| COLUMN |
Inside MSRC: Microsoft addresses critical Snapshot Viewer flaw |
 |
 |
|
By Bill Sisk
12 Aug 2008 | SearchSecurity.com
|
|
In this month's column, I want to focus on key areas so that you can make quick threat assessments and devise your deployment strategies accordingly. I will discuss the severity ratings and products affected. With some, I will go into more depth to cover important issues.
|
|
|
|
|
There was an issue found at the 11th hour that did not meet our quality bar for broad distribution.
Bill Sisk,
response communication manager, Microsoft Security Response Center (MSRC)
|
|
|
|
|
|
|
|
|
|
Keep in mind that I will prioritize based on Microsoft's rating system. However, our rating system only serves as a framework for you to make assessments, not a de facto recipe for you to follow to the letter. What may be rated as Important by us may be a top priority for your unique environment, and what we rate as Critical may not be a priority for you. I have conferred with hundreds of customers regarding risk assessment and deployment strategies, and they have confirmed this reality. I will touch on this a bit more at the end of the column, but first, let's take a look at what we have this month.
The August bulletin release is comprised of 11 security bulletins, six with a cumulative rating of Critical and five with the cumulative ratting of Important.
You may recall in the Advanced Notification Service (ANS) we noted a total of 12 security bulletins releasing this month. The Media Player Bulletin was pulled from the August release. There was an issue found at the 11th hour that did not meet our quality bar for broad distribution. While we regret having to pull this update from the line-up, we are committed to releasing only the high-quality updates that our customers expect.
MS08-041
This bulletin, rated Critical, addresses a publicly exploited remote code execution vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access, and is related to Microsoft Security Advisory (955179). The Snapshot Viewer provides the ability to view an Access report without having Microsoft Access installed. The Snapshot Viewer is in all support versions of Access. However, it is not installed by default. There are several effective workarounds noted in the bulletin as a stop gap measure until the update can be applied.
There is also a downloadable, standalone version of the Snapshot Viewer for which an update is not ready to be released. Please see the bulletin for additional information.
2007 Microsoft Office System and 2007 Microsoft Office System Service Pack 1 are not vulnerable.
MS08-042
This bulletin, which is rated as Important, addresses a remote code execution vulnerability in Microsoft Word. The vulnerability can be exploited by a user opening a malicious file. However, the affected product versions prompt the user before the file is opened, and the bulletin therefore has a severity rating of Important. We first reported this vulnerability to you via Microsoft Security Advisory (953635). As a workaround, use Microsoft Office Word 2003 Viewer or Microsoft Office Word 2003 Viewer Service Pack 3 to open and view Microsoft Word files.
There are a number of product versions that are not affected, such as the 2007 Microsoft Office System and the 2007 Microsoft Office System Service Pack 1.
MS08-043
This bulletin addresses several remote code execution vulnerabilities in Microsoft Excel, with a cumulative rating of Critical. Of note, only Microsoft Office Excel 2000 Service Pack 3 is rated as Critical. All other supported versions are rated as Important.
Microsoft SharePoint services are also affected, because Excel Services in Microsoft Office SharePoint Server uses code that is based on the vulnerable Excel client. See the bulletin for comprehensive details.
MS08-044
This bulletin addresses several remote code execution vulnerabilities in Microsoft Office Filters with a cumulative severity rating of Critical. However, only Microsoft Office 2000 Service Pack 3 is rated as Critical. This rating for Office 2000 can be mitigated if the Office Document Open Confirmation Tool for Office 2000 is installed. With this tool installed, users will be prompted with Open, Save or Cancel before opening a document. In addition, there are several workarounds detailed in the bulletin.
MS08-045
This bulletin is pretty straightforward — it addresses several vulnerabilities rated as Critical in Internet Explorer, of which one has been publically disclosed (CVE-2008-2259). The vulnerabilities can be exploited by a user viewing a malicious webpage.
MS08-046
This bulletin addresses a remote code execution vulnerability, rated as Critical, in the Microsoft Windows Image Color Management System. The vulnerability could allow remote code execution if a user opens a specially crafted image file. This threat of exploitation can be mitigated by turning off metafile processing by modifying the registry. However, Microsoft Security Update MS07-017 must be applied before this registry setting can be changed.
MS08-047
This bulletin addresses an information disclosure vulnerability in IPsec that is rated as Important. An attacker would need administrator privileges or depend on an Administrator unknowingly misconfiguring an IPsec rule set, causing information to be transmitted in the clear. Needless to say, the attacker would need to monitor network traffic.
,p>As a side note, this bulletin is a good example of where our rating of Important may be a higher priority for your environment, especially if you are in a high-security environment that heavily depends on IPsec.
MS08-048
This security update addresses a vulnerability in Outlook Express and Windows Mail with a cumulative rating of Important that could allow for information disclosure. Please see the bulletin for more details regarding ratings, since some systems have a severity rating of Low.
MS08-049
This bulletin, rated as Important, addresses vulnerabilities in Microsoft Windows Event System that could allow remote code execution. An attacker must have valid logon credentials to the vulnerable system to exploit this vulnerability. There are workarounds you can employ, should you need them, while you plan and work through testing and deployment planning.
MS08-050
This security update addresses a publicly disclosed, information disclosure vulnerability in Windows Messenger and is rated as Important. Office Communicator is not affected by this vulnerability. In addition, Windows Vista and Windows 2008 systems are not affected.
MS08-051
This security update, which is rated as Critical, addresses a remote code execution vulnerability in Microsoft PowerPoint. Only Microsoft Office 2000 Service Pack 3 is rated as Critical. This rating for Office 2000 can be mitigated if the Office Document Open Confirmation Tool for Office 2000 is installed. With this tool installed, users will be prompted with Open, Save or Cancel before opening a document.
New Security Initiatives Announced
On a final, more personal note, I attended this year's Black Hat USA 2008 conference. If you were there or were keeping tabs on what's what in the security world, you know that we announced some new initiatives to help protect customers by helping making the security ecosystem at large more safe.
In the time leading up to Black Hat a lot of passionate folks worked arduously to bring these initiatives to fruition — inexhaustible, passionate folks that really care about protecting customers. These new initiatives are an outward reflection of all the hard work that has been done to secure our customers and the security ecosystem at large. Check out what's been brewing. One of the initiatives introduces an additional data set to aid in your risk assessments.
Also, please take a moment and register for our regular monthly security bulletin Webcast, which will be held on Wednesday, Aug. 13, at 11 a.m. PDT.
Christopher Budd and Adrian Stone will review information about each bulletin to further aid in your planning and deployment. Immediately following the review session, they will answer your questions with information from our assembled panel of experts. If you aren't able to view the live webcast, it will also be available on-demand.
Please take a moment and mark your calendars for the September 2008 monthly bulletin. The release is scheduled for Sept. 9 and the advance notification is scheduled for Thursday, Sept. 4. Look for the September edition of this column on release day with information to help you with your planning and deployment of the most recent security bulletins.
|
