X
Tech

Microsoft patches Vista, Windows Server 2008, IE

Microsoft delivered 10 patches including six critical ones on Tuesday. Among the critical patches for Vista, Windows Server 2008 and Internet Explorer.
Written by Larry Dignan, Contributor

Microsoft delivered 10 patches including six critical ones on Tuesday. Among the critical patches for Vista, Windows Server 2008 and Internet Explorer.

Critical patches by the CVEs:

CVE-2008-0083: Covers Windows Vista and Windows Server 2008. Microsoft says:

"A remote code execution vulnerability exists in the way that the VBScript and JScript scripting engines decode script in Web pages. This vulnerability could allow remote code execution if a user opened a specially crafted file or visited a Web site that is running specially crafted script. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Symantec flagged the vulnerability.

CVE-2008-1086: This patch covers ActiveX Kill Bits flaws and is necessary for Windows 2000, XP (various flavors), Windows Server 2003 (various flavors), Vista and Windows Server 2008. Microsoft says:

"A remote code execution vulnerability exists in the ActiveX control hxvz.dll. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user."

iDefense VCP found the vulnerability.

CVE-2008-1085: Microsoft says:

"A remote code execution vulnerability exists in Internet Explorer because of the way that it processes data streams. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user."

IE 6 and 7 are primarily impacted on multiple platforms, notably Vista and Server 2008. Secunia found the vulnerability.

CVE-2008-1088: Microsoft says: A remote code execution vulnerability exists in the way Microsoft Project handles specially crafted Project files. An attacker could exploit the vulnerability by sending a malformed file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site.

The National Cyber Security Center, The Republic of Korea found the vulnerability, which impacts Microsoft Project Server 2003, 2007, Portfolio Server 2007 and Project Server 2007.

CVE-2008-1083, CVE-2008-1087 are vulnerabilities that exist in the way GDI handles integer and filename parameters, respectively in EMF image files. Researchers at iDefense Labs, Zero Day Initiative and SkyRecon flagged these flaws.

Editorial standards