Monster Patch Tuesday Yields 11 Fixes for 17 Flaws
Published: February 13, 2008
by Alex Woodie
Windows administrators' love lives may have to be put on hold this week as a monstrous Patch Tuesday wave of security fixes threatens to consume their Valentine's Day. Microsoft released 11 patches addressing 17 security vulnerabilities yesterday, including seven critical patches for a range of remote code execution problems. A handful of Office flaws, new problems in IE, and two new denial of service attacks combine to make February's Patch Tuesday the biggest one in a year.
If the idea of cuddling up all night with a server or workstation appeals to you, you're going to be in hog heaven this week, according to Paul Zimski, senior director of market strategy at Lumension Security.
"This month's patches are going to require a great deal of man hours for IT admins, from determining what is affected to the testing and deployment processes," he says. "IT administrators might be spending this Valentine's Day in the office."
Zimski says the size and scope of the fixes threaten to overwhelm Windows shops. "Because so many critical patches affect so many applications," he says, "these are widespread enough to have a bigger effect than we've seen in a year and they are going to require the utmost attention and energy." If there's one positive aspect to yesterday's tidal wave of patches, it's that there's only one so-called "zero-day" flaw that's already being exploited, and it's not a critical flaw.
Let's start the fun with the critical patches first. MS08-007 addresses a critical vulnerability in the WebDAV protocol that could allow an attacker to gain full control over a computer running any recent version of Windows. The specific flaw, called the WebDAV Mini-Redirector vulnerability, was found by the COSEINC Vulnerability Research Lab of Singapore.
Another remote code execution vulnerability is fixed with MS08-008. This patch addresses the OLE Heap Overrun flaw, which is present in all recent versions of Windows except Windows Vista SP1 and Windows Server 2008. Microsoft says this flaw was discovered by Ryan Smith and Alex Wheeler of IBM's ISS X-Force subsidiary.
MS08-009 fixes a critical flaw in several versions of MS-Word that could give an attacker complete control of an affected system. This flaw, which could be exploited over e-mail and the Web, affects Word 2000, Word XP, Word 2003, and Word Viewer 2003, but doesn't affect more recent versions of the program. It was discovered by Rubén Santamarta, a European security researcher with reversemode.com, Microsoft says.
Four critical remote code execution flaws in Internet Explorer are fixed with MS08-010, which is being distributed as a cumulative security update for the Web browser. The flaws--which include the HTML Rendering Memory Corruption Vulnerability, the Property Memory Corruption Vulnerability, the Argument Handling Memory Corruption Vulnerability, and the ActiveX Object Memory Corruption Vulnerability--affect IE versions 5, 6, and 7 running across all recent versions of Windows, although Windows Server 2003's default settings will protect users from two of the vulnerabilities. The ActiveX flaw is being actively exploited, but none of the others are, according to Microsoft. Security researchers with several organizations, including Security Objectives, Tipping Point, the Zero Day Initiative, VeriSign iDefense VCP, and ADLABS were credited with bringing the problems to Microsoft's attention.
Two remote code execution vulnerabilities in Office Publisher are fixed with MS08-012. Specially crafted Publisher files could allow an attacker to gain full control over an affected system running the 2000, XP, and 2003 versions of Publisher. Microsoft says neither flaw is being exploited, and credits Fortinet Security Research with reporting the flaws.
Yet more critical security flaws in Office were revealed with MS08-013, which fixes the Office Execution Jump remote code execution vulnerability in Office 2000, Office XP, Office 2003, and Office 2004 for Mac. This flaw could enable an attacker to gain complete control of an affected system when a malformed Office file is opened. It's not being exploited, according to Microsoft, which credits Shaun Colley of NGSSoftware with reporting the problem.
Important Fixes
Microsoft lumped two denial of service (DOS) attacks into the important category this month. One of these patches, MS08-003, fixes a problem in the LDAP implementation in Active Directory running on Microsoft Windows 2000 Server, Windows Server 2003, and Windows XP. The flaw is most dangerous on Windows 2000 Server, where it garnered an "important" rating. The flaw, which was reported by Thomas Garnier of the U.S.-French security researcher SkyRecon Systems, was only given a "moderate" rating on the other operating systems.
Tyler Reguly, a security researcher with nCircle, called MS08-003 "this month's monster patch." Although it is "only" a DOS vulnerability, "the impact on availability of server and client resources could be extremely widespread in enterprise networks," Reguly warned.
Another DOS flaw was fixed with MS08-004. A problem in the TCP/IP services in Windows Vista could allow an attacker to launch a DOS attack against a victim over the Internet. Microsoft says this flaw was reported by Whitestein Technologies.
Reguly rates MS08-004 as critical because it could lead to a rogue DHCP server leaving a large number of Vista workstations unavailable. "With the large scale Vista conversions underway, this is of particular concern for large enterprises," he states.
The fun continues with MS08-005, which fixes an "important" elevation of privilege problem in the Internet Information Services (IIS) Web server that could compromise all versions of Windows (except the latest Vista SP1 and Windows Server 2008 releases). Microsoft says the flaw, known as the File Change Notification vulnerability, is not being exploited.
Another problem with IIS was reported with MS08-006, which fixes a remote code execution vulnerability that afflicts all versions of Windows XP and Windows Server 2003. This flaw, which has to do with how IIS serves ASP Web pages, is not being exploited, the company says.
Three security flaws in the Microsoft Works file converter were fixed with MS08-011. Problems with validating section length headers, index tables, and field lengths could allow an attacker to take over an affected computer. The problems, which only exist in Office 2003, Works 8.0, and Works Suite 2005, are not being exploited, and were discovered by VeriSign's iDefense team and IBM's ISS X-Force team.