March 11, 2008
Microsoft Patch Disclosure - March 2008
This month Microsoft released four bulletins which repair a total of 12 vulnerabilities. One of these vulnerabilities has been seen within in-the-wild zero-day attacks. For more information about this zero-day threat, review the Excel Unspecified Exploit Zero-Day Tracker Entry.
Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus protected systems against exploits attempting to leverage these vulnerabilities.
Patch Precedence
All of the vulnerabilities addressed by this month's four patches are client-side file-format vulnerabilities. Because of the complex nature of file-format parsing, network-based IPS systems will typically be unable to fully protect end users. Administrators and users are urged to apply the client-side updates as soon as possible to avoid potential exploitation.
As always, eEye suggests that users roll out these patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please check tomorrow's Vulnerability Expert Forum.
This Month's Bulletins
Critical
- MS08-014 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
- MS08-015 - Vulnerability in Microsoft Outlook Could Allow Remote Code Execution
- MS08-016 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
- MS08-017 - Vulnerability in Microsoft Word Could Allow Remote Code Execution
Bulletin Summary
MS08-014
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (949029)
http://www.microsoft.com/technet/security/bulletin/MS08-014.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes seven vulnerabilities in Microsoft Excel. Each of the seven allows an attacker to create a malformed Excel document that, when opened by an unsuspecting user, could allow the execution of arbitrary code in the context of the logged-in user.
- CVE-2008-0111 - Excel Data Validation Record Vulnerability
A remote code execution vulnerability exists in the way Excel processes data validation records when loading Excel files into memory.
- CVE-2008-0112 - Excel File Import Vulnerability
A remote code execution vulnerability exists in the way Excel handles data when importing files into Excel. An attacker could exploit the vulnerability by sending a malformed .slk file.
- CVE-2008-0114 - Excel Style Record Vulnerability
A remote code execution vulnerability exists in the way Excel handles Style record data when opening Excel files.
- CVE-2008-0115 - Excel Formula Parsing Vulnerability
A remote code execution vulnerability exists in the way Excel handles malformed formulas.
- CVE-2008-0116 - Excel Rich Text Validation Vulnerability
A remote code execution vulnerability exists in the way Excel handles rich text values when loading application data into memory.
- CVE-2008-0117 - Excel Conditional Formatting Vulnerability
A remote code execution vulnerability exists in the way Excel handles conditional formatting values.
- CVE-2008-0081 - Macro Validation Vulnerability (Zero-Day Exploit In The Wild)
A remote code execution vulnerability exists in the way Excel handles macros when opening specially crafted Excel files.
Recommendations
At least one of these vulnerabilities has been publicly known and exploited by malicious parties within targeted attacks. Although public exploit code or details for this vulnerability have not been released in a public forum, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible after internal applications have been verified to not be adversely affected by this patch.
Resources
eEye Zero-Day Tracker: Excel Unspecified Exploit
MS08-015
Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (949031)
http://www.microsoft.com/technet/security/bulletin/MS08-015.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes one vulnerability in Microsoft Outlook. The vulnerability allows an attacker to create a malformed web page that, when viewed by an unsuspecting user, could allow the execution of arbitrary code in the context of the logged-in user.
- CVE-2008-0110 - Outlook URI Vulnerability
A remote code execution vulnerability exists in Outlook. The vulnerability could allow remote code execution if Outlook is passed a specially crafted mailto URI.
Recommendations
Although exploit code or details for this vulnerability have not been released, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible after internal applications have been verified to not be adversely affected by this patch.
MS08-016
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (949030)
http://www.microsoft.com/technet/security/bulletin/MS08-016.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes two vulnerabilities in Microsoft Office. These vulnerabilities allow an attacker to create a malformed Office document that, when opened by an unsuspecting user, could allow the execution of arbitrary code in the context of the logged-in user.
- CVE-2008-0113 - Microsoft Office Cell Parsing Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way Microsoft Office handles specially crafted Excel files.
- CVE-2008-0118 - Microsoft Office Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way Microsoft Office processes malformed Office files.
Recommendations
Although exploit code or details for these vulnerabilities have not been released, eEye Research suggests that vulnerable hosts be patched for these vulnerabilities as soon as possible after internal applications have been verified to not be adversely affected by this patch.
MS08-017
Vulnerability in Microsoft Word Could Allow Remote Code Execution (947077)
http://www.microsoft.com/technet/security/bulletin/MS08-017.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes two vulnerabilities in Microsoft Office Web Components. These vulnerabilities allow an attacker to create a malformed web page that, when viewed by an unsuspecting user, could allow the execution of arbitrary code in the context of the logged-in user.
- CVE-2006-4695 - Office Web Components URL Parsing Vulnerability
A remote code execution vulnerability exists in the way Microsoft Office Web Components manages memory resources when parsing specially crafted URLs.
- CVE-2007-1201 - Office Web Components DataSource Vulnerability
A remote code execution vulnerability exists in the way Microsoft Office Web Components manages memory resources.
Recommendations
Although exploit code or details for this vulnerability have not been released, eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible after internal applications have been verified to not be adversely affected by this patch.
The eEye Advantage
Retina® Network Security Scanner
eEye Digital Security's Retina® customers can update their scanner to detect systems vulnerable to these latest issues and verify this month's Microsoft patches are installed. Updated Retina audits are automatically available to eEye Retina customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/html/mspatch/march2008.html#audits
Blink® Unified Client Security
eEye's line of Blink® with Anti-Virus software protects against the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity. Blink does not require the disabling of services or applications as a means of protection. The result is complete protection for the system and the sensitive data that resides on it, with zero downtime or impact to critical system operations.
Current Blink customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required. Both Blink Professional and Blink Personal now include multiple integrated anti-virus engines. Blink Personal is available for free for one year for personal use and can be downloaded at: http://www.eeye.com/blinkpersonal/. Business users can download a trial version of Blink Professional at
http://www.eeye.com/blink/
Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/html/events/web/VEF.html .
