By Thomas Claburn
February 12, 2008
Microsoft (NSDQ: MSFT) on Tuesday released 11 Security Bulletins that
address 17 potential vulnerabilities.
Six of the Security Bulletins are rated critical; five are rated
important. Microsoft did not include a fix for a JScript vulnerability
that the company mentioned in its pre-patch guidance last week.
The affected software includes WebDAV Mini-Redirector, Object Linking
and Embedding (OLE) Automation, Microsoft Word, Internet Explorer,
Microsoft Office Publisher, and Microsoft Office. The OLE and Word
vulnerabilities affect both Microsoft's Windows and Mac customers.
Components with vulnerabilities rated important include Active
Directory/Active Directory Application Mode, Transmission Control
Protocol/Internet Protocol (TCP/IP), Internet Information Services
(IIS), and Microsoft Works File Converter.
Symantec senior research manager Ben Greenbaum observed that Tuesday's
round of fixes points to the increasing use of trusted sites to
distribute malware. "While the batch of critical vulnerabilities all
require some sort of user interaction to exploit, the interaction can be
as simple as visiting a trusted Web site that has first been exploited
by an attacker," he said in an e-mail. "As consumers and enterprises
become more savvy to security risks, attackers are leveraging
alternative means to distribute malware through these trusted sites in
addition to distributing via an attachment or random link in an e-mail."
"Six of the eleven are client-side vulnerabilities," said Eric Schultze,
chief technology officer of Shavlik Technologies. "So if I open a
malicious document or visit a malicious Web site, then I'm hacked. Those
are always less interesting for me if I'm the attacker because I have to
wait for someone to visit my site or open my document."
Security bulletins MS08-005 and MS08-006 relate to Microsoft's IIS Web
server, and Schultze says that taken together, these two vulnerabilities
are more significant than Microsoft suggests. "Microsoft rates them
important; I rate them critical," he said. "They allow me as the
attacker to break onto your Web server and take complete control of it."
Don Leatham, director of solutions and strategy at Lumension, said the
Internet Explorer fix should be dealt with immediately. "We're
definitely encouraging our customers to get MS08-010 out as soon as
possible," he said. "That looks like the one that has the most downside
if some exploits were to come out quickly. It affects IE6 and IE7, which
covers a lot of the browsers being used in a lot of organizations."
"It was a surprise seeing such a large release on the heels of such a
small release in January," said Jonathan Bitle, director of technical
account management for Qualys. "After last month, people had a nice
break. This just highlights the fact that organizations really can't
rest in terms of security."
Indeed, the absence of any fix for a high-profile Excel vulnerability
suggests that even the most up-to-date systems will continue to have