Endpoint Protection

Hello and welcome to this month's blog on the Microsoft patch releases. This is a relatively light month, with four bulletins covering eight vulnerabilities.
 
All of the vulnerabilities this month are client-side issues rated "critical." Five of the issues affect the GDI+ graphics library; the rest affect Media Player, Microsoft Office, and Media Encoder. All of the issues have the potential to see active exploits, but the GDI+ vulnerabilities have the most avenues of attack and affect the most systems. The OneNote protocol handler vulnerability is fairly trivial to exploit.

As always, customers are advised to follow these security best practices:

-    Avoid sites of questionable or unknown integrity.
-    Never open files from unknown or questionable sources.
-    Run all client software with the least privileges required while still maintaining functionality.

Microsoft's summary of the September releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms08-sep.mspx

1. MS08-052 Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)

CVE-2007-5348 (BID 30138) Microsoft Windows GDI+ VML Heap-Based Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects GDI+ when handling gradient sizes. An attacker must trick a victim into visiting a Web site containing malicious content, opening a malicious email, or into opening a malicious image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0

CVE-2008-3012 (BID 31019) Microsoft GDI+ EMF Image Processing Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects GDI+ when handling memory allocation. An attacker must trick a victim into visiting a Web site containing malicious content or into opening a malicious EMF image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0

CVE-2008-3013 (BID 31020) Microsoft GDI+ GIF File Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects GDI+ when parsing indexes in specially crafted GIF image files. An attacker must trick a victim into viewing a Web site containing malicious content or into opening a malicious image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0

CVE-2008-3014 (BID 31021) Microsoft GDI+ WMF Image File Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects GDI+ when allocating memory for WMF image files. An attacker must trick a victim into viewing a Web site containing malicious content or into opening a malicious image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Internet Explorer 6, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems*, x64-based Systems*, and Itanium-based Systems, Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0

CVE-2008-3015 (BID 31022) Microsoft GDI+ BMP Integer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects GDI+ when handling integer calculations. An attacker must trick a victim into viewing a Web site containing malicious content, or into opening a malicious BMP image file to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Visio 2002 SP2, Microsoft Office PowerPoint Viewer 2003, Microsoft Works 8, Microsoft Digital Image Suite 2006, SQL 2000 Reporting Services SP2, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 for Itanium-based Systems SP2, Microsoft Report Viewer 2005 SP1 Redistributable Package, Microsoft Report Viewer 2008 Redistributable Package, and Microsoft Forefront Client Security 1.0

2. MS08-054 Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)

CVE-2008-2253 (BID 30550) Microsoft Windows Media Player SSPL File Sample Rate Remote Code-Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote code-execution vulnerability affects Media Player when handling streamed audio-only files from a server-side playlist (SSPL). An attacker must trick a victim into opening a malicious audio file from a Windows Media Server to exploit this issue. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged-in user.

Affects: Windows Media Player 11

3. MS08-055 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (955047)

CVE-2008-3007 (BID 31067) Microsoft Office OneNote URL Handler Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Office when processing the OneNote protocol handler (‘onenote://'). An attacker can exploit this issue by tricking a victim into following a malicious URL. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Office XP SP3, Microsoft Office 2003 SP2 and SP3, 2007 Microsoft Office System, 2007 Microsoft Office System SP1, Microsoft Office OneNote 2007 and Microsoft Office OneNote 2007 SP1

4. MS08-053 Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)

CVE-2008-3008 (BID 31065) Microsoft Windows Media Encoder 9 'wmex.dll' ActiveX Control Remote Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A client-side remote-code execution vulnerability affects the WMEX.DLL ActiveX control installed by Windows Media Encoder 9. An attacker must trick a victim into viewing a Web page containing malicious content to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Server 2008 for 32-bit Systems**, and x64-based Systems**

• More information on this and the other vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.