10.12.08

Unpatched Internet Explorer 7 Vulnerability Exploited As Microsoft Patch Fixes 28 Security Vulnerabilities


Microsoft today released patches for at least 28 vulnerabilities affecting Windows, Office, Internet Explorer, Visual Basic ActiveX controls and Windows Media Player. At the same time, according to a warning from security researchers, malicious hackers are exploiting an unpatched zero-day flaw in Microsoft’s Internet Explorer 7 browser to launch a new wave of malware attacks.
Of the 28 flaws, 23 could be used to launch remote code execution attacks with minimal user action. Most of the bulletins address client-side flaws that could be exploited via the browser or when a user opens a booby-trapped file, for example a rigged RTF (Rich Text Format) Word file.
Here are the details and overview of the December 2008 Microsoft patches:
MS08-070 (Critical) Multiple vulnerabilities in ActiveX controls from the Visual Basic 6.0 runtime allow arbitrary code execution. Also affects Visual Studio, FoxPro, FrontPage and MS Project. The vulnerable files are distributed with third-party applications as well. Affected: Visual Basic ActiveX (CVE-2008-3704, CVE-2008-4252, CVE-2008-4256, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255). Exploit code for CVE-2008-3704 has been publicly available since August 2008.
MS08-071 (Critical) Multiple overflow vulnerabilities allow code execution with the rights of the logged-on user via crafted WMF files. Replaces MS08-021. Affected: GDI (CVE-2008-3465, CVE-2008-2249). No publicly known exploits.
MS08-072 (Critical) A multitude of vulnerabilities allow arbitrary code execution in Office (and, by extension, Outlook). Also affects the Mac versions of Office (Office 2004 and Office 2008). Replaces MS08-026, MS08-042, MS08-052 and MS08-057. Affected: MS Word (CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4028, CVE-2008-4030, CVE-2008-4837, CVE-2008-4031). No publicly known exploits.
MS08-073 (Critical) Multiple vulnerabilities allow arbitrary code execution with the rights of the logged-on user. Replaces MS08-058. Affected: MS Internet Explorer (CVE-2008-4258, CVE-2008-4259, CVE-2008-4261, CVE-2008-4260). No publicly known exploits.
MS08-074 (Critical) Multiple vulnerabilities allow arbitrary code execution in MS Office. Also affects the Mac versions of Office (Office 2004 and Office 2008). Replaces MS08-058. Affected: Excel (CVE-2008-4265, CVE-2008-4264, CVE-2008-4266). No publicly known exploits.
MS08-075 (Critical) Multiple vulnerabilities allow arbitrary code execution with the rights of the logged-on user. Replaces MS08-038. Affected: Windows Explorer (CVE-2008-4269, CVE-2008-4268). No publicly known exploits.
MS08-076 (Important) Multiple vulnerabilities allow arbitrary code execution with the rights of the logged-on user. Affected: WMC media player (CVE-2008-3010, CVE-2008-3009). No publicly known exploits.
MS08-077 (Important) Authentication can be bypassed on SharePoint servers. Replaces MS07-059. Affected: SharePoint (CVE-2008-4032). Microsoft’s workaround publicizes more details.
Users running IE 7 on Windows XP SP2 can still be infected by a Trojan downloader that exploits an unpatched IE7 vulnerability. The exploit was published the same day Microsoft patched the wide range of vulnerabilities listed above. It takes advantage of the way IE handles XML (Extensible Markup Language). For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code that takes advantage of the flaw.
In the attacks, the code drops a malicious program on the victim’s PC, which then downloads further malicious software from various locations. Proof-of-concept code is currently public, and the attacks may become more widespread (some hacked Chinese-language websites already infect visitors).
