Microsoft fixes 26 flaws with 11 patches; six are critical
Updates affect Microsoft Office suite and individual applications as well as Internet Explorer.
Microsoft on Tuesday released its August 2008 security bulletin. Bulletins rated "critical" concern Microsoft Access 2003 and earlier; Microsoft Word 2002 and 2003; Microsoft Excel; and Microsoft Office 2000, Microsoft Office XP and Microsoft Office 2003. A cumulative patch for Internet Explorer also is rated critical.
"Important" bulletins affect Windows Internet Protocol Security (IPsec); Outlook Express and Windows Mail; Microsoft Windows Event System; Windows Messenger; and Microsoft PowerPoint. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Titled "Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (955617)." This bulletin affects Snapshot Viewer for Microsoft Access and for supported versions of Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003. This update addresses the vulnerability in CVE-2008-2463. Microsoft says that "an attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user."
Titled "Vulnerability in Microsoft Word Could Allow Remote Code Execution (955048)." This bulletin only affects users of Microsoft Word 2002 and Microsoft Word 2003. The update addresses vulnerability detailed in CVE-2008-2244. Microsoft says that "an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Titled "Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (954066)." This bulletin affects users of Microsoft Office Excel 2000 Service Pack 3 and rated Important for Excel 2002 Service Pack 3, Excel 2003 Service Pack 2, Excel 2003 Service Pack 3, Excel Viewer 2003, Excel Viewer 2003 Service Pack 3, Excel 2007, Excel 2007 Service Pack 1, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1, Microsoft Office Excel Viewer, and Microsoft Office SharePoint Server 2007. The update addresses the issues detailed in CVE-2008-3003, CVE-2008-3004, CVE-2008-3005, CVE-2008-3006. Microsoft says that "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Titled "Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (924090)." This bulletin affects Microsoft Office 2000, and is "important" for supported editions of Microsoft Office XP, Microsoft Office 2003 Service Pack 2, Microsoft Project 2002 Service Pack 1, Microsoft Office Converter Pack, and Microsoft Works 8. This update addresses the vulnerabilities detailed in CVE-2008-3018, CVE-2008-3019, CVE-2008-3021, CVE-2008-3022, and CVE 2008-3460. Microsoft says these vulnerabilities could allow remote code execution if a user views a specially crafted image file when using Microsoft Office.
Titled " Cumulative Security Update for Internet Explorer (953838)." This bulletin affects users of all supported releases of Internet Explorer. This update addresses the vulnerabilities detailed in CVE-2008-2254, CVE-2008-2255, CVE-2008-2256, CVE-2008-2257, CVE-2008-2258, and CVE-2008-2259. Microsoft says all of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.
Titled " Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (952954)." This bulletin affects users of Microsoft Windows 2000, Windows XP, and Windows Server 2003. This update addresses the vulnerability detailed in CVE-2008-2245. Microsoft says a vulnerability in the Microsoft Image Color Management (ICM) system could allow remote code execution in the context of the current user. "If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Titled " Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733)." This bulletin affects all supported versions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-2246. Microsoft says the vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text, disclosing information intended to be encrypted on the network. An attacker viewing the traffic on the network would be able to view and possibly modify the traffic. According to Microsoft: "Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system or network."
Titled "Security Update for Outlook Express and Windows Mail (951066)." This bulletin affects Windows XP and Windows Vista and is rated "low" for supported editions of Windows Server 2003 and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1448. Microsoft says this vulnerability could allow information disclosure if a user visits a specially crafted Web page using Internet Explorer.
Titled "Vulnerabilities in Event System Could Allow Remote Code Execution (950974)." This bulletin affects Windows 2000, Windows XP, Windows Server 2003, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1456 and CVE-2008-1457. Microsoft says that "an attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."
Titled "Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)" This bulletin affects Windows Messenger 4.7 and Windows Messenger 5.1 and rated Important for all supported editions of Microsoft Windows 2000 and Windows XP, and Moderate for all supported versions of Windows Server 2003. This update addresses the vulnerability detailed in CVE-2008-0028. Microsoft says that "as a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user. An attacker could change state, get contact information, and initiate audio and video chat sessions without the knowledge of the logged-on user. An attacker could also capture the user's logon ID and remotely log on to the user's Messenger client impersonating that user."
Titled "Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (949785)." This bulletin affects Microsoft Office PowerPoint 2000 and is rated "important" for supported editions of Microsoft Office PowerPoint 2002, Microsoft Office PowerPoint 2003, Microsoft Office PowerPoint 2007, Microsoft Office PowerPoint Viewer 2003, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac. This update addresses the vulnerability detailed in CVE-2008-0120, CVE-2008-0121, and CVE-2008-1455. Microsoft says an attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system: "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."