Patch Tuesday Analysis for December 2008

Out of Band Patch for Zero Day IE Exploit (12/17/2008)

OK, this out-of-band patch is for real.  I recommend pushing MS08-078 to workstations and terminal servers ASAP.  This patch targets IE; exploit details have been public since last Patch Tuesday, and the flaw is showing up in actual, widespread attacks.  I think that's the most important stuff for you to know.

Patch Tuesday Analysis: Zero Day for Workstations and Other Issues (12/9/2008)

Two patches this month are both targeted at workstations and have exploit details public.

Most of the patches are workstation focused with 2 interesting exceptions. 

Workstation exploits

First, I recommend rolling out MS08-070 to all workstations and terminal servers with little or no testing, because the exploit details are public and the flaw is already being exploited in attacks; this is a zero-day exploit.  Note that almost all developer workstations are vulnerable, as well as any end-user workstations with installed applications that redistributed the VB 6 Runtime.

MS08-076 could get really bad - really quick.  On this one I agree with Eric Shultz of Shavlik - "This new flaw enables attackers to gain access to your computer password and allows them to remotely access your system without your knowledge.  This can happen if you click on an evil URL related to Windows Media items (typically audio and/or video clips).  In this scenario, when a user clicks on an evil link, their password, or representations of their password, are sent to an evil server where the attacker can replay these credentials to log back on to the user's computer.  It's similar to the 08-068 attack (credential replay), but uses different communication mechanisms to log on to the computers.  Microsoft says that Windows Media Player doesn't play by the same rules as the Operating System, and that's why this issue wasn't fixed in the November patch release. This issue could become very serious if attackers figure out how to create the evil URLs.  I'd get this one patched right away (even though Microsoft only rates this as Important)."
 
The other workstation patches, MS08-071 through MS08-075, can benefit from your normal testing at this time for workstations.
 
Server exploits
 
If you are running Office Sharepoint Server 2007 or Search Server 2008 (including Express Edition), you need to pay attention to MS08-077.  Note that Sharepoint Services 3.0 is not vulnerable to MS08-077.  If you run a web server serving up streaming content through Windows Media Services, then you need to install MS08-076 as soon as possible.

| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS08-070 (932349) | Arbitrary code / Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) | Workstations, Terminal Servers | Yes/Yes | No | Critical | Visual Basic 6.0, Visual Studio .NET 2002, Visual Studio .NET 2003, Visual FoxPro 9.0, FrontPage 2002, Project 2003, Project 2007 | Restart required | Patch ASAP |
| MS08-071 (956802) | Arbitrary code / GDI | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Win2003, Vista, Win2008, Office 2000 | Restart required | Patch after testing |
| MS08-072 (957173) | Arbitrary code / Word | Workstations, Terminal Servers | No/No | No | Critical | Office 2000, Office XP, Office 2003, Office 2007, Word Viewer, Office 2004 for Mac, Office 2008 for Mac, Comp. Pack for Office 2007, Open XML Format Converter Mac | Restart may be required | Patch after testing |
| MS08-077 (957175) | Privilege elevation / Office SharePoint Server | Sharepoint Servers | No/No | No | Important | Office Sharepoint Server 2007, Search Server 2008 | Restart may be required | Patch after testing |
| MS08-073 (958215) | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Win2003, Vista, Win2008 | Restart required | Patch after testing |
| MS08-074 (959070) | Arbitrary code / Excel | Workstations, Terminal Servers | No/No | No | Critical | Office 2000, Office XP, Office 2003, Office 2007, Office 2004 for Mac, Office 2008 for Mac, Comp. Pack for Office 2007, Open XML Format Converter Mac, Excel Viewer | Restart required | Patch after testing |
| MS08-075 (959349) | Arbitrary code / Windows Search | Workstations, Terminal Servers | No/No | No | Critical | Vista, Win2008 | Restart may be required | Patch after testing |
| MS08-076 (959807) | Arbitrary code / Windows Media Components | Workstations, Terminal Servers, Win Media Services Servers | No/No | No | Important | Win2000, XP, Win2003, Vista, Win2008 | Restart may be required | Patch servers ASAP |
| MS08-078 (960714) | Arbitrary code / IE | Workstations, Terminal Servers | Yes/Yes | No | Critical | Win2000, XP, Vista, Win2008, Server 2003, Server 2008, Web Server 2008 | None | Patch ASAP |
