Archived Blog

Patch Tuesday - October 2008

10.16.2008 - 6:40 PM

Microsoft recently published its monthly security bulletins for October '08. Here's a quick overview of what this means for the Web landscape, i.e., which of these threats can reach you through the Web. Microsoft has patched vulnerabilities across its product line, ranging from Internet Explorer, MS Office, Active Directory and SMB (the protocol) to the Windows kernel. Let's take a look at the vulnerabilities that can be exploited over the Web.

Internet Explorer

This month's release includes a cumulative security update for IE (MS08-058), rated "critical".

NOTE: Keep in mind that these vulnerabilities are not technically limited to IE alone. Since MS Outlook automatically displays emails in HTML, Outlook users may also be susceptible!

The first four vulnerabilities are cross-domain vulnerabilities. A browser's same-origin policy is supposed to keep a script loaded from one Web site from reading or manipulating content that belongs to another; a cross-domain vulnerability is a way around that rule. What this means in practice is that if you have the habit of surfing the Web with multiple windows/tabs open like I do, information from one Web site could be stolen by another. For instance, if you logged on to your bank's Web site to check your balance in one browser window, a page in one of your other browser windows could silently be stealing your banking information. And seriously, who doesn't have more than one browser tab/window open while surfing the Web these days?

The four vulnerabilities are:

To top it off, there are two more memory corruption vulnerabilities. What this means is that if your browser is fed specially crafted content by a malicious Web site, the attacker could execute any code he/she desires (usually a Trojan) and take complete control of your desktop. The two vulnerabilities are:

MS Office Excel

Excel as a Web threat? I'm including Excel in this post because it's very common for people to pass Excel spreadsheets around as email attachments, on shared network drives, or through one of the many Web 2.0 file-sharing services. Occasionally you'll also see one of those forward/chain emails of Excel funnies that spreads virally, so take this as a word of caution.

So what do these vulnerabilities allow an attacker to do? By specially crafting a malicious .xls file, an attacker could show you what you were expecting (the actual data, the internet joke, etc.) while silently taking complete control of your desktop by installing a Trojan. That is: open an .xls attachment = oops, my desktop is infected.

The Excel vulnerabilities patched this month:

All of the Excel vulnerabilities mentioned above also come with the complimentary severity rating of "critical". We'll be on the lookout for these being exploited in the wild, and keep y'all posted - right here on our blog. Grab our RSS feed or subscribe via email to keep abreast of emerging Web threats.

Security Researcher: Jay Liew
