Network Security Consulting SecurityFocus Article
Microsoft's Final Fix For 2008 A Big One
Microsoft's last regularly scheduled update for the year closed 28 documented security holes, the most flaws fixed since the software giant moved over to monthly patches, according to one security firm.
The eight software updates released by the company on Tuesday closed six security issues in the ActiveX controls for Microsoft Visual Basic 6.0's Runtime Extended Files, all of which could allow remote code execution if a user visited a malicious Web site, Microsoft stated. A second update solved four memory-corruption issues in the company's browser, Internet Explorer. Two other fixes corrected a total of 11 vulnerabilities in Microsoft Word and Excel.
All the vulnerabilities pose significant risk, said Ben Greenbaum, senior research manager for security response at Symantec, which owns SecurityFocus.
"While Web-based attacks seem to be the main choice for opportunistic attackers, targeted attacks are often carried out via malicious Word and Excel files attached to e-mail messages," Greenbaum said. "While both of these vectors have vulnerabilities patched by today's release, the number of vulnerabilities in Word and Excel provides attackers additional means to carry out these kinds of attacks."
Vulnerabilities in Microsoft Office have been a vector favored by attackers for targeted attacks in the past. Since 2006, the number of flaws in Microsoft's Office productivity suite has skyrocketed.
The eight updates also included fixes for security issues in Microsoft's graphics library, Windows' search functionality, Windows Media Components and a single vulnerability in Microsoft Office SharePoint Server.
Symantec stated that the collection of patches fixes the most vulnerabilities in a monthly update since Microsoft started its regularly scheduled patch program.
Microsoft also released an advisory warning customers that attackers are using "limited" targeted attacks exploiting a flaw in WordPad Text Converter on older versions of Windows 2000, Windows XP and Windows 2003.
Posted by: Robert Lemos