
Patch Tuesday - December 2008

12.09.2008 - 4:45 PM

Microsoft recently published its monthly security bulletin summary for December 2008. The summary includes eight bulletins, of which six were rated "critical" and two "important". Microsoft has patched vulnerabilities all over their product portfolio, including patches for Internet Explorer, Microsoft Office, GDI, and Windows Search.

Here's a quick overview of what this means in terms of threats to the Webscape, focusing on the vulnerabilities that can be exploited over the Web.

Internet Explorer

MS08-073 is a critical cumulative security update for Internet Explorer that fixes:

If you use Internet Explorer, this means that there are now 4 additional ways for your desktop to get infected with malicious code if you happen to simply visit a malicious Web site. This is also known as a "drive-by" because it happens silently, without requiring any explicit user action beyond visiting the site.

Web threats of this kind are the focus of our research here in the Security Labs, and represent a new frontier in security as the effectiveness of traditional anti-virus software continues its decline.

Graphics Device Interface (GDI)

MS08-071 is a fix for two vulnerabilities (CVE-2008-2249, CVE-2008-3465) in Microsoft's graphics API. Why is that important and how will it affect a casual Web surfer?

Because Web sites include image files, these vulnerabilities mean that all you have to do to infect your machine is load a malicious site in your browser. Long-time readers may recall that Websense Security Labs researchers were the first to discover malicious .WMF images spreading on the Web (see the alert here) back in 2005. In 2006, we also posted a timeline of the attacks here. These latest vulnerabilities go to show that one patch does not make the problem go away for good. For a technical analysis of the .WMF exploit (MS06-001), visit this page.

Windows Search

MS08-075 is another critical patch, this time for Windows Search. This resolves two vulnerabilities (CVE-2008-4268, CVE-2008-4269) that could allow an attacker to completely take over your desktop by means of a specially-crafted search URL.

Tip: If you hover your mouse over a hyperlink on a Web site and see a URL that starts with search-ms:// (instead of http://), something might be amiss.
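The tip above can also be applied to saved page source instead of hovering over each link. The following is an added example, not code from the original post; the function names, the set of attributes inspected and the sample HTML are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes whose value is a URL the browser may navigate to or load.
URL_ATTRS = {"href", "src", "action", "data"}
# Scheme named in the tip; extend with any other schemes you want reported.
FLAGGED_SCHEMES = {"search-ms"}

def url_scheme(value):
    """Return the lowercased scheme of an attribute value, or None if relative."""
    # Mirror browser URL parsing: drop tab/CR/LF, ignore surrounding whitespace.
    cleaned = re.sub(r"[\t\r\n]", "", value).strip()
    match = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return match.group(1).lower() if match else None

class LinkAuditor(HTMLParser):
    """Collects (line, tag, attribute, value) for every flagged URL scheme."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already lowercased names and decoded entities such
        # as &#45; in values, so encoded scheme names are seen in clear.
        for name, value in attrs:
            if name in URL_ATTRS and value and url_scheme(value) in FLAGGED_SCHEMES:
                line, _ = self.getpos()
                self.findings.append((line, tag, name, value.strip()))

def audit_links(html_text):
    auditor = LinkAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings

# Constructed sample page; the URLs are placeholders, not real search queries.
SAMPLE_HTML = """<html><body>
<a href="http://example.com/news">ordinary link</a>
<a href="  SEARCH-MS://placeholder">mixed case, leading spaces</a>
<a href="search&#45;ms://placeholder">entity-encoded hyphen</a>
<a href="/search-ms-faq.html">relative path, not a scheme</a>
<iframe src="search-ms://placeholder"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, value in audit_links(SAMPLE_HTML):
        print(f"line {line}: <{tag} {attr}> uses flagged scheme: {value}")
```

A finding means only that the page references the scheme and deserves a closer look, in the same "something might be amiss" sense as the tip.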

Microsoft Office and ActiveX

Other Microsoft products that also received band-aids include: Microsoft Office Word (MS08-072), and Excel (MS08-074), as well as Visual Basic 6.0 ActiveX Controls (MS08-070).

As always, it is a good practice to disable any ActiveX controls that you don't use. Also, resist the urge to double-click on every Word .doc (or .docx) and Excel .xls (or .xlsx) email attachment that you receive. You just never know—it might contain the latest exploit.

Security Researchers: Moti Joseph, Jay Liew
