Microsoft Tuesday issued six critical patches, one less than expected, covering Windows, Office, Internet Explorer and Windows Media Player. Five other patches rated as important were delivered as part of Microsoft's monthly Patch Tuesday release.
Office was perhaps the hardest hit this month with Word, Excel, Access and PowerPoint all having vulnerabilities. Internet Explorer had one patch but six vulnerabilities. The patches mostly were centered on the client side rather than the server side.
August's release addressed 26 separate vulnerabilities in the 11 patches, the largest number of patches in one month since the 11 released in February.
Four of the August vulnerabilities were classified as zero day: MS08-041 (Access), MS08-042 (Word), MS08-045 (Internet Explorer), MS08-050 (Windows Messenger).
"Even though 50 is rated only as important, it is categorized as information theft," says Amol Sarwate, manager of vulnerabilities research lab at Qualys. "An attacker can steal the user's Messenger ID and they can use it to call people for audio and video conferences and to see all the user's chat information."
Christopher Budd, security response communications lead for Microsoft, said in a statement that the planned seventh critical patch, which Microsoft announced last week, was held back due to quality issues. The statement did not say when that patch would be released, but it is likely to find its way into the September release unless the vulnerability begins to be actively exploited.
The patch for Internet Explorer (MS08-045) addresses a combination of five privately reported vulnerabilities and one publicly disclosed vulnerability. The vulnerabilities affect Internet Explorer version 5.01, 6.0, 6.0 (SP1), and 7 on various versions of Windows including Windows 2000, XP, XP Pro, Vista, and Windows Server 2003 and 2008.
Four of the vulnerabilities deal with HTML, points out Don Leatham, director of solutions and strategy at Lumension Security. "All four can provide a hacker with remote code execution across IE 6 and 7 and across almost all versions of Windows. Every single Web page in the world has some level of HTML and so we think this is one people need to get ahead of. This is going to be a playground for hackers."
The Office vulnerabilities centered on Access, Excel, PowerPoint and Office Filters. The Filters vulnerability is rated critical for supported editions of Microsoft Office 2000. It is rated important for supported editions of Office XP, Office 2003 Service Pack 2, Project 2002 Service Pack 1, Office Converter Pack, and Works 8.
"Some of these can get nasty if left unpatched," says Jason Miller, security data team manager for Shavlik Technologies.
Miller says in addition to the Internet Explorer vulnerabilities, he would highlight those in MS08-046, which addresses flaws in the Windows Image Color Management System.
"I fully expect in the next couple of weeks, if not already, we will start to see these specialty crafted evil Web sites out there," Miller says. "With the imaging part, it could be used in inline advertising." Miller says a user can be compromised just by pulling up the Web site.
He also notes that the August security patches were a load. "If you are patching a corporate network, this is quite a lot to get your arms around," he says.
The other patch that corporate users should be concerned with is MS08-047, which addresses a vulnerability in IPsec.
"There are ways that people can build exploits that would turn an IPsec session into an open text session," Lumension's Leatham says. He says healthcare and financial services companies could classify 047 as critical given that data thought to be secure could be passed as clear text, posing a significant security risk.
Microsoft says an attacker viewing the traffic on the network might possibly be able to modify the contents of the traffic in the IPsec session. The attack would require sniffing network traffic and therefore is more likely to be carried out by an internal hacker. The 047 patch covers Vista and Windows Server 2008.
"Vista and Server 2008, which are supposed to be on the forefront of computer security, are still having security issues and patches. So being on those platforms does not mean you are more secure than being on XP and Server 2003," Shavlik's Miller says.
The patches come on top of security advisories issues last month, especially one around DNS spoofing, which is not reportedly being exploited in the wild. Security experts say corporate users should have the patch high on their list if they have not already installed it.