In the last security bulletin round of this year, Microsoft
security experts address multiple vulnerabilities, six of the bulletins being
considered ‘critical.’ The bulletins are: MS08-070, MS08-071, MS08-072,
MS08-073, MS08-074, MS08-075, MS08-076 and MS08-077.
The first security bulletin refers to vulnerabilities in
Visual Basic 6.0 Runtime Extended Files – ActiveX Controls, which could allow
remote code execution if a user browsed a website that contains specially
crafted content, although this is less likely to affect users whose accounts
are configured to have fewer user rights on the system, Microsoft explained.
The vulnerability affects all supported editions of Microsoft
Visual Studio .NET 2002, Microsoft Visual Studio .NET 2003, Microsoft Visual
FoxPro 8.0, Microsoft Visual FoxPro 9.0, Microsoft Office Project 2003,
Microsoft Office Project 2007; and the Chinese Simplified (China), Chinese Pan
(Hong Kong), Chinese Traditional (Taiwan), and Korean versions of Microsoft
Office FrontPage 2002.
The MS08-071 security bulletin addresses two vulnerabilities
in GDI, which could allow remote code execution when opening a specially
crafted WMF image file. This would allow the attacker full control over the
affected system, Microsoft warned.
The update is critical for all editions of Microsoft Windows
2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
MS08-072 patches vulnerabilities in Microsoft Office Word
2000 and Microsoft Office Outlook 2007 which could allow remote code execution
when opening a Word or Rich Text Format (RTF) file, granting the attacker complete
control over the affected system.
The update is critical for Microsoft Office Word 2000 and
Microsoft Office Outlook 2007, and important for Microsoft Office Word 2002,
Microsoft Office Word 2003, Microsoft Office Word 2007, Microsoft Office
Compatibility Pack, Microsoft Office Word Viewer 2003, Microsoft Works 8,
Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File
Format Converter for Mac.
Microsoft Security Bulletin MS08-073 refers to four
vulnerabilities which allow remote code execution when viewing specially
crafted Web pages using Internet Explorer, and especially affect users with
administrative rights. The bulletin is critical for Internet Explorer 5.01 and
Internet Explorer 6 Service Pack 1 for Microsoft Windows 2000 and Internet
Explorer 6 for Windows XP, but also Internet Explorer 7.
MS08-074 addresses three reported vulnerabilities in
Microsoft Office Excel, which allow remote code execution if users open
specially crafted Excel files. Attackers could get complete control of an
affected system, being able to install programs, but also view, change or
delete data, and create new accounts with full user rights.
The update is critical for all supported editions of
Microsoft Office Excel 2000, and important for all editions of Microsoft Office
Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003,
Microsoft Office Excel 2007, Microsoft Office Compatibility Pack, Microsoft
Office Excel Viewer, Microsoft Office 2004 for Mac, Microsoft Office 2008 for
Mac, and Open XML File Format Converter for Mac.
MS08-075 fixes a vulnerability in Windows Explorer in Vista
and Server 2008 that was exposed through the search-ms protocol handlers, which
extend the functionality of web browsers, security experts explained on
Microsoft’s blog.
MS08-076 addresses two vulnerabilities in the Windows Media
components: Windows Media Player, Windows Media Format Runtime, and Windows
Media Services. The flaws are rated important; however, if combined, they could
lead to remote code execution, experts said.
In addition to the security bulletins, Microsoft also
published the Microsoft Security Advisory 960906 on a vulnerability in the
WordPad Converter for Word 97 files affecting Windows 2000 SP4, Windows XP SP2
and Windows Server 2003 SP1 and SP2.