Hello and welcome to this month’s blog on the Microsoft patch releases. This is another fairly heavy month, with 11 bulletins covering 20 vulnerabilities.
There are 10 critical issues this month affecting Internet Explorer, Excel, Active Directory, and the RPC service of Host Integration Server. All of them are remote code-execution issues, but the issues affecting Host Integration Server and Active Directory do not require any user interaction, making them potentially the worst of the bunch. The remaining issues (rated Important and Moderate) affect Message Queuing Service, Internet Printing Protocol (IPP), Windows Kernel, Ancillary Function Driver, Virtual Address Descriptors (VADs), and Server Message Block (SMB).
As always, customers are advised to follow these security best practices:
-Block external access at the network perimeter to specific sites and computers only.
-Avoid sites of questionable or unknown integrity.
-Never open files from unknown or questionable sources.
-Run all software with the least privileges required while still maintaining functionality.
Microsoft’s summary of the October releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx
Some of the notable vulnerabilities this month are:
1. MS08-058 Cumulative Security Update for Internet Explorer (956390)
CVE-2008-3472 (BID 31615) HTML Element Cross-Domain Vulnerability (MS Rating: Critical /Symantec Urgency Rating 8.5/10)
A cross-domain remote code-execution and information disclosure vulnerability affects Internet Explorer because it incorrectly interprets the origin of script code. An attacker can exploit this issue by enticing a victim into viewing a specially crafted web page. Code execution in the context of another domain or security zone is only possible when exploited through Internet Explorer 6 SP1 running on Windows 2000 SP4, otherwise a successful exploit will result in information disclosure only.
Affects: Internet Explorer 5.01 SP4, Internet Explorer 6, Internet Explorer 6 SP1, and Internet Explorer 7.
CVE-2008-3473 (BID 31616) Microsoft Internet Explorer Event Handling Cross Domain Security Bypass Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.5/10)
A cross-domain remote code-execution and information disclosure vulnerability affects Internet Explorer because it incorrectly interprets the origin of script code. An attacker can exploit this issue by enticing a victim into viewing a specially crafted web page. Code execution in the context of another domain or security zone is only possible when exploited through Internet Explorer 6 SP1 running on Windows 2000 SP4, otherwise a successful exploit will result in information disclosure only.
Affects: Internet Explorer 5.01 SP4, Internet Explorer 6, Internet Explorer 6 SP1, and Internet Explorer 7
CVE-2008-2947 (BID 29960) Microsoft Internet Explorer 'location' & 'location.href' Cross Domain Security Bypass Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.5/10)
This is a previously documented cross-domain security-bypass vulnerability affecting Internet Explorer originally disclosed on June 26, 2008. The problem occurs when handling the “location” or “location.href” property contained in a window object. An attacker can exploit this issue to execute arbitrary code in another browser window’s security zone.
Affects: Internet Explorer 5.01 SP4, Internet Explorer 6, Internet Explorer 6 SP1, and Internet Explorer 7
CVE-2008-3475 (BID 31617) Microsoft Internet Explorer Uninitialized Object Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code execution vulnerability affects Internet Explorer when it accesses an object that has not been properly initialized or has been deleted. An attacker can exploit this issue by tricking a victim into viewing a specially crafted web page. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Internet Explorer 6, and Internet Explorer 6 SP1
CVE-2008-3476 (BID 31618) Microsoft Internet Explorer HTML Objects Uninitialized Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code execution vulnerability affects Internet Explorer because it attempts to access uninitialized memory in certain situations. An attacker can exploit this issue by tricking a victim into viewing a specially crafted web page. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Internet Explorer 5.01 SP4, Internet Explorer 6, and Internet Explorer 6 SP1
2. MS08-059 Microsoft Host Integration Server RPC Remote Code Execution Vulnerability (KB956695)
CVE-2008-3466 (BID 31620) HIS RPC Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.2/10)
A remote code execution vulnerability affects the SNA Remote Procedure Call (RPC) service of Host Integration Server. An attacker can exploit this issue by sending a malformed RPC request to the affected service. A successful exploit will result in the execution of arbitrary code in the context of the affected service. This could facilitate a complete compromise of the affected computer.
Affects: Microsoft Host Integration Server 2000 SP2, Microsoft Host Integration Server 2000 Administrator Client, Microsoft Host Integration Server 2004, Microsoft Host Integration Server 2004 SP1, Microsoft Host Integration Server 2006 32-bit, and Microsoft Host Integration Server 2006 x64.
3. MS08-057 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)
CVE-2008-3477 (BID 31702) Microsoft Excel Calendar Object Validation Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code execution vulnerability affects Excel when processing a VBA Performance Cache. An attacker must trick a victim into opening a malicious project file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Excel 2000 SP3, Excel 2002 SP3, and Excel 2003 SP2 and SP3
CVE-2008-3471 (BID 31705) Microsoft Excel File Format Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code execution vulnerability affects Excel when processing a malformed Excel file. An attacker must trick a victim into opening a malicious file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Excel 2000 SP3, Excel 2002 SP3, Excel 2003 SP2 and SP3, Excel 2007, Excel 2007 SP1, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 SP3, Microsoft Office Excel Viewer, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac.
CVE-2008-4019 (BID 31706) Microsoft Excel Formula Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)
A remote code execution vulnerability affects Excel when parsing a malformed formula embedded in a cell. Specifically, a REPT function call can be exploited to cause an integer overflow. An attacker must trick an unsuspecting victim into opening a malicious file to exploit this issue. A successful exploit will result in the execution of arbitrary code in the context of the currently logged-in user.
Affects: Excel 2000 SP3, Excel 2002 SP3, Excel 2003 SP2 and SP3, Excel 2007, Excel 2007 SP1, Microsoft Office Excel Viewer 2003, Microsoft Office Excel Viewer 2003 SP3, Microsoft Office Excel Viewer, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1, Microsoft Office SharePoint Server 2007, Microsoft Office SharePoint Server 2007 SP1, Microsoft Office SharePoint Server 2007 x64 Edition, Microsoft Office SharePoint Server 2007 x64 Edition SP1*, Office 2004 for Mac, Office 2008 for Mac, Open XML File Format Converter for Mac.
4. MS08-060 Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
CVE-2008-4023 (BID 31609) Microsoft Windows Active Directory LDAP Request Handling Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.2/10)
A remote code execution vulnerability affects Active Directory on Windows 2000 because of insufficient validation of LDAP requests. A remote attacker can exploit this issue by sending a malformed LDAP packet to an affected server. A successful exploit will result in the execution of attacker-supplied code in the context of the affected service. This may facilitate a complete compromise of the affected computer.
Affects: Active Directory
More information on this and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.