Multiple versions of Windows are affected by the security updates Microsoft released Tuesday, including Vista. But vulnerability management experts say IT administrators should place the highest urgency on patches for Microsoft Office and Internet Explorer, given the wide attack surface those programs provide.
The software giant released 11 security updates in all, six of them for critical flaws attackers could exploit to take complete control of targeted machines. That's one shy of the 12 updates Microsoft predicted in last week's advance bulletin.
Don Leatham, director of solutions and strategy for patch management vendor Lumension Security, is most concerned about the Office and Internet Explorer flaws addressed in several critical bulletins. Attackers have shown in recent years that they'd rather target applications than go directly for the throat of the operating system, he said.
“More and more critical flaws are affecting the application layer and so that's what the attackers are focusing on,” he said. “That said, IT professionals should make the Office and IE patches their top priority.”
Critical bulletins summarised: Six of this month's security updates fix critical vulnerabilities in Windows, Office, Visual Basic and Internet Explorer:
MS08-007 addresses a flaw attackers could exploit in the Windows WebDAV mini-redirector to hijack targeted machines and install programs; view, change, or delete data; or create new accounts with full user rights. Microsoft said this is a critical security update for all supported editions of Windows XP and Windows Vista and an important security update for all supported editions of Windows Server 2003. The update modifies how the mini-redirector handles long path names.
MS08-008 addresses a Windows flaw attackers could exploit by tricking the user into viewing a specially crafted Web page. The flaw lies within the operating system's Object Linking and Embedding (OLE) Automation component. Microsoft said this is a critical security update for all supported editions of Windows 2000, Windows XP, Windows Vista, Microsoft Office 2004 for Mac, and Visual Basic 6. Microsoft addressed the problem by adding a check on memory requests within OLE Automation.
MS08-009 addresses a flaw attackers could exploit in Microsoft Word to run malicious code if a user opens a specially crafted Word file. Microsoft said this is a critical security update for supported editions of Microsoft Office 2000 and an important security update for Microsoft Office XP, Microsoft Office 2003, and Microsoft Office Word Viewer 2003. The update addresses the problem by modifying how Word handles specially crafted files.
MS08-010 is a cumulative update for Internet Explorer, fixing several flaws attackers could exploit to run malicious code on targeted machines when the user views a specially crafted Web page using the browser. Microsoft addressed the problem by modifying how Internet Explorer handles HTML and validates data, and by setting the kill bit for an ActiveX control.
MS08-012 addresses two Microsoft Office Publisher flaws an attacker could exploit to run malicious code on targeted machines when the user opens a specially crafted Publisher file. Microsoft said this is a critical update for Office Publisher 2000 and an important update for Office Publisher 2002 and Office Publisher 2003 Service Pack 2. The security update fixes the problem by modifying how Office Publisher handles specially crafted files.
MS08-013 addresses a Microsoft Office flaw attackers could exploit to run malicious code on targeted machines when the user opens an Office file with a malformed object inserted into the document. Microsoft said this is a critical security update for all supported editions of Microsoft Office 2000 and an important security update for Microsoft Office XP, Microsoft Office 2003 and Microsoft Office 2004 for Mac. Microsoft fixed the problem by modifying how Office loads documents with inserted objects.
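The kill bit that MS08-010 sets for an ActiveX control is a registry flag, and administrators can verify it, or set it themselves for a control they want blocked, without waiting on the cumulative update. The following PowerShell script is an added example for this article, not Microsoft's own tooling; the CLSID it uses is a placeholder, since the bulletin summary above does not name the control, and the example assumes the standard kill-bit location, the Compatibility Flags value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, where bit 0x400 means "never load this control in Internet Explorer".

```powershell
# Added example: inspect and set the Internet Explorer ActiveX kill bit.
# Run from an elevated PowerShell prompt; Set-KillBit writes to HKLM.

$KillBitFlag = 0x400   # Compatibility Flags bit that marks a control as killed

function Get-KillBitKeyPath {
    param([Parameter(Mandatory)][string]$Clsid)
    # Normalise to the braced, upper-case form IE uses for the subkey name.
    $guid = [guid]$Clsid
    return "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{$($guid.ToString().ToUpper())}"
}

function Test-KillBit {
    # Returns $true when the kill bit is set for the given CLSID, $false otherwise.
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Get-KillBitKeyPath -Clsid $Clsid
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

function Set-KillBit {
    # Sets the kill bit while preserving any other Compatibility Flags bits already present.
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Get-KillBitKeyPath -Clsid $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    New-ItemProperty -Path $path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($existing -bor $KillBitFlag) -Force | Out-Null
}

# Placeholder CLSID for demonstration only; substitute the CLSID named in the bulletin.
$exampleClsid = '{00000000-0000-0000-0000-000000000000}'

if (Test-KillBit -Clsid $exampleClsid) {
    Write-Host "Kill bit already set for $exampleClsid"
} else {
    Write-Host "Kill bit not set for $exampleClsid; setting it now"
    Set-KillBit -Clsid $exampleClsid
    Write-Host ("Verified: {0}" -f (Test-KillBit -Clsid $exampleClsid))
}
```

Note that the kill bit only stops Internet Explorer from instantiating the control; it does not remove the vulnerable binary from the system, so the cumulative update is still required, and it applies per machine, so in an enterprise the same value is normally deployed through Group Policy Preferences or a login script rather than by hand.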