Microsoft Patch Day Brings Eight Security Bulletins

Microsoft on Tuesday released eight security bulletins and one security advisory as part of its regularly scheduled patch day.

Six of the bulletins are rated "critical" and two are rated "important."

The advisory was issued to alert users that Microsoft is investigating reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2.

Windows XP Service Pack 3, Windows Vista, and Windows Server 2008 aren't affected by the advisory. The bulletins address 28 vulnerabilities in the following software: the Windows graphics device interface, Windows Search, Internet Explorer, Visual Basic 6.0 Runtime Extended Files, Word, Excel, SharePoint Server, and Windows Media Components.

Eric Schultze, CTO of Shavlik Technologies, observed in an e-mailed statement that the first five bulletins -- MS08-070 to MS08-74 -- represent client-side vulnerabilities. These could be exploited by an attacker if the user visited a malicious Web site or opened a malicious file.

MS08-075 addresses two privately reported vulnerabilities in Windows Search that could allow remote execution of malicious code if the user opens a maliciously crafted saved search file in Windows Explorer or if a the user clicks on a maliciously crafted URL.

Schultze said that MS08-075 is a variant of an attack patched in July. He said he considers it low-risk because few people save and execute a search file.

MS08-076 addresses two privately reported vulnerabilities in Windows Media Player, Windows Media Format Runtime, and Windows Media Services. The more serious of the two could allow remote code execution, but Microsoft rates this bulletin as only important because the severity of the attack is mitigated if the user doesn't have administrative rights.

If exploited, this vulnerability could be used to transmit the user's logon credentials to the attacker after the user clicked on a malicious Window Media URL.

According to Schultze, the exploit would be similar to that used to take advantage of the MS08-068 vulnerability, which was patched in November.

"Microsoft says that Windows Media Player doesn't play by the same rules as the operating system, and that's why this issue wasn't fixed in the November patch release," he said. "This issue could become very serious if attackers figure out how to create the evil URLs."

Tyler Reguly, a security research engineer with nCircle, sees MS08-077 as the most significant bulletin and believes it should be elevated from "important" to "critical." The SharePoint vulnerability, he said in an e-mailed statement, "allows an unauthenticated attacker to access administrative controls. While the successful attacker would technically elevate privilege (anonymous to administrator), this vulnerability allows access controls to be bypassed altogether. For most people, privilege escalation means elevating regular user access to administrator, which may cause administrators to patch this issue with less urgency."

Dee Liebenstein, senior director of product management for Lumension, said that all of these patches should be taken seriously. "Most of these are ranked 'highly exploitable,'" she said, referring to the exploitability index that Microsoft introduced several months ago.

She advises IT managers to install the Windows and Internet Explorer patches as soon as possible, despite the system and server restart that will be required.