Microsoft plugs Office leaks; Delivers 4 critical patches


Summary: Microsoft on Tuesday delivered four critical patches for vulnerabilities in Office and Windows XP. Six patches were delivered in total.



Here's a look by the CVE:

CVE-2008-1091: Microsoft patched an object parsing vulnerability in Microsoft Word. Affected software includes Office 2000, 2003 and 2007. Microsoft explains:

A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted Rich Text Format (.rtf) files. The vulnerability could allow remote code execution if a user opens a specially crafted .rtf file with malformed strings in Word or previews a specially crafted .rtf file with malformed strings in rich text e-mail. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The Zero Day Initiative gets credit for the find.

CVE-2008-1434: Microsoft's update addresses a Word cascading style sheet vulnerability. Microsoft says: "A remote code execution vulnerability exists in the way that Microsoft Word handles specially crafted Word files. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed CSS value." Jun Mao, working with iDefense Labs, gets credit.

CVE-2008-0119: Microsoft fixed a vulnerability in Microsoft Publisher. Microsoft says:

A remote code execution vulnerability exists in the way Microsoft Publisher validates object header data. An attacker could exploit the vulnerability by sending a specially crafted Publisher file which could be included as an e-mail attachment, or hosted on a specially crafted or compromised Web site. If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

Cocoruder of Fortinet Security Research gets credit for the find. Office 2000, 2003 and 2007 are affected.

CVE-2007-6026: Microsoft patched Windows 2000 Service Pack 4, Windows XP and Windows Server 2003 due to a buffer overrun vulnerability. Microsoft says:

A buffer overrun vulnerability exists in the Microsoft Jet Database Engine (Jet) that could allow remote code execution on an affected system. An attacker could exploit the vulnerability by creating a specially crafted database query and sending it through an application that is using Jet on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

CERT, ISC/SANS and Aaron Portnoy of TippingPoint DVLabs get credit for reporting the issue.

Two moderate vulnerabilities were patched affecting Microsoft Live OneCare, Antigen, Windows Defender and Forefront.

CVE-2008-1437: Microsoft says:

A denial of service vulnerability exists in the way that the Microsoft Malware Protection Engine processes specially crafted files. An attacker could exploit the vulnerability by constructing a specially crafted file that could allow denial of service when received by the target computer system and scanned by the Microsoft Malware Protection Engine. An attacker who successfully exploited this vulnerability could cause the Microsoft Malware Protection Engine to stop responding and automatically restart.

And CVE-2008-1438: the same vulnerability, except that in this case an "attacker who successfully exploited this vulnerability could cause disk-space exhaustion, leading to a denial of service condition and automatic restart."


Talkback

22 comments
  • And... conspicuously absent from the list?

    Windows Vista - again.

    More secure? definitely.
    Runs well? Absolutely?
    Trouble-free? Not nearly.
    Better value? Absolutely.

    Windows Vista - it just works.
    Confused by religion
    • Actually...

      This is talking Office, not Windows XP or Vista, and if you noticed Office 2007 was included, which most Vista users probably use.
      As for:
      More Secure? than what? XP but probably not Linux
      Runs Well? Good enough
      Trouble-free? I'd agree with you.
      Value? ABSOLUTELY NOT. (I'm sorry you've been ripped off!)

      Windows Vista may just work, but so do all the other operating systems, like Mac OS and Linux - they all just work!!!!!
      mrdt
      • If you read carefully...

        This is one of the patches:

        "CVE-2007-6026: Microsoft patched Windows 2000 Service Pack 4, Windows XP and Windows Server 2003 due to a buffer overrun vulnerability. Microsoft says:..."

        Value is in the eye of the beholder - I am getting excellent value for my Vista machines - especially the Tablet. Sorry you feel you were ripped off - or don't you use Vista?
        Confused by religion
        • yes and...

          I guess you are not concerned with the first patch listed CVE-2008-1091. Nowhere did I read that Vista wasn't included, as it had to do with Outlook 2007, Word 2007, etc.

          I agree that value is in the eye of the beholder, I'm glad you believe you're getting excellent value, but did you really look into all the options, or did you just go to the store and pick what was available?
          Last year, at the non-profit organization I worked at, we were purchasing new desktops, I had recommended Vista with Office 2007 (I'm all about staying up to date), my boss decided to stick with XP. I have friends that decided to upgrade to Vista, and they don't really see much added value over XP. I was going to upgrade my computer at home, but when I did my research, I picked Linux. I didn't have to agree with MS outrageous license and did have to pay their outrageous retail sticker price. Oh, my computer has all the same capabilities as your Vista, eyecandy and all. What did I pay, no not free, I decided to buy my copy, I think I paid $10. Now that's value.
          mrdt
          • Value Plus

            Sorry Milly, that's what I call value!
            mpgme
    • Yes, conspicuously is the word.

      That privilege escalation vulnerability just keep on going.

      http://secunia.com/product/13223/?task=advisories

      Awesome logic there. Absence of patches does not mean there is no need to patch.
      odubtaig
      • Lame

        That privilege escalation vulnerability you're hinging your argument on is pretty damn weak. It requires all sorts of prerequisites to work (a person with a regular user account can not just log on and exploit it), and it can be prevented with simple administration measures.

        Given the fact that it was first discovered on April 17, and it is hardly critical, your apparent shock over it not being patched makes me think you are reaching in an attempt to justify your choices.

        Got anything of substance?

        ...
        toadlife
        • Nope

          Nothing more than the point that an absence of patches does not mean there's nothing to be patched.
          odubtaig
    • not for long

      Not for long my dear.

      Just a few more....
      X41
    • *snicker*

      [i]Windows Vista - it just works.[/i]

      http://www.msnbc.msn.com/id/24596745/
      Chad_z
      • The article disproves what he said how?

        I didn't see anything in the article that contradicted what he said. Perhaps you'd be so good as to point it out? Thanks.
        ye
        • Obviously you don't read...

          Vista taxes all but the most modern PCs with hefty processing and memory requirements. Many of GM's PCs can't even run the system. "By the time we'd replace them, Windows 7 might be ready anyway," Killeen says. Then there are compatibility problems with all the software that needs to run on Windows.

          *** THEN THERE ARE COMPATIBILITY PROBLEMS ***

          I emphasised that because if you missed it the first time you read through the article, you'd probably miss it here too..

          And I would suppose next your arguments will be "oh well, mustn't be anything since they didn't go into detail about the 'compatibility problems' they had" ...

          You people need to get a better grip on reality. The numbers touted for "Vista" include upgrade/software assurance from microsoft. It doesn't mean that the OS **is** being used, it means it *can be* by corporations that have software assurance.

          The only place Vista has numbers is in the systems sold to the avg joe ... and in those cases, the avg joe doesn't get to pick the OS they have installed.. no.. the AVG Joe has to purchase based on purse. 499 for a laptop with vista or 799 for a laptop preinstalled with XP?

          Microsoft's Vista is just not worth the upgrade. XP runs perfectly fine on every machine I have or have access to.
          TG2
      • So Corporate America marketshare is now the standard?

        So Corporate America marketshare is now the standard for how well things work? In that case, I guess Linux and OS X don't work [b]at all[/b], Vista works fairly well, and XP works better than every other OS combined!!

        Or... would you like to rethink your logic?
        NonZealot
      • Re: *snicker*

        [i]"We're considering bypassing Vista and going straight to Windows 7," says GM's Chief Systems & Technology Officer Fred Killeen.[/i]

        Not "we're considering going to Mac", or "we're considering Linux". Still a win for Microsoft...

        [i]"it's nothing new for companies like GM to skip releases of Windows, says Mike Nash, a corporate vice-president at Microsoft."[/i]

        Business as usual. What was your point again?
        Real World
        • That's right another pick and choose poster

          Vista taxes all but the most modern PCs with hefty processing and memory requirements. Many of GM's PCs can't even run the system. "By the time we'd replace them, Windows 7 might be ready anyway," Killeen says. Then there are compatibility problems with all the software that needs to run on Windows.

          **** so ****

          You'll pick and choose to be selective in representing, Officer Barbrady, that there's nothing to see there, Mr. or Ms. "Real World"

          Obviously you decided to overlook the "compatibility problems with all the software that needs to run..."

          Part of the "skip" was due to compatibility problems between Vista and other apps. Or that the cost to make perfectly working PC's into vista dogs, and then have to replace or upgrade all of the applications too, just to make them work where perfectly working PC's are now..

          Selective snickering just to pretend there isn't more in the story is just plain stupid and childish "Real World". Read the story, you MISSED the point.. oh.. and how well does your company do Real World, when you're spending twice as much for an upgrade just to get your PC's on Vista..

          no.. I'm sure your answer is.. "you bought new pc's that already have vista on them" Well then, that was your life cycle.. you didn't get sold the bill of goods that today's PC will work fine with the Next OS ... oh maybe a memory upgrade.. (oh but then the apps again... gotta love it when you can't run the applications you already own)
          TG2
          • Wow

            You used a lot of words to speculate on why I quoted the sections of the article I did. Let me save you the trouble: it doesn't matter why they wait to install (or even skip over) a version of Windows. That wasn't my point. The point is that they will be buying another version of Windows, and until they do, they will continue to run Windows.

            Thanks for playing...
            Real World
  • Good news for Mac users of MS Office

    http://biz.yahoo.com/prnews/080513/aqtu077.html?.v=48

    VBA is back!
    No_Ax_to_Grind
    • Unfortunately it's not for Office 2008.

      It will return in the next version and who knows when that will be.
      ye
  • Lame

    That privilege escalation vulnerability you're hinging your argument on is pretty damn weak. It requires all sorts of prerequisites to work (a person with a regular user account can not just log on and exploit it), and it can be prevented with simple administration measures.

    Given the fact that it was first discovered on April 17, and it is hardly critical, your apparent shock over it not being patched makes me think you are reaching in an attempt to justify your choices.

    Got anything of substance?
    toadlife
    • Ooops - meant to reply above (ignore)

      ...
      toadlife