December 2008 patch day

Microsoft has released 8 security bulletins today, 6 of which are rated Critical. However, it’s the non-Critical patches that are more interesting this month – we’ll get to those in a minute.

The first 5 bulletins are all ‘client-side’ vulnerabilities. This means a user’s computer can be exploited if they visit an evil website or open a malicious document. Applications which are vulnerable to this evil content include: ActiveX controls (part of your browser), graphic images (hosted on websites or in documents), Word, Outlook, Excel, and Internet Explorer. In most cases, the new patches replace older security patches released earlier in 2008.

The 6th bulletin (MS08-075) is specific to Windows Vista and Windows Server 2008, and is a variant of an attack that was discussed and patched in July of 2008. In this case, saving and executing an evil Windows search file can lead to your system being compromised. Not many people typically do this, so I consider this low risk. Why Microsoft didn’t catch this variant back in July, I’ll never know.

The 7th bulletin released this month (MS08-076) is very interesting and is closely related to a security patch from last month – MS08-068. This new flaw enables attackers to gain access to your computer password and allows them to remotely access your system without your knowledge. This can happen if you click on an evil URL related to Windows Media items (typically audio and/or video clips). In this scenario, when a user clicks on an evil link, their password, or representations of their password, are sent to an evil server where the attacker can replay these credentials to log back on to the user’s computer. It’s similar to the 08-068 attack (credential replay), but uses different communication mechanisms to log on to the computers. Microsoft says that Windows Media Player doesn’t play by the same rules as the Operating System, and that’s why this issue wasn’t fixed in the November patch release. This issue could become very serious if attackers figure out how to create the evil URLs. I’d get this one patched right away (even though Microsoft only rates this as Important).

The last bulletin for this month (MS08-077) relates to SharePoint 2008 and Search Server 2008. A flaw exists in the security controls of these applications that might allow users to access parts of the SharePoint or Search servers and execute some administrative tasks. These tasks, while not allowing users direct access to protected information, could cause the server to stop responding to legitimate requests, or could provide additional information to attackers, such as email addresses of the users on the system.

I’d recommend patching MS08-076, as well as MS08-070 through 75, as soon as possible. Corporations and hosting services that use SharePoint 2007 should install MS08-077 as soon as they can.

