Microsoft issues slew of critical security patches
Vista, Office and IE among vulnerable software
By John Fontana, Network World, 12/09/2008
Microsoft Tuesday released its final eight patches of 2008, which address 28 vulnerabilities including a critical flaw in the new search component in Vista and Windows Server 2008.
Six of the eight were listed as "critical" and the final two were rated "important." The final total of patches for the year was 77.
One of the important patches, MS08-076, targets a set of vulnerabilities that when taken together can add up to a critical
flaw, according to information Microsoft provided to antimalware vendors. Microsoft, however, does not base its ratings on
combinations, just on the individual flaws.
The vulnerability is similar to the one addressed by last month's MS08-068, which allowed an attacker to steal a password and use it to log on to a user's machine and gain control of the PC. That flaw was nearly seven years old before Microsoft patched it.
The Vista and Windows Server 2008 vulnerabilities detailed in MS08-075 stand out because the affected search component was
developed from scratch for those platforms under Microsoft's new edict to develop secure code. Experts, however, say the threat
of exploit appears to be low.
"It shows that even in the newer code that is highly scrutinized by the security teams at Microsoft and where developers are
being held to secure coding standards you can still have problems," says Wolfgang Kandek, CTO of Qualys.
On the whole, the December crop of patches is more heavily focused on user machines – laptops and desktops – than on the server side.
"For those that manage desktops it is a busy month," says Eric Schultze, CTO of Shavlik Technologies.
The crop of vulnerabilities also included another flaw in GDI, a component of Windows responsible for representing graphical
objects.
"The exploit vector is very high," says Amol Sarwate, manager of the vulnerabilities research lab at Qualys. "You just have
to view an image on a malicious Web page. And since it is in the OS, all Windows machines are affected by default."
Sarwate says MS08-070 also is of interest to corporate users because part of the attack vector can be delivered via DLLs that
are used by third-party applications.
The flaw is in the runtime of Visual Basic and other development tools.
"If you develop an application that uses [those DLLs] then that application transmits those vulnerable DLLs to the client
system," Kandek says. He says independent software vendors will have to patch their applications.
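The point Kandek makes is that a patched runtime in the system directory does not help if an application ships its own copy of the same DLL alongside its executable. The following PowerShell inventory script is an added example, not code from the article or from Microsoft or Qualys: it walks the usual application roots for every copy of a named DLL and flags copies whose file version is below the patched build. The DLL name and minimum version are placeholders, since the article does not list the affected file names; take both from the vendor bulletin for the component you are tracking.

```powershell
# Added example (not from the article): find redistributed copies of a runtime DLL
# outside the system directory and flag those older than the patched build.
# $DllName and $MinimumVersion are PLACEHOLDERS, not real values from any bulletin.
param(
    [string]$DllName = 'EXAMPLE_RUNTIME.dll',       # placeholder file name
    [version]$MinimumVersion = '0.0.0.0',           # placeholder patched build number
    [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot)
)

$results = foreach ($root in $Roots | Where-Object { $_ -and (Test-Path $_) }) {
    Get-ChildItem -Path $root -Filter $DllName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fv = $_.VersionInfo.FileVersion
            $parsed = $null
            # FileVersion strings often carry a text suffix; parse only the leading a.b.c.d
            if ($fv -match '^\s*(\d+(\.\d+){1,3})') { $parsed = [version]$Matches[1] }
            [pscustomobject]@{
                Path         = $_.FullName
                FileVersion  = $fv
                # Copies under the Windows directory are what Windows Update services;
                # copies elsewhere were shipped by an application and need the ISV's fix.
                InSystemRoot = $_.FullName.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
                Outdated     = if ($parsed) { $parsed -lt $MinimumVersion } else { $null }
            }
        }
}

$results | Sort-Object InSystemRoot, Path | Format-Table -AutoSize

$appCopies = @($results | Where-Object { -not $_.InSystemRoot -and $_.Outdated -ne $false })
"{0} copies of {1} found outside the system directory that are outdated or unparseable." -f
    $appCopies.Count, $DllName
```

Run it with the real file name and minimum version from the bulletin, for example `.\Find-RedistributedDll.ps1 -DllName <name> -MinimumVersion <a.b.c.d>`. A copy reported with `InSystemRoot` equal to `False` and `Outdated` equal to `True` is exactly the case the article describes: the operating-system patch will not touch it, and only an update from the application vendor will.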
Paul Henry, security and forensic analyst at Lumension, says as a whole the group of patches represents "some serious issues
that need to be patched immediately. It is incredibly difficult to prioritize them."
Thirteen of the 28 vulnerabilities were given the top rating on Microsoft's new "exploitability index." A ranking of "1" means
that the vulnerability is an attractive target for hackers because they can create exploit code that could consistently exploit
the vulnerability.
Microsoft Tuesday also released a security advisory to notify users that it is investigating reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 SP4, XP SP2, Windows Server 2003 SP1, and Windows Server 2003 SP2.
Comments (4)
8 patches for Patch Tuesday, plus new WordPad hole found. By Microsoft Subnet on December 9, 2008, 4:31 pm: As expected, Microsoft has released eight patches today, six of them rated critical. It also issued a warning for older versions of Windows about a vulnerability...

These are only the "Known" bugs. By Schratboy on December 10, 2008, 12:07 am: OK, patching is important but don't lose sight of the fact that these are only known bugs. There are always going to be undetermined flaws that exist, so aside...

Good point ... is there an answer. By Microsoft Subnet on December 10, 2008, 2:55 pm: The security industry has for years toyed with the idea that they need to get off the patch/break/patch treadmill. The only problem is, there seems to be only two...

Also see ... By Microsoft Subnet on December 10, 2008, 3:04 pm: Another Microsoft bug revealed on huge patch day and Microsoft issues slew of critical security patches