Volume 6, Number 19 -- May 14, 2008

Microsoft Patches Zero Day Flaw in Windows

Published: May 14, 2008

by Alex Woodie

Microsoft yesterday issued four security patches for its products, including one patch that fixes a critical zero day vulnerability in a Windows component that is currently being exploited on the Web. All told, Microsoft patched six flaws yesterday, including four critical flaws that attackers could use to take complete control of affected systems.

If you could only install one of yesterday's patches, you would do best by installing Security Bulletin MS08-028, which fixes the zero-day flaw in Microsoft's Jet 4.0 database engine. The flaw affects only older operating systems, including Windows 2000 SP4, Windows XP SP2, Windows XP Pro X64, Windows Server 2003 SP1, Windows Server 2003 X64, and Windows Server 2003 SP1 for Itanium. More recent service packs of Windows XP and Windows Server 2003 are not affected, and neither are Vista or Server 2008.

The Jet, or Joint Engine Technology, database is a compact database engine included in the Microsoft Data Access Components (MDAC) libraries in both client and server versions of the Windows operating systems, and the core database engine for Microsoft Access. It was often used to provide structure and integrity for Visual Basic apps, Access databases, or even Word docs and e-mails. While the Jet database engine has since been replaced with entry-level versions of SQL Server in recent versions of Windows, it's still heavily used behind the scenes in older versions of Windows.

A buffer overrun in the Jet database is being exploited by attackers who trick users into opening a malformed Word file with a Jet (.mdb) file embedded into it. This is a new attack vector, Microsoft says in its security bulletin, as Jet database files with the .mdb extension were already considered unsafe files, since the original Jet flaw was corrected way back in 2004.

Microsoft credits several groups, including CERT, the SANS Institute, and Aaron Portnoy of TippingPoint Technologies with reporting the flaw. However, these credits apparently don't include the flaw's original discoverer, according to Tyler Reguly, a security researcher for the security technology firm nCircle. Reguly took Microsoft to task for its slow reaction to patching the Jet flaw, which was first brought to users' attention in a March security advisory.

"Microsoft’s initial response to this vulnerability was that they wouldn't patch. So, the original researcher released the vulnerability," Reguly says. "Now they have released a fix but refused to acknowledge the original researcher. This response flies in the face of their constant messaging about responsible disclosure."

Other critical patches issued yesterday include Security Bulletin MS08-026. This patch fixes two remote execution flaws in Word, including the Object Parsing vulnerability, which could enable a malformed .rtf file to compromise the system via a memory calculation error, and the Word Cascading Style Sheets vulnerability, which could allow computers to be compromised over the Web. The flaws affect Word versions 2000, 2002, 2003, 2007, and Outlook 2007. Microsoft says neither flaw had been publicly disclosed before yesterday, and credits iDefense Labs, team509, and the Zero Day Initiative with reporting the flaws.

Security Bulletin MS08-027 addresses a critical vulnerability in Microsoft Publisher that could enable an attacker to take total control of a computer running any version of Office from Office XP to Office 2007. The Publisher Object Handling vulnerability can be exploited over the Web and e-mail, but had not been exploited in the wild before Tuesday, Microsoft says. Fortinet Security Research gets credit for spotting the flaw.

The final patch issued yesterday, Security Bulletin MS08-029, fixes two moderate denial of service vulnerabilities discovered in Microsoft's Malware Protection Engine. Neither of the flaws has been exploited, says Microsoft, which credits Nevis Labs with reporting the errors.

nCircle's Reguly was surprised that Microsoft decided to patch the DoS vulnerabilities in the Malware Protection Engine, saying more severe DoS problems in other products have gone unfixed in the past. "The only reason this one is being fixed is because it affects a security product," he says.




Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
