Heed this Pre-Holiday Patch Tuesday

By Pedro Hernandez
December 9, 2008
"MS08-077 affecting SharePoint is the most important and most interesting in my opinion, due to its wide deployment. Microsoft is calling this an 'Elevation of Privilege' which scores as 'Important,' but I believe it is scored too low," states Tyler Reguly, Security Research Engineer for computer network security firm nCircle. According to Microsoft, MS08-077 involves flaws in both the 32-bit and 64-bit versions of SharePoint Server 2007 and Search Server 2008 that could expose organizations to denial of service or a data breach "if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site."

Reguly explains the potential fallout. "The vulnerability allows an unauthenticated attacker to access administrative controls. While the successful attacker would technically elevate privilege (anonymous to administrator), this vulnerability allows access controls to be bypassed altogether. For most people, privilege escalation means elevating regular user access to administrator, which may cause Administrators to patch this issue with less urgency." The other bulletin rated Important covers Windows Media Player and its associated components (MS08-076).

This month's hefty batch of critical bulletins includes Office vulnerabilities in the way Word handles RTF files (MS08-072) and flaws in Excel that can be triggered by malicious spreadsheet files (MS08-074). ActiveX is once again the subject of a patch, this time for the ActiveX controls in the Microsoft Visual Basic 6.0 Runtime Extended Files (MS08-070), and Windows' graphics rendering components are being patched for flaws exploitable through malicious WMF files (MS08-071). Lastly, Internet Explorer receives a cumulative update (MS08-073) that squashes several vulnerabilities that make Web surfing dangerous, and Windows Search is patched for a flaw in the way it handles malicious URLs or saved search files opened via Explorer (MS08-075).
Altogether, this Patch Tuesday serves as a wake-up call for online shoppers and well-wishers as they take to the Internet this holiday season, according to nCircle's Director of Security, Andrew Storms. "What a way to end the year, 8 bulletins and a whopping 28 CVEs. The Microsoft elves have been busy and delivered everyone plenty of work to do this holiday season. All but one of the bulletins affect client-side applications and include all the usual suspects: IE, Office, ActiveX and GDI," says Storms. "It's going to be important for users to be especially vigilant this holiday season. 'Tis the season for lots of holiday Internet wishes in e-cards and unfamiliar websites loaded with flashy animation and holiday songs. Given the number of client-side bugs with Microsoft products just patched, everyone should expect the attackers to celebrate the holiday season in their attack strategies," he adds.

Microsoft's webcast, which will discuss the latest vulnerabilities and updates, is scheduled for December 10, 2008, at 11:00 AM Pacific Time. On the malware front, Microsoft has added detection for the FakeXPA and Yektel Trojans to its Malicious Software Removal Tool.