September 9, 2008
Microsoft Patch Disclosure - September 2008
This month Microsoft released 4 bulletins which repair a total of 10 vulnerabilities. None of these vulnerabilities have been seen in in-the-wild attacks.
Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus have generically protected against the memory-based vulnerabilities.
Patch Precedence
All of the vulnerabilities addressed by this month's 4 patches relate to file-format or client-side issues. Because of this, desktop administrators will likely spend the most time analyzing and patching the network segments they are responsible for.
As always, eEye suggests that users roll out these patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please check tomorrow's Vulnerability Expert Forum.
This Month's Bulletins
Critical
- MS08-052 - Vulnerabilities in GDI+ Could Allow Remote Code Execution
- MS08-053 - Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution
- MS08-054 - Vulnerability in Windows Media Player Could Allow Remote Code Execution
- MS08-055 - Vulnerability in Microsoft Office Could Allow Remote Code Execution
Bulletin Summary
MS08-052
Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
http://www.microsoft.com/technet/security/bulletin/MS08-052.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes five vulnerabilities within Windows GDI+. These vulnerabilities allow an attacker to form a specially-crafted picture file that, when viewed by a target user, could allow for an attacker to execute arbitrary code on the remote system.
- CVE-2007-5348 - GDI+ VML Buffer Overrun Vulnerability
A remote code execution vulnerability exists in the way that GDI+ handles gradient sizes. The vulnerability could allow remote code execution if a user browses to a Web site that contains specially crafted content.
- CVE-2008-3012 - GDI+ EMF Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that GDI+ handles memory allocation. The vulnerability could allow remote code execution if a user opens a specially crafted EMF image file or browses to a Web site that contains specially crafted content.
- CVE-2008-3013 - GDI+ GIF Parsing Vulnerability
A remote code execution vulnerability exists in the way that GDI+ parses GIF images. The vulnerability could allow remote code execution if a user opens a specially crafted GIF image file or browses to a Web site that contains specially crafted content.
- CVE-2008-3014 - GDI+ WMF Buffer Overrun Vulnerability
A remote code execution vulnerability exists in the way that GDI+ allocates memory for WMF image files. The vulnerability could allow remote code execution if a user opens a specially crafted WMF image file or browses to a Web site that contains specially crafted content.
- CVE-2008-3015 - GDI+ BMP Integer Overflow Vulnerability
A remote code execution vulnerability exists in the way that GDI+ handles integer calculations. The vulnerability could allow remote code execution if a user opens a specially crafted BMP image file.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Binary analysis of GDI+ has matured considerably, so a public PoC or exploit is likely to appear quickly.
MS08-053
Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)
http://www.microsoft.com/technet/security/bulletin/MS08-053.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes one ActiveX vulnerability within Windows Media Encoder 9. This vulnerability allows an attacker to form a specially-crafted HTML site that, when viewed by a target user, could allow for an attacker to execute arbitrary code on the remote system.
- CVE-2008-3008 - Windows Media Encoder Buffer Overrun Vulnerability
A remote code execution vulnerability exists in the WMEX.DLL ActiveX control installed by Windows Media Encoder 9 Series.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Administrators should also review whether ActiveX controls are necessary within their network, and consider alternate technologies and protections.
MS08-054
Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)
http://www.microsoft.com/technet/security/bulletin/MS08-054.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes one vulnerability within Windows Media Player. This vulnerability allows an attacker to form a specially-crafted audio stream that, if opened by an unpatched Windows Media Player client, could allow for an attacker to execute arbitrary code on the remote system.
- CVE-2008-2253 - Windows Media Player Sampling Rate Vulnerability
A remote code execution vulnerability exists in Windows Media Player 11. An attacker could exploit the vulnerability by constructing a specially crafted audio file that could allow remote code execution when streamed from a Windows Media server using Windows Media Player 11.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Network administrators should also review the possibility of disabling the RTSP protocol at a network IDS layer.
MS08-055
Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)
http://www.microsoft.com/technet/security/bulletin/MS08-055.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Medium
Description
This patch fixes one vulnerability within Microsoft Office, specifically within OneNote. This vulnerability allows an attacker to form a specially-crafted URL that, when clicked on by a target user, could allow for an attacker to execute arbitrary code on the remote system under the context of the logged in user.
- CVE-2008-3007 - Uniform Resource Locator Validation Error Vulnerability
A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted URLs using the OneNote protocol handler (onenote://). The vulnerability could allow remote code execution if a user clicks a specially crafted OneNote URL.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Mitigation strategies exist to disable the 'onenote://' protocol handling. If the patch is unable to be rolled out in a timely manner, this mitigation is strongly recommended.
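The bulletin names disabling 'onenote://' protocol handling as the interim mitigation but does not spell out the mechanism. The following PowerShell script is an added example for administrators, not part of eEye's bulletin or Microsoft's guidance. It assumes the standard Windows layout for URL protocol handlers (a key under HKEY_CLASSES_ROOT named after the scheme, carrying an empty "URL Protocol" value and a shell\open\command subkey); the function names and the choice to remove only the "URL Protocol" marker rather than the whole key are this example's own. It first audits which handlers are registered and what command each launches, then, only with -Disable, unregisters the chosen scheme so browsers no longer hand it off. Run it from an elevated prompt and export the key beforehand so the change can be reverted once the patch is deployed.

```powershell
# Added example (not from the eEye bulletin): audit URL protocol handlers and,
# on request, disable one of them as an interim mitigation for MS08-055.
# Assumption: handlers live at HKCR\<scheme> with an empty "URL Protocol" value
# and a shell\open\command subkey (standard Windows behaviour, not stated in the bulletin).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Scheme = 'onenote',   # scheme named in the bulletin
    [switch]$Disable               # without this switch the script only reports
)

function Get-UrlProtocolHandler {
    # List every HKCR subkey that carries the "URL Protocol" marker value,
    # together with the command line Windows would run for that scheme.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'URL Protocol' } |
        ForEach-Object {
            $cmdKey  = Join-Path -Path $_.PSPath -ChildPath 'shell\open\command'
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Scheme  = $_.PSChildName
                Command = $command
            }
        }
}

function Disable-UrlProtocolHandler {
    # Remove the "URL Protocol" marker so the scheme is no longer treated as a
    # launchable URL handler. The key itself stays in place, which keeps the
    # change easy to reverse after patching.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Name)

    $keyPath = "Registry::HKEY_CLASSES_ROOT\$Name"
    if (-not (Test-Path -Path $keyPath)) {
        Write-Warning "No protocol handler registered for '$Name://'; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess("$keyPath", "Remove 'URL Protocol' value")) {
        Remove-ItemProperty -Path $keyPath -Name 'URL Protocol' -ErrorAction Stop
        Write-Output "Disabled '$Name://' protocol handling on $env:COMPUTERNAME."
    }
}

# Report all handlers, highlighting the one under review.
$handlers = Get-UrlProtocolHandler
$handlers | Sort-Object Scheme | Format-Table -AutoSize

$target = $handlers | Where-Object { $_.Scheme -eq $Scheme }
if ($target) {
    Write-Output "'$Scheme://' is registered and launches: $($target.Command)"
} else {
    Write-Output "'$Scheme://' is not registered on this system."
}

# Only change the registry when explicitly asked; -WhatIf previews the change.
if ($Disable -and $target) {
    Disable-UrlProtocolHandler -Name $Scheme
}
```

Run the script with no switches to inventory handlers across a fleet (the audit output is also a useful baseline for spotting unexpected handlers later), with -Disable -WhatIf to preview, and with -Disable to apply. Re-run without -Disable after MS08-055 is installed, then restore the exported key so OneNote links work again.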
The eEye Advantage
Retina® Network Security Scanner
eEye Digital Security's Retina® customers can update their scanner to detect systems vulnerable to these latest issues and verify this month's Microsoft patches are installed. Updated Retina audits are automatically available to eEye Retina customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/html/mspatch/september2008.html#audits
Blink® Unified Client Security
eEye's line of Blink® with Anti-Virus software protects from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity. Blink does not require disabling services or applications as a means of protection. The result is complete protection for the system and the sensitive data that resides on it, with zero downtime or impact to critical system operations.
Current Blink customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required. Both Blink Professional and Blink Personal now include multiple integrated anti-virus engines. Blink Personal is available for free for one year for personal use and can be downloaded at: http://www.eeye.com/blinkpersonal/. Business users can download a trial version of Blink Professional at: http://www.eeye.com/blink/
Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/html/events/online_seminars/vef.html.
