Microsoft released 11 security bulletins today along with updates to address the vulnerabilities described in them. Various versions of Windows and Office are affected. The Advance Notification indicated that there would be a 7th critical update; this appears to have been removed at the last minute.
- MS08-041 Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution (Critical): A critical remote code execution vulnerability exists in Access 2000, 2002 and 2003 and the Snapshot Viewer for Microsoft Access. An attacker could use this vulnerability to execute code remotely and, in some cases, take over the system.
- MS08-042 Vulnerability in Microsoft Word Could Allow Remote Code Execution (Important): A remote code execution vulnerability exists in Word 2002 (Office XP) and Word 2003.
- MS08-043 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Critical): Four different vulnerabilities exist in various versions of Excel. The only critical vulnerabilities are in Excel 2000, all the rest being rated as "Important".
- MS08-044 Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (Critical): Office 2000, XP, 2003, as well as the Office Converter Pack and Works 8 are all affected by 5 related file import vulnerabilities. The vulnerabilities are rated critical only on Office 2000; all are ranked Important on all other products.
- MS08-045 Cumulative Security Update for Internet Explorer (Critical): 5 different vulnerabilities are fixed in this cumulative update. All current versions of IE are affected and at least one vulnerability is critical on all platforms, including the most recent versions of Vista and Windows Server 2008. Four of the 5 are memory-corruption vulnerabilities, generally involving code accessing uninitialized memory.
- MS08-046 Vulnerability in Microsoft Windows Image Color Management System Could Allow Remote Code Execution (Critical): A vulnerability in ICM makes it possible for an attacker to cause remote code execution on a Windows client system running Windows 2000, Windows XP or Windows Server 2003.
- MS08-047 Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (Important): An information disclosure vulnerability in Windows Vista and Windows Server 2008 could cause systems to ignore IPsec policies and transmit network traffic in clear text.
- MS08-048 Security Update for Outlook Express and Windows Mail (Important): A malicious web site could cause Outlook Express or Windows Mail to disclose information through a malicious MHTML link that could bypass IE security zone restrictions.
- MS08-049 Vulnerabilities in Event System Could Allow Remote Code Execution (Important): 2 vulnerabilities in the Windows event subsystem affect all versions of Windows. The subsystem does not properly validate input, potentially leading to remote code execution.
- MS08-050 Vulnerability in Windows Messenger Could Allow Information Disclosure (Important): An information disclosure vulnerability in most versions of Windows Messenger could allow an attacker to change state, get contact information, and initiate audio and video chat sessions without the knowledge of the logged-on user.
- MS08-051 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (Critical): 3 vulnerabilities in all versions of PowerPoint are fixed in this update. One, a code execution vulnerability, affects all versions but is rated Critical only on PowerPoint 2000. The other 2 are rated Important and affect only PowerPoint Viewer 2003.
All updates are available through Windows Update and all the other usual avenues.