Patch Tuesday Analysis for August 2008
The bad guys - or security researchers depending on how you see them - have been busy this month. As usual, most of the 11 patches deal with workstation vulnerabilities, 5 specific to Office. 4 vulnerabilities are public and 2 are currently being exploited in attacks. With MS08-050 (Windows Messenger) you might be tempted to just set the kill-bit. However, this workaround will also break remote assistance; if that matters to you, opt for the patch. 043 (Excel) is another one to pay attention to. One of its vulnerabilities deals with the fact that XLSX files continue to store remote data session passwords (e.g. ODBC connections) even after you tell Excel not to.
If you manage servers, pay attention to 047 (IPSec) if you use IP Security Policies, and definitely pay attention to 049 (EventSystem). I wish I could provide more information on the impact of disabling the EventSystem, but what I can tell you is this is not the same thing as the Event Logging Service. Per MS - "Microsoft Windows Event System is a service that manages method calls and event subscriptions between Windows and applications on the system."
Finally, if you manage security for SharePoint, check out the 043 (Excel) vulnerability, which can allow arbitrary code to run on the SharePoint server through a spreadsheet used in a web part. Complicated world, eh?
Do you use a patch management system other than WSUS? If so, let me know what you like about it and what you don't. What advantages over WSUS does it offer?
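One way to check existing workbooks for the stored-password issue described above, as an added example that is not part of the original newsletter: the script reads the `xl/connections.xml` part of an XLSX package and reports connections whose connection string still carries a password, flagging those where the `savePassword` attribute is not set. The part and attribute names come from the Open XML spreadsheet format; the `SalesDB` connection and sample workbook are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Keys that carry a credential in ODBC / OLE DB connection strings.
PASSWORD_KEY = re.compile(r"(?:^|;)\s*(?:pwd|password)\s*=", re.IGNORECASE)


def audit_xlsx(data: bytes) -> list[dict]:
    """Return one finding per data connection that embeds a password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "xl/connections.xml" not in zf.namelist():
            return []  # workbook has no external data connections
        # For workbooks from untrusted sources, parse with defusedxml instead.
        root = ET.fromstring(zf.read("xl/connections.xml"))
    findings = []
    for conn in root.findall("m:connection", NS):
        db = conn.find("m:dbPr", NS)
        conn_str = db.get("connection", "") if db is not None else ""
        if not PASSWORD_KEY.search(conn_str):
            continue
        save_flag = conn.get("savePassword", "0") in ("1", "true")
        findings.append({
            "name": conn.get("name", ""),
            "save_password_flag": save_flag,
            # Password present although the workbook says not to keep it.
            "unexpected": not save_flag,
        })  # the password value itself is deliberately not reported
    return findings


def build_sample(save_password: bool, conn_str: str) -> bytes:
    """Constructed minimal package holding only xl/connections.xml."""
    xml = (
        '<connections xmlns="%s"><connection id="1" name="SalesDB" type="1"%s>'
        '<dbPr connection="%s" command="SELECT 1"/></connection></connections>'
    ) % (NS["m"], ' savePassword="1"' if save_password else "", conn_str)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/connections.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(False, "DSN=Sales;UID=report;PWD=example-only;")
    for finding in audit_xlsx(sample):
        print(finding)
```

Findings with `unexpected` set are the ones to re-save after patching or to strip of credentials.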
Check out my new whitepaper: Filling the Gap in Exchange Auditing. The security of your Exchange infrastructure and its content is critical. But organizations have largely neglected to look at the internal risks and events that impact the availability, integrity, and confidentiality of e-mail messages and the e-mail system. And native tools for auditing non-owner mailbox access and configuration changes are lacking.
Thanks as always for reading and best wishes on security,
Randy Franklin Smith
| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MS08-044 (924090) | Arbitrary code / Office | Workstations, Terminal Servers | No/No | No | Critical | Office 2000, Office XP, Office 2003, Office Converter Pack | Multiple vulnerabilities addressed | Patch after normal testing |
| MS08-051 (949785) | Arbitrary code / Office Powerpoint | Workstations, Terminal Servers | No/No | No | Critical | Office 2000, Office XP, Office 2003, Office 2007 | None | Patch after testing |
| MS08-049 (950974) | Arbitrary code / Windows | Workstations, Terminal Servers, Servers | No/No | Yes | Important | Win2000, XP, Win2003, Vista, Win2008 | Workaround disables eventsystem; Restart Req’d | Patch after testing |
| MS08-048 (951066) | Information disclosure / Windows Outlook Express, Mail | Workstations, Terminal Servers | No/No | Yes | Important | Win2000, XP, Win2003, Vista, Win2008 | None | Patch after testing |
| MS08-046 (952944) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Win2003 | Restart Req’d | Patch after testing |
| MS08-047 (953733) | Information disclosure / Windows IPsec | Workstations, Terminal Servers, Servers | No/No | No | Important | Vista, Win2008 | Restart Req’d | Patch after testing |
| MS08-045 (953838) | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | Yes/No | No | Critical | Win2000, XP, Win2003, Vista, Win2008 | Cumulative Update addresses multiple vulnerabilities | Patch after testing |
| MS08-042 (954048) | Arbitrary code / Office | Workstations, Terminal Servers | Yes/Yes | No | Important | Office XP, Office 2003 | Word component | Patch after minimal testing |
| MS08-043 (954066) | Arbitrary code / Office | Workstations, Terminal Servers, Servers | No/No | No | Critical | Office 2000, Office XP, Office 2003, Office 2007, Office Sharepoint Server 2007 | Excel component; Multiple vulnerabilities | Patch after testing |
| MS08-041 (955617) | Arbitrary code / Office | Workstations, Terminal Servers | Yes/Yes | Yes | Critical | Office 2000, Office XP, Office 2003 | Snapshot viewer also affected | Set Kill bit for ActiveX control; Patch after normal testing |
| MS08-050 (955702) | Information disclosure / Windows Messenger | Workstations, Terminal Servers | Yes/No | Yes | Important | Win2000, XP, Win2003 | Restart Req’d | Set Kill Bit or Patch after normal testing |