Microsoft Patch Tuesday: Six Vulnerabilities Fixed In Four Bulletins

It's Patch Tuesday, and as promised, Microsoft issued its May security fix, addressing six vulnerabilities in four bulletins.

Three of the bulletins describe critical vulnerabilities in Microsoft Word, Microsoft Publisher, and Microsoft Jet Database Engine respectively.

The fourth details a moderate vulnerability in Microsoft's Malware Protection Engine, which powers products like Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, and Microsoft Forefront Security.

All the vulnerabilities addressed this month are client-side vulnerabilities.

MS08-026 fixes two privately reported holes in Word that could have been allowed an attacker to take control of a victim's computer using a maliciously crafted Word file.

MS08-027 fixes a privately reported vulnerability in Publisher that, similarly, could have allowed an attacker to subvert a victim's computer using a maliciously crafted Publisher file.

MS08-028 repairs a publicly reported flaw in the Microsoft Jet Database Engine (4.0) in Windows. If successfully exploited, the vulnerability could allow an attacker to execute arbitrary code, mitigated by the user's administrative rights.

MS08-029 resolves two privately reported issues affecting Microsoft Malware Protection Engine that could have allowed a remote attacker to craft a malicious file that, when scanned, could have allowed the attack to conduct a denial of service attack.

In an e-mailed statement, Ben Greenbaum, senior research manager of Symantec Security Response, stressed that the buffer-overflow bug affecting the Jet Database Engine "is especially critical since there is evidence of hackers already exploiting the vulnerability. While Microsoft database (MDB) files are blocked by default in Outlook, the file can be hidden and renamed. Users may be more inclined to open a well-recognized file type than one with the less well known .mdb extension."

Jason Miller, security data team manager at Shavlik Technologies, concurs. "The biggest thing is going to be the Jet vulnerability," he said in a phone interview. "It affects a wide range of operating systems and it's also publicly known. In addition the scenario to exploit this vulnerability can be easily done."

The first way such an attack might be launched would be through a Web site that entices a victim to download a malicious .mdb file, Miller explained. Another way would be by sending someone a malicious file via e-mail. If the recipient of such a file used Outlook 2003 or 2007 with the Preview Pane active, merely previewing the file would be enough to launch the attack.

Miller also noted that Microsoft was patching its security software. "I think that's pretty important," he said. "If you're relying on security software, you want your security software to work."

While Microsoft characterizes the vulnerability in its Malware Protection Engine as moderate in severity, Miller said that the flaw could be exploited to cause Microsoft's malware scanning software to hang, leaving the affected machine unprotected in the event of a second malware salvo.