Archive for September, 2008

Reflections on the September 2008 Microsoft patch release

All four security bulletins this month are rated Critical, and all four can be triggered by a user visiting a malicious website (or, in one case, listening to an audio stream from a malicious server). In other words, focus on patching your end-user machines first rather than the servers in your datacenter. Since these exploits require a user action, such as visiting a website, servers in a datacenter are less likely to be exploited because users aren't typically browsing the Internet from them.

Of the four bulletins released this month, MS08-052 is the most important one to patch first. MS08-052 covers vulnerabilities in GDI+, the graphics engine on Windows XP and later systems. GDI+ ships with the operating system, and separate copies of it are also included with Microsoft Office and Microsoft SQL Server, among other products. You may therefore need to install several of this bulletin's patches on a single system, each updating a different component's copy of the library. Unfortunately, Microsoft hasn't made it easy to determine which combination of patches a given system needs, making it likely that some systems will be left with one or more affected products unpatched. The bulletin also doesn't make clear which of its patches WSUS will deliver and which you'll need to install manually.
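One practical way to find out which products on a box carry their own GDI+ copy is to inventory every gdiplus.dll on disk with its file version. The PowerShell below is an added example, not something from the original post or from Microsoft; the search roots (the Windows directory and both Program Files trees) are an assumption, so add any other install paths your products use.

```powershell
# Added example, not from the original post. Lists every copy of gdiplus.dll
# found under the Windows directory and the Program Files trees, with its file
# version, so you can see which installed products carry their own GDI+ copy.
# The search roots are an assumption; add other product install paths as needed.
$roots = @($env:SystemRoot, $env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }

$copies = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter gdiplus.dll -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName,
                      @{ Name = 'FileVersion';   Expression = { $_.VersionInfo.FileVersion } },
                      @{ Name = 'LastWriteTime'; Expression = { $_.LastWriteTime } }
}

# One row per copy. Different versions in different directories are the
# separately patched components (Windows itself, side-by-side assemblies under
# WinSxS, Office, SQL Server and so on).
$copies | Sort-Object FileVersion, FullName | Format-Table -AutoSize

# Summary: how many distinct versions are present. Compare each against the
# file versions listed for that product in the MS08-052 bulletin.
$copies | Group-Object FileVersion | Select-Object Name, Count
```

Run it before and after applying the bulletin's updates: any directory whose gdiplus.dll version did not change is a component that still needs its own patch (or one that WSUS did not deliver).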

Bulletins MS08-053 and MS08-054 both relate to Windows Media. MS08-053 is a flawed ActiveX control shipped with Windows Media Encoder 9 that can execute code on your system if you visit a malicious website. MS08-054 can exploit your system while you're enjoying streaming audio with Windows Media Player 11 (maybe cutting edge ain't so grand?!).

Finally, MS08-055 is a flaw in URI protocol handling involving Microsoft OneNote 2007. Similar in style to the Firefox vs. Microsoft URI-handling debates of July 2007, clicking a hyperlink whose URL uses onenote:// as the protocol may cause code to execute on your machine (you must have OneNote installed to be vulnerable). Microsoft fixed the ShellExecute flaw that led to the Firefox debacle in MS07-061; however, this new onenote:// flaw is slightly different and isn't addressed by the MS07-061 patch, so you need this update as well.
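Whether a machine is exposed through onenote:// links comes down to whether a handler for that protocol is registered, and the same registry check shows every other protocol a web page can hand off to a local program. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes the standard registration layout (a key under HKEY_CLASSES_ROOT carrying a "URL Protocol" value, with the launch command under shell\open\command), and the function name Get-UrlProtocolHandler is made up here.

```powershell
# Added example, not from the original post. Enumerates the URL protocol
# handlers registered on this machine (keys under HKEY_CLASSES_ROOT that carry
# a "URL Protocol" value) and shows the command each one launches. A registered
# "onenote" protocol means a clicked onenote:// link is passed to that command,
# which is the path MS08-055 concerns; the rest of the list shows which other
# protocols a web page can reach the same way. Function name is made up here.
function Get-UrlProtocolHandler {
    param([string]$Name = '*')   # protocol name; wildcards allowed
    Get-ChildItem -Path Registry::HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Name -and
                       $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object {
            $cmdKey = "Registry::HKEY_CLASSES_ROOT\$($_.PSChildName)\shell\open\command"
            $cmd = if (Test-Path $cmdKey) { (Get-ItemProperty $cmdKey).'(default)' } else { $null }
            New-Object PSObject -Property @{
                Protocol = $_.PSChildName
                Command  = $cmd
            }
        }
}

# Is the OneNote handler present at all? If not, this box is not reachable
# through onenote:// links and MS08-055 does not apply to it.
$onenote = Get-UrlProtocolHandler -Name 'onenote'
if ($onenote) { "onenote:// is handled by: $($onenote.Command)" }
else          { 'No onenote:// handler registered (OneNote is not installed).' }

# Full inventory: every protocol a browser can hand a URL string to. Worth
# reviewing after MS07-061, since each entry is a program that receives text
# chosen by whoever wrote the web page.
Get-UrlProtocolHandler | Sort-Object Protocol | Format-Table -AutoSize
```

The command strings show where the URL text ends up (often as a %1 argument), which is the first thing to look at when judging whether a handler is a plausible target for the same kind of attack.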
