
Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly heavy month as Microsoft is releasing 11 bulletins that cover a total of 17 vulnerabilities.



All the critical issues (10 in total) require some sort of user interaction to trigger an exploit. This can include following a link, viewing a Web page, or opening a malicious file. We have seen all of these types of issues before, so nothing new or overly exciting here. But the sheer number of critical issues being addressed this month should grab your attention. While Windows Vista is affected by only a couple of the issues, all versions of Windows are affected by at least some of the issues.



Several components of Office are affected (Office, Publisher, and Word). Microsoft is releasing a cumulative update for Internet Explorer that will cover four issues (three new issues and one update, the only update among all 17 vulnerabilities). The remaining issues affect OLE and WebDAV Mini-Redirector.



The WebDAV Mini-Redirector vulnerability has the potential to be the worst of the bunch, as the vulnerable component runs with SYSTEM privileges. Following the security best practice of using an account with the least amount of privileges will therefore have no effect on this issue.



Microsoft’s summary of the February releases can be found here:

http://www.microsoft.com/technet/security/bulletin/ms08-feb.mspx





1. MS08-007 Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (KB940026)



CVE-2008-0080 (BID 27670) Microsoft Windows WebDAV Mini-Redirector Heap Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.8/10)



A remote code-execution vulnerability affects WebDAV Mini-Redirector when handling responses. To exploit this issue, an attacker must trick a victim into visiting an attacker-controlled server and viewing malicious WebDAV components. A computer is affected only if the WebClient service is enabled on it. By default, this service is not enabled on Windows Server 2003. A successful exploit will result in the execution of attacker-supplied code with SYSTEM-level privileges.
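Because exposure to CVE-2008-0080 depends on the WebClient service, a quick local check of the service state and of the KB940026 update is useful when triaging hosts. The following PowerShell is an added example, not part of the original post; the function name and the status labels are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): report whether the WebClient
# service named in MS08-007 can run on this host and whether KB940026 is listed.
# Get-WebClientExposure and its status labels are hypothetical names.
function Get-WebClientExposure {
    # Win32_Service exposes both the current state and the configured start mode.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"

    if (-not $svc) {
        $status = 'NotInstalled'
    } elseif ($svc.State -eq 'Running') {
        $status = 'Running'
    } elseif ($svc.StartMode -eq 'Disabled') {
        $status = 'Disabled'
    } else {
        # Manual or automatic start: stopped now, but able to start later.
        $status = 'StoppedButStartable'
    }

    # Get-HotFix only sees updates recorded in Win32_QuickFixEngineering, so a
    # later cumulative or superseding update will not appear under this KB id.
    $patched = [bool](Get-HotFix -Id 'KB940026' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        WebClient      = $status
        StartMode      = if ($svc) { $svc.StartMode } else { $null }
        KB940026       = $patched
        NeedsAttention = ($status -in 'Running', 'StoppedButStartable') -and -not $patched
    }
}

Get-WebClientExposure | Format-List
```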





2. MS08-010 Cumulative Security Update for Internet Explorer (KB944533)



CVE-2008-0076 (BID 27668) Microsoft Internet Explorer HTML Rendering Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)



A client-side remote code-execution vulnerability affects Internet Explorer when interpreting HTML with certain layout combinations. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the currently logged in user.



CVE-2008-0077 (BID 27666) Microsoft Internet Explorer Property Method Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)



A client-side remote code-execution vulnerability affects Internet Explorer when handling a property method. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the currently logged in user.



CVE-2008-0078 (BID 27689) Microsoft Internet Explorer Argument Handling Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)



A client-side remote code-execution vulnerability affects Internet Explorer when handling argument validation in image processing. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the currently logged in user.



CVE-2007-4790 (BID 25571) Microsoft Visual FoxPro FPOLE.OCX ActiveX Control Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 8.5/10)



This is a previously reported buffer-overflow vulnerability affecting the ‘FoxDoCmd()’ method of the ‘FPOLE.OCX’ ActiveX control. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the currently logged in user.





3. MS08-009 Vulnerability in Microsoft Word Could Allow Remote Code Execution (KB947077)



CVE-2008-0109 (BID 27656) Microsoft Word Unspecified Memory Corruption Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)



A client-side remote code-execution vulnerability affects Microsoft Word due to a memory calculation error when handling specially crafted Word files. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged in user.





4. MS08-012 Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (KB947085)



CVE-2008-0102 (BID 27739) Microsoft Publisher Invalid Memory Reference Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)



A client-side remote code-execution vulnerability affects Publisher because of a failure to adequately clear out memory resources when loading files to memory. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged in user.



CVE-2008-0104 (BID 27740) Microsoft Publisher Memory Index Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)



A client-side remote code-execution vulnerability affects Publisher due to a failure to properly validate memory index values. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged in user.





5. MS08-013 Vulnerability in Microsoft Office Could Allow Remote Code Execution (KB947108)



CVE-2008-0103 (BID 27738) Microsoft Office Execution Jump Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)



A client-side remote code-execution vulnerability affects Microsoft Office when handling a specially crafted Office document with a malformed object inserted into it. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged in user.





6. MS08-008 Vulnerability in OLE Automation Could Allow Remote Code Execution (KB947890)



CVE-2007-0065 (BID 27661) Microsoft Object Linking and Embedding (OLE) Automation Heap Based Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating: 7.1/10)



A client-side remote code-execution vulnerability affects Object Linking and Embedding (OLE) automation when handling specially crafted script requests. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged in user.





7. MS08-006 Vulnerability in Internet Information Services Could Allow Remote Code Execution (KB942830)



CVE-2008-0075 (BID 27676) Microsoft Internet Information Services ASP Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.5/10)



A remote code-execution vulnerability affects Internet Information Services (IIS) due to how the application handles ASP pages. An attacker must have the ability to upload an arbitrary ASP page to a vulnerable server, or locate a site that performs certain actions on user-supplied input, to exploit this issue. A successful attack will result in the execution of arbitrary attacker-supplied code with the same rights as the Worker Process Identity (WPI).





8. MS08-005 Vulnerability in Internet Information Services Could Allow Elevation of Privilege (KB942831)



CVE-2008-0074 (BID 27101) Microsoft IIS File Change Notification Local Privilege Escalation Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.6/10)



A local privilege-escalation vulnerability affects Internet Information Services (IIS) when handling file change notifications in the ‘FTPRoot’, ‘NNTPFileRoot’, and ‘WWWRoot’ directories. An attacker must have the ability to write to at least one of those directories to exploit this issue. A successful attack will result in the execution of arbitrary code in the context of local system. This could facilitate a complete compromise of the affected computer.
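Since exploitation of CVE-2008-0074 requires write access to one of those directories, reviewing their ACLs shows which accounts meet that precondition. The following PowerShell is an added example, not part of the original post; the function name, the default paths, and the list of trusted identities are assumptions to adjust for the server under review.

```powershell
# Added example (not from the original post): list identities, outside an
# expected baseline, that are allowed to write to the IIS content roots.
function Find-WritableContentRoot {
    param(
        # Assumed default locations; pass the real FTPRoot, NNTPFileRoot and
        # WWWRoot paths configured on the server being reviewed.
        [string[]]$Path = @(
            "$env:SystemDrive\Inetpub\ftproot",
            "$env:SystemDrive\Inetpub\nntpfile\root",
            "$env:SystemDrive\Inetpub\wwwroot"
        ),
        # Identities expected to hold write access (assumed baseline).
        [string[]]$Trusted = @(
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
        )
    )

    # WriteData (0x2), AppendData (0x4), plus raw GENERIC_WRITE (0x40000000)
    # and GENERIC_ALL (0x10000000), which can appear on inherit-only entries.
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }

        foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
            $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0

            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                $Trusted -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $p
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-WritableContentRoot | Format-Table -AutoSize
```

An empty result means only the baseline identities can write to the directories that exist; any row returned is an account that satisfies the write precondition described above.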





9. MS08-004 Vulnerability in Windows TCP/IP Could Allow Denial of Service (KB946456)



CVE-2008-0084 (BID 27634) Microsoft Windows Vista DHCP Remote Denial Of Service Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)



A remote denial-of-service vulnerability affects TCP/IP processing in Windows Vista. An attacker can exploit this issue by creating a malicious DHCP server that returns a specially crafted packet to a vulnerable computer. A successful attack will cause the affected computer to crash.





10. MS08-003 Vulnerability in Active Directory Could Allow Denial of Service (KB946538)



CVE-2008-0088 (BID 27638) Microsoft Windows Active Directory LDAP Request Validation Remote Denial Of Service Vulnerability (MS Rating: Important / Symantec Urgency Rating: 6.4/10)



A remote denial-of-service vulnerability affects Active Directory and Active Directory Application Mode (ADAM) when handling malformed LDAP requests. An attacker can exploit this issue by sending a specially crafted request to the vulnerable server. A successful attack will result in the server becoming unresponsive to subsequent requests.





11. MS08-011 Vulnerabilities in Microsoft Office Works Converter Could Allow Remote Code Execution (KB947081)



CVE-2007-0216 (BID 27657) Microsoft Works File Converter Section Length Header Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)



A client-side remote code-execution vulnerability affects Microsoft Works File Converter due to improper validation of section length headers in ‘.wps’ files. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged in user.



CVE-2008-0105 (BID 27658) Microsoft Works File Converter Section Header Index Table Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)



A client-side remote code-execution vulnerability affects Microsoft Works File Converter due to improper validation of section header index table information in ‘.wps’ files. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged in user.



CVE-2008-0108 (BID 27659) Microsoft Works File Converter Field Length Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating: 7.1/10)



A client-side remote code-execution vulnerability affects Microsoft Works File Converter due to improper validation of field length information in ‘.wps’ files. A successful attack will result in the execution of attacker-supplied code in the context of the currently logged in user.



More information on this and other vulnerabilities is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

