553)

CVE-2008-0087 (BID 28553) Microsoft Windows DNS Client Service Response Spoofing Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.1/10)

A spoofing vulnerability affects DNS clients on multiple Windows platforms. The problem allows an attacker to spoof legitimate DNS responses, potentially redirecting victims to an attacker-controlled location. This may aid in phishing-style attacks; other attacks are also possible.

Affects: Microsoft Windows 2000 Server SP4, Windows XP SP2, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, and Windows Vista x64 Edition


8. MS08-019 Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032)

CVE-2008-1089 (BID 28555) Microsoft Visio Object Header Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)

A client-side remote code execution vulnerability affects Visio due to how it validates object header data. An attacker must trick a victim into opening a specially crafted Visio file to exploit this issue. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Office Visio 2002 SP2, 2003 SP2, 2003 SP3, 2007, and 2007 SP1

CVE-2008-1090 (BID 28556) Microsoft Visio Memory Validation Remote Code Execution Vulnerability (MS Rating: Moderate / Symantec Urgency Rating: 7.1/10)

A client-side remote code execution vulnerability affects Visio due to how it validates memory allocations when loading malformed .DXF files. An attacker must trick a victim into opening a specially crafted Visio file to exploit this issue. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Office Visio 2002 SP2, 2003 SP2, 2003 SP3, 2007, and 2007 SP1

More information on these and other vulnerabilities is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.