Patch Tuesday Analysis for August 2008

The bad guys - or security researchers, depending on how you see them - have been busy this month. As usual, most of the 11 patches deal with workstation vulnerabilities, 5 of them specific to Office. 4 vulnerabilities are public and 2 are currently being exploited in attacks. With MS08-050 (Windows Messenger) you might be tempted to just set the kill bit. However, this workaround will also break Remote Assistance; if that matters to you, opt for the patch. MS08-043 (Excel) is another one to pay attention to. One of its vulnerabilities deals with the fact that XLSX files continue to store remote data session passwords (e.g. ODBC connections) even after you tell Excel not to.
 
If you manage servers, pay attention to MS08-047 (IPsec) if you use IP Security Policies, and definitely pay attention to MS08-049 (EventSystem). I wish I could provide more information on the impact of disabling the EventSystem, but what I can tell you is that this is not the same thing as the Event Logging Service. Per MS: "Microsoft Windows Event System is a service that manages method calls and event subscriptions between Windows and applications on the system."
 
Finally, if you manage security for SharePoint, check out the MS08-043 (Excel) vulnerability, which can allow arbitrary code to run on the SharePoint server through a spreadsheet used in a Web Part. Complicated world, eh?

Do you use a patch management system other than WSUS? If so, let me know what you like about it and what you don't. What advantages over WSUS does it offer?

Check out my new whitepaper: Filling the Gap in Exchange Auditing.  The security of your Exchange infrastructure and its content is critical. But organizations have largely neglected to look at the internal risks and events that impact the availability, integrity, and confidentiality of e-mail messages and the e-mail system. And native tools for auditing non-owner mailbox access and configuration changes are lacking.

Thanks as always for reading and best wishes on security,
Randy Franklin Smith

| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS08-044 (924090) | Arbitrary code / Office | Workstations, Terminal Servers | No/No | No | Critical | Office 2000, Office XP, Office 2003, Office Converter Pack | Multiple vulnerabilities addressed | Patch after normal testing |
| MS08-051 (949785) | Arbitrary code / Office Powerpoint | Workstations, Terminal Servers | No/No | No | Critical | Office 2000, Office XP, Office 2003, Office 2007 | None | Patch after testing |
| MS08-049 (950974) | Arbitrary code / Windows | Workstations, Terminal Servers, Servers | No/No | Yes | Important | Win2000, XP, Win2003, Vista, Win2008 | Workaround disables eventsystem; Restart Req’d | Patch after testing |
| MS08-048 (951066) | Information disclosure / Windows Outlook Express, Mail | Workstations, Terminal Servers | No/No | Yes | Important | Win2000, XP, Win2003, Vista, Win2008 | None | Patch after testing |
| MS08-046 (952944) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | No | Critical | Win2000, XP, Win2003 | Restart Req’d | Patch after testing |
| MS08-047 (953733) | Information disclosure / Windows IPsec | Workstations, Terminal Servers, Servers | No/No | No | Important | Vista, Win2008 | Restart Req’d | Patch after testing |
| MS08-045 (953838) | Arbitrary code / Internet Explorer | Workstations, Terminal Servers | Yes/No | No | Critical | Win2000, XP, Win2003, Vista, Win2008 | Cumulative Update addresses multiple vulnerabilities | Patch after testing |
| MS08-042 (954048) | Arbitrary code / Office | Workstations, Terminal Servers | Yes/Yes | No | Important | Office XP, Office 2003 | Word component | Patch after minimal testing |
| MS08-043 (954066) | Arbitrary code / Office | Workstations, Terminal Servers, Servers | No/No | No | Critical | Office 2000, Office XP, Office 2003, Office 2007, Office Sharepoint Server 2007 | Excel component; Multiple vulnerabilities | Patch after testing |
| MS08-041 (955617) | Arbitrary code / Office | Workstations, Terminal Servers | Yes/Yes | Yes | Critical | Office 2000, Office XP, Office 2003 | Snapshot viewer also affected | Set Kill bit for ActiveX control; Patch after normal testing |
| MS08-050 (955702) | Information disclosure / Windows Messenger | Workstations, Terminal Servers | Yes/No | Yes | Important | Win2000, XP, Win2003 | Restart Req’d | Set Kill Bit or Patch after normal testing |

