        
December's Patch Arrives, Addressing 28 Security Bugs
        
        
- By Jabulani Leffall
- December 09, 2008
December's Patch Tuesday will be a historic security update release. But it won't be because of the size and scope of the eight patches, which contain six "critical" and two "important" items. Rather, the patch will be remarkable because of the vulnerability count, weighing in at a bulky 28 bugs. Moreover, of those 28 vulnerabilities, 23 are rated as critical to fix.
This December patch addresses the largest and most wide-reaching collection of bugs since Microsoft's inception of Patch Tuesday in 2003.
"What a way to end the year, eight bulletins and a whopping 28 CVEs," said Andrew Storms, director of security at nCircle, in an e-mailed statement. "The Microsoft elves have been busy and delivered everyone plenty of work to do this holiday season. All but one of the bulletins deals with client-side applications and includes all the usual suspects: IE, Office, ActiveX and GDI." 
Additionally, in the last patch cycle of 2008, seven of the eight fixes are related to remote code execution (RCE) vulnerabilities and represent a mix of fixes for Windows operating systems as well as a bevy of Microsoft Office applications. In fact, all of the critical items are RCE related. There is one elevation of privilege consideration in the important group of patches.
Ben Greenbaum, senior research manager of Symantec Security Response, said the sheer number of vulnerabilities being patched is what grabbed his attention. Unlike some of the lighter rollouts, each exploit has the potential to be dangerous if not patched, he added. 
"While Web-based attacks seem to be the main choice for opportunistic attackers, targeted attacks are often carried out via malicious Word and Excel files attached to e-mail messages," Greenbaum said. "While both of these vectors have vulnerabilities patched by the release, the number of vulnerabilities in Word and Excel provides attackers additional means to carry out these kinds of attacks."
Critical Fixes
First up is a critical Windows fix for the Graphics Device Interface (GDI). It resolves two privately reported vulnerabilities triggered when a user opens a specially crafted Windows Metafile (WMF) image or WMF-coded document. If an attacker got through using this exploit, they could gain access rights to install, change and delete, or they could change privileges to muck up a Windows-based system. The fix addresses Microsoft Windows 2000 Service Pack 4, Windows XP, Vista, and both 2003 and 2008 editions of Windows Server.
The second critical fix covers Vista and Windows Server 2003 and 2008, and deals with  Windows search. It involves an exploit where a specially crafted and embedded  search file placed into Windows Explorer could create an opening for an RCE  incursion.
With more attacks becoming  browser-based, critical item No. 3 is a mainstay in the annual cycle of patch  releases. It's a cumulative hotfix for Internet Explorer, touching on versions of  IE ranging from IE5.1 to IE6 and IE7. The exploit takes place when a user  clicks on "evil Web pages," according to security mavens. The  applicable OS versions for this patch are Windows 2000 SP4, Windows XP, Vista, and both 2003 and 2008 editions of Windows Server. 
The fourth critical item on the  slate deals with multiple vulnerabilities. It addresses an eye-opening five  privately reported vulnerabilities, plus one publicly reported bug. The issue  lies within the ActiveX control mechanisms for several Microsoft Visual Basic  programs. The fix affects Microsoft Office FrontPage  and Microsoft Office Project. Other apps covered include Office FrontPage 2002  SP3, Office Project 2003 SP3, Office Project 2007 and Office Project 2007 SP1.
Fifth in the critical mix is a  wide-ranging hotfix for the ubiquitous word processing app Microsoft Word. The fix  addresses eight privately reported vulnerabilities in Microsoft Office  Word as well as Microsoft Office Outlook. All it takes is initializing a  corrupt Word or Rich Text Format (RTF) file and the hacker can then make short  work of an infected workstation and, by extension, the network. The patch covers several versions, such as Word 2000 SP3,  Word 2002 SP3 and each release of Word 2007. Also addressed in this fix are Word  2004 and 2008 for Mac, Office Word Viewer, PowerPoint 2007 and Word for  Microsoft Works 8.5. 
The sixth and last critical bulletin touches on three related vulnerabilities that can be triggered if a user opens up a malicious Excel file. It addresses vulnerabilities in Excel 2000 SP3, Excel 2002 SP3, Excel 2003 SP3, as well as Excel 2007. Additionally, Excel 2004 and 2008 for Mac and the Excel Viewer are covered.
Important Fixes
The No. 1 important bulletin is a cumulative update for SharePoint Server 2007 programs. This fix addresses an elevation of privilege vulnerability where a hacker could change access parameters in SharePoint, enabling further entry into a compromised system.
Microsoft specifically described  this fix as resolving a privately disclosed vulnerability. The fix lessens the  possibility of an attacker bypassing "authentication by browsing to  an administrative URL on a SharePoint site." 
"We believe that overall  attackers will start to focus their attention on SharePoint and these new collaboration  services as their deployment numbers grow and as operating systems mature and  become safer out-of-the-box," said Wolfgang  Kandek, chief technology officer at security firm Qualys.
The second important item and last  fix in the slate addresses two privately disclosed plug-in vulnerabilities in  most Windows Media Center  applications. The affected solutions include Windows 2000 Server, Windows Media  Player 6.4 for Windows 2000 Server, Windows Media Format Runtime 7.1 and 9.0  versions, as well as Windows Media Services 4.1. 
For Windows XP-based systems, the  affected solutions include Windows Media Player 6.4, Windows Media Format  Runtime 9.0, 9.5 and 11.
For Windows Server 2003-based systems, the Windows Media Center components on the slate include Windows Media Player 6.4 and Windows Media Format Runtime 9.5.
For Vista and Windows Server 2008-based systems, the fix affects Windows Media Format Runtime 11.
As an addendum to the advance bulletin, where five of the updates require restarts, it now appears that all of the patches either "will" or "may" require restarts.
IT pros who want information on general updates and other nonsecurity content can find it at this knowledgebase article. The KB article describes getting updates via Microsoft Update, Windows Update and Windows Server Update Services.

About the Author

                    Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.