Information Security News: Microsoft's Patch Tuesday Includes 11 Security Bulletins

[InfoSec News <alerts () infosecnews org>]

http://www.informationweek.com/news/showArticle.jhtml?articleID=206502000

By Thomas Claburn
InformationWeek
February 12, 2008 

Microsoft (NSDQ: MSFT) on Tuesday released 11 Security Bulletins that 
address 17 potential vulnerabilities.

Six of the Security Bulletins are rated critical; five are rated 
important. Microsoft did not include a fix for a JScript vulnerability 
that the company mentioned in its pre-patch guidance last week.

The affected software includes WebDAV Mini-Redirector, Object Linking 
and Embedding (OLE) Automation, Microsoft Word, Internet Explorer, 
Microsoft Office Publisher, and Microsoft Office. The OLE and Word 
vulnerabilities affect both Microsoft's Windows and Mac customers.

Components with important vulnerabilities include Active 
Directory/Active Directory Application Mode, Transmission Control 
Protocol/Internet Protocol (TCP/IP), Internet Information Services 
(IIS), and Microsoft Works File Converter.

Symantec senior research manager Ben Greenbaum observed that Tuesday's 
round of fixes points to the increasing use of trusted sites to 
distribute malware. "While the batch of critical vulnerabilities all 
require some sort of user interaction to exploit, the interaction can be 
as simple as visiting a trusted Web site that has first been exploited 
by an attacker," he said in an e-mail. "As consumers and enterprises 
become more savvy to security risks, attackers are leveraging 
alternative means to distribute malware through these trusted sites in 
addition to distributing via an attachment or random link in an e-mail."

"Six of the eleven are client-side vulnerabilities," said Eric Schultze, 
chief technology officer of Shavlik Technologies. "So if I open a 
malicious document or visit a malicious Web site, then I'm hacked. Those 
are always less interesting for me if I'm the attacker because I have to 
wait for someone to visit my site or open my document."

Security bulletinsMS08-005 and MS08-006 relate to Microsoft's IIS Web 
server and Schultze says that taken together, these two vulnerabilities 
are more significant than Microsoft suggests. "Microsoft rates them 
important; I rate them critical," he said. "They allow me as the 
attacker to break onto your Web server and take complete control of it."

Don Leatham, director of solutions and strategy at Lumension, said the 
Internet Explorer fix should be dealt with immediately. "We're 
definitely encouraging our customers at getting MS08-010 out as soon as 
possible," he said. "That looks like the one that has the most downside 
if some exploits were to come out quickly. It affects IE6 and IE7, which 
covers a lot of the browsers being used in a lot of organizations."

"It was a surprise seeing such a large release on the heels of such a 
small release in January," said Jonathan Bitle, director of technical 
account management for Qualys. "After last month, people had a nice 
break. This just highlights the fact that organizations really can't 
rest in terms of security."

Indeed, the absence of any fix for a high-profile Excel vulnerability 
suggests than even the most up-to-date systems will continue to have 
holes.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn