cyberwart

Today I was sort of surprised that basic CYA steps I use for pen testing weren’t immediately obvious to others. Maybe I’m exceptionally paranoid and worry to much but I thought I’d share some thoughts on the CYA business end of things.

1. Always start with a signed contract and rules of engagement. Do nothing without having this document.
2. Always read the Statement of Work (SoW) and the Rules of Engagement (RoE). These define both what you have to do and what you can’t do.
3. Always keep your PoC happy. Everything is much easier if your contact is happy. Make sure you ask them up front what they hope to get out of the engagement and check in to see that you’re meeting the objectives.
4. For any variation in the RoE/Contract feel it out verbally with the PoC first. If all is well, follow up with an email confirming what you heard and CC the project management. (good pen testers sometimes cheat, but this is how things should be done…)
5. Check with your management that your variations are cool. Sometimes actions are too risky for them and sometimes they don’t want to do free labor. This item really depends on your management.
6. If you put any tools or accounts on boxes notate it all in a spreadsheet as you do it. Track state, install, md5, uninstall — always uninstall/remove anything you create.

For the most part, I’ve avoided general ranting on my blog. However tonight I feel compelled. First, hearing Amherst people rant about politics is hilarious. Foremost, being from DC I hear strong arguments about the difficulties of executing effective public policy. There are idealist, but their grounded in realities. For example, I’m hugely liberal and I think issues such as homlessness should be fought. The difficulty is that as aid goes up, people are more inclined to rely on the safety net and the problem compounds. Here they seem to ignore such realities.

The thing that really suprises me is that they only theorize the systems. I’m probably overly inclined to build models and I’m fully aware of their flaws, but I can’t imagine a simulation would be worse of than pure brain power. Maybe I should go build one for the fun of it. I actually think it would be kind of interesting. I could roughly model a town or something with people, topology, income, political drive, etc. Add some randomness and see how things (d)evolve. Economic and political theory are amusing enough. I bet it could keep my attention long enough to build…now if only I didn’t have 10 other projects.

Adam talked me into buying a Macbook. It’s not overly hard to talk me into buying technology so lets not give him too much credit. Really, all I needed was a laptop that could do basic Internet type stuff and run VMware. As you may have read earlier, we were swamped with scanning so I had to push two boxes to be scanning machines, which left me with limited ability to do real work or to stay up on business stuff like email.

So my experience so far: Everyone knows Macs are pretty. They’re light and have small sleek form factor. The display is lovely. They keyboard is spacious and easy to use. The touchpad took a bit to get use to, but overall I’m not happy with it. It’s multi-touch capable and overall a nifty tool once you learn how to use it.

Software is actually good. Vmware Fusion is nicer and more responsive than either VMware Workstation or Server. Graphics run far faster and it’s a nicer experience. Additionally, you can use “Unity” and run Windows software on the Mac desktop. The only thing that really irks me is that there isn’t a Vmware-server-console or a Firefox/Safari plugin to access VMware server easily. So access is through a contrived VM in a VM type thing or over X11. It’s ugly, but it’s been fairly successful.

Port is my friend. It installs basically everything you might want. It has some quirks, but being a Gentoo guy I’m use to a certain amount of pain when moving to a new OS. Port builds from source and usually works — once you learn a few tricks. I have Wireshark, libpcap, libnet, scapy, python, CANVAS, metasploit, kismet, nmap, and hping working. Nessus has an install for Mac.

My Verizon Mobile Card works fine

MS Office is fine. It looks a little different but it’s Office.

Hardware is blazing. I have 4 gigs of Ram. A 250 gb hard drive and a 2.4Ghz Core duo.

Overall, I think it’s a very positive experience and I’d recommend it if you have a bit of tim to invest in getting familiar with the OS and getting the tools that you need onto the box.

Everyone loves to beat up on Microsoft. Hell, I do… sorry Carric. But Microsoft is slowly getting it’s software in order and organizations are learning to patch it very quickly. Personally,  love doing exploit development on small custom software. But in a recent case, I saw a larger software package with a known bug but no exploit.

In particular, I’m talking about the command execution vuln released in October for BrightStor ARCServe. BID 31684.

To actually exploit the bug use Nessus/Nasl

Find the file: arcserve_command_exec.nasl

Copy it somewhere and edit. Change the following:

1. Ditch the requirements. Comment out
   #script_require_keys(”Host/OS/smb”)
   #script_require_ports (6504);
2. Manually set the hostname
   host = kb_smb_name(); to host = “hostname”; Note, and IP won’t work
3. Change the cmd
   cmd = “ifconfig”; to whatever you want
4. Change the output to use the display() function so you can see what happens
5. Run the NASL
   nasl -t target_ip_or_hostname yournasl.nasl

Yes, this is a bit clunky, but it’s a fairly quick way to execute arbitrary commands on the remote system. RPC (IMO) is difficult and I’d rather not deal with it if some else already has.

I’ve decided that I truly HATE most vulnerability scanners. Generally I don’t trust the things, but they’ve always done a fair job of giving me a checkbox for patches and by providing a little guidance on how to attack a network. Well recently we’re had to scan multiple class B networks both internally and externally. It’s been brutal. Nothing finishes, results vary. It sucks hardcore.

I’ve noticed a few things. First, it’s almost impossible to by vuln scanning software these days. Everyone wants to sell an appliance .As a consultant that doesn’t really work for me. I need to take the software with me on a laptop into a client site. An appliance makes the software basically useless.

So our Qualys box is out of the mix. Next we moved onto Nessus. Who doesn’t love Nessus? It’s not flashy but it gets the job done… right? Well no. It crashed. Over and over. It wouldn’t save state and if it crashed you had to restart.

Fuck.

Sure you say, do small bunches at once. Well this shouldn’t matter. It irked me that Nessus didn’t do the host management/scanning properly itself. Manually manging it is nuts. But worse, If you break scans into small bunches, you then have to merge all the results at the end.

Next I tried an old FS image. Well that can pause scans and resume them after a crash, but it’s had previous known issues. Further, it won’t finish. It’s hung at 99% done for days. I’ve checked and it’s still running scans and producing results but 99% for days.

I find it sad that a team of pen testers, some previously software developers, and all experienced with the tools can’t get them to work effectively.

As most of my friends know, I have a tendency to run late. Well I was running late the other day holding up my friend, Adam Pridgen. He was patiently waiting for me in the hotel lobby and started playing with the kiosk. I beleive the particular software is kiosksafe. I had ran into it before and knew that it did a fair job. The software not only remaps/intercepts kep strokes but it also appears to run some sort of rootkit. When a particular API is called — or possibly a window has a certain name, the software locks the site down. It’s most unfortunate.

I threw iKat at it for fun. I saw iKat at defcon and always wanted to give it a try. It did a fair job of crashing the hell out of the Kiosk but it gave me fairly limited results.

Everyone knows the typical file-menu type hacks trying to find something that opens up  the system in a somewhat clever manner. Those didn’t work, but Office had potential. So I decided to play. In the end, I got a fair amount of access with a Word doc.

First, change the default configuration paths for Word. This just makes sure Word opens up with high level access. I generally set it to C:\

The below screenshots show most of the process

Double click the icon and hopefully it works for you. cmd.exe sometimes has issues but IE, Windows Media Player, etc work a little better

Sample word doc provided shortly.

I had the opportunity to teach class at a University last week. It was an interesting experience. A friend of mine, Adam Pridgen, co lectured with me. The class was a senior level seminar type class on computer security. I wasn’t sure exactly what to expect going into the class, but I had done a previous intro to penetration testing so I updated that and went in.
The class started with an intro presentation by one of the students. It appears the students update the class with a somewhat recent security topic. In this case, it was a 5 minute overview of the uTorrent overflow. I was immediately nervous as I only had 10-15% of my slides at the in-depth exploitation/fuzzing level. I was worried that I would bore the class or not be able to speak with enough knowledge of particular exploits straight from memory. After the student got past the first slide or two, there were some contradictions and inaccuracies. The students didn’t jump on it so I figured I wasn’t in too much trouble.

Shortly there after, Adam and I were introduced and we went into our thing. We talked about some of the common mistakes that really enable attackers to compromise networks. We discussed some of the tools and techniques we used – giving examples of situations where we had used them. Unfortunately, I don’t think they really connected. The professor got into it, but not the students. Between a couple non-public bugs/attacks and the story of the power company CEO ignoring the out-briefing until I showed a screenshot of his email – I thought we were golden. But I guess such is the state of computer security education right now.

From MS:

Version: 3.0

This bulletin summary lists security bulletins released for October 2008.

With the release of the bulletins for October 2008, this bulletin summary replaces the bulletin advance notification originally issued October 9, 2008. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.

Microsoft is hosting a webcast to address customer questions on these bulletins on October 15, 2008, at 11:00 AM Pacific Time (US & Canada). Register now for the October Security Bulletin Webcast. After this date, this webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcasts.

For the out-of-band security bulletin added to Version 3.0 of this bulletin summary, Microsoft is hosting a webcast to address customer questions on October 23, 2008, at 1:00 PM Pacific Time (US & Canada). Register now for the Out-of-Band Security Bulletin Webcast. After this date, this webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcasts.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

Bulletin Information

Executive Summaries

The security bulletins for this month are as follows, in order of severity:

Critical (5)

Bulletin Identifier	Microsoft Security Bulletin MS08-067
Bulletin Title	Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Executive Summary	This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
Maximum Severity Rating	Critical
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-060
Bulletin Title	Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
Executive Summary	This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server. The vulnerability could allow remote code execution if an attacker gains access to an affected network. This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability.
Maximum Severity Rating	Critical
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-058
Bulletin Title	Cumulative Security Update for Internet Explorer (956390)
Executive Summary	This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. The vulnerabilities could allow information disclosure or remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum Severity Rating	Critical
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows, Internet Explorer. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-059
Bulletin Title	Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
Executive Summary	This security update resolves a privately reported vulnerability in Microsoft Host Integration Server. The vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights.
Maximum Severity Rating	Critical
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update may require a restart.
Affected Software	Microsoft Host Integration Server. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-057
Bulletin Title	Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)
Executive Summary	This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum Severity Rating	Critical
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update does not require a restart.
Affected Software	Microsoft Office. For more information, see the Affected Software and Download Locations section.

Top of section

Important (6)

Bulletin Identifier	Microsoft Security Bulletin MS08-066
Bulletin Title	Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
Executive Summary	This security update resolves a privately reported vulnerability in the Microsoft Ancillary Function Driver. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Maximum Severity Rating	Important
Impact of Vulnerability	Elevation of Privilege
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-061
Bulletin Title	Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
Executive Summary	This security update resolves one publicly disclosed and two privately reported vulnerabilities in the Windows kernel. A local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users.
Maximum Severity Rating	Important
Impact of Vulnerability	Elevation of Privilege
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-062
Bulletin Title	Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
Executive Summary	This update resolves a privately reported vulnerability in the Windows Internet Printing Service that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
Maximum Severity Rating	Important
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-063
Bulletin Title	Vulnerability in SMB Could Allow Remote Code Execution (957095)
Executive Summary	This security update resolves a privately reported vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights.
Maximum Severity Rating	Important
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-064
Bulletin Title	Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
Executive Summary	This security update resolves a privately reported vulnerability in Virtual Address Descriptor. The vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
Maximum Severity Rating	Important
Impact of Vulnerability	Elevation of Privilege
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-065
Bulletin Title	Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)
Executive Summary	This security update resolves a privately reported vulnerability in the Message Queuing Service (MSMQ) on Microsoft Windows 2000 systems. The vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled.
Maximum Severity Rating	Important
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Top of section

Moderate (1)

Bulletin Identifier	Microsoft Security Bulletin MS08-056
Bulletin Title	Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
Executive Summary	This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user clicks a specially crafted CDO URL. An attacker who successfully exploited this vulnerability could inject a client-side script in the user’s browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site.
Maximum Severity Rating	Moderate
Impact of Vulnerability	Information Disclosure
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update does not require a restart.
Affected Software	Microsoft Office. For more information, see the Affected Software and Download Locations section.

Top of section

Top of section

Exploitability Index

How do I use this table?

Use this table to learn about the likelihood of functioning exploit code to be released for each of the security updates that you may need to install. You should review each of the assessments below, in accordance with your specific configuration, in order to prioritize your deployment. For more information about what these ratings mean, and how they are determined, please see Microsoft Exploit Index.

Bulletin ID	Bulletin Title	CVE ID	Exploitability Index Assessment	Key Notes
MS08-056	Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)	CVE-2008-4020	2 - Inconsistent exploit code likely	Functioning exploit code could be created. However, the severity impact is limited as the vulnerability allows spoofing in a dialog in specific Web application scenarios only. As a result, this may get little attention from attackers.
MS08-057	Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)	CVE-2008-4019	1 - Consistent exploit code likely
MS08-057	Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)	CVE-2008-3471	2 - Inconsistent exploit code likely
MS08-057	Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)	CVE-2008-3477	2 - Inconsistent exploit code likely
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-2947	(Public at bulletin release)
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-3472	1 - Consistent exploit code likely
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-3473	1 - Consistent exploit code likely
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-3475	2 - Inconsistent exploit code likely
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-3474	3 - Functioning exploit code unlikely
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-3476	3 - Functioning exploit code unlikely
MS08-059	Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)	CVE-2008-3466	1 - Consistent exploit code likely	While only specific types of enterprise customers would likely install Host Integration Server, functioning exploit code is likely to be created.
MS08-060	Vulnerability in Active Directory Could Allow Remote Code Execution (957280)	CVE-2008-4023	2 - Inconsistent exploit code likely	Triggering the vulnerability to cause a denial of service condition is likely. However, creating functioning exploit code to leverage remote code execution is difficult due to not being able to control a needed write address.
MS08-061	Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)	CVE-2008-2250	1 - Consistent exploit code likely
MS08-061	Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)	CVE-2008-2252	1 - Consistent exploit code likely	Functioning exploit is most likely to be created for multiprocessor systems.
MS08-061	Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)	CVE-2008-2251	3 - Functioning exploit code unlikely	Triggering the vulnerability may be possible, but successful, functioning exploit code is very difficult to create.
MS08-062	Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)	CVE-2008-1446	1 - Consistent exploit code likely	Consistent exploit code has been discovered in limited, targeted attacks. While the Internet Printing Protocol (IPP) service is enabled by default, access to this service using IIS also requires authentication by default on all platforms.
MS08-063	Vulnerability in SMB Could Allow Remote Code Execution (957095)	CVE-2008-4038	2 - Inconsistent exploit code likely
MS08-064	Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)	CVE-2008-4036	2 - Inconsistent exploit code likely
MS08-065	Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)	CVE-2008-3479	3 - Functioning exploit code unlikely	While information disclosure might be possible, obtaining useful content from memory is not always possible. The memory corruption issue can be triggered, but remote code execution is difficult to gain.
MS08-066	Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)	CVE-2008-3464	1 - Consistent exploit code likely
MS08-067	Vulnerability in Server Service Could Allow Remote Code Execution (958644)	CVE-2008-4250	1 - Consistent exploit code likely	Consistent exploit code has been discovered in limited, targeted attacks, affecting Windows XP and Windows Server 2003. While this service is enabled by default on all affected platforms, exploitation is most likely on Microsoft Windows 2000, Windows XP, and Windows Server 2003. Default installations of Windows Vista and Windows Server 2008 require authentication due to protections introduced as part of UAC that enforce additional levels of integrity. This protection is in place even if the UAC prompt is disabled. Even after authentication, ASLR and DEP enhancements will present obstacles to exploitation.

Top of section

Affected Software and Download Locations

How do I use this table?

Use this table to learn about the security updates that you may need to install. You should review each software program or component listed to see whether any security updates are required. If a software program or component is listed, then the available software update is hyperlinked and the severity rating of the software update is also listed.

Note You may have to install several security updates for a single vulnerability. Review the whole column for each bulletin identifier that is listed to verify the updates that you have to install, based on the programs or components that you have installed on your system.

Windows Operating System and Components

Microsoft Windows 2000
Bulletin Identifier	MS08-067	MS08-060	MS08-058	MS08-066	MS08-061	MS08-062	MS08-063	MS08-064	MS08-065
Bulletin Maximum Severity Rating	Critical	Critical	Critical	Important	Important	Important	Important	Important	Important
Microsoft Windows 2000 Service Pack 4	Microsoft Windows 2000 Service Pack 4 (Critical)	Active Directory on Microsoft Windows 2000 Server Service Pack 4 (Critical)	Microsoft Internet Explorer 5.01 Service Pack 4 (Critical) Microsoft Internet Explorer 6 Service Pack 1 (Critical)	Not applicable	Microsoft Windows 2000 Service Pack 4 (Important)	Microsoft Windows 2000 Service Pack 4 (Important)	Microsoft Windows 2000 Service Pack 4 (Important)	Not applicable	Microsoft Windows 2000 Service Pack 4 (Important)
Windows XP
Bulletin Identifier	MS08-067	MS08-060	MS08-058	MS08-066	MS08-061	MS08-062	MS08-063	MS08-064	MS08-065
Bulletin Maximum Severity Rating	Critical	Critical	Critical	Important	Important	Important	Important	Important	Important
Windows XP Service Pack 2 and Windows XP Service Pack 3	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Critical)	Not applicable	Microsoft Internet Explorer 6 (Critical) Windows Internet Explorer 7 (Important)	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Important)	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Important)	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Important)	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Important)	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Important)	Not applicable
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Critical)	Not applicable	Microsoft Internet Explorer 6 (Critical) Windows Internet Explorer 7 (Important)	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Important)	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Important)	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Important)	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Important)	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Important)	Not applicable
Windows Server 2003
Bulletin Identifier	MS08-067	MS08-060	MS08-058	MS08-066	MS08-061	MS08-062	MS08-063	MS08-064	MS08-065
Bulletin Maximum Severity Rating	Critical	Critical	Critical	Important	Important	Important	Important	Important	Important
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Critical)	Not applicable	Microsoft Internet Explorer 6 (Moderate) Windows Internet Explorer 7 (Low)	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Important)	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Important)	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Important)	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Important)	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Important)	Not applicable
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Critical)	Not applicable	Microsoft Internet Explorer 6 (Moderate) Windows Internet Explorer 7 (Low)	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Important)	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Important)	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Important)	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Important)	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Important)	Not applicable
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Critical)	Not applicable	Microsoft Internet Explorer 6 (Moderate) Windows Internet Explorer 7 (Low)	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Important)	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Important)	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Important)	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Important)	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Important)	Not applicable
Windows Vista
Bulletin Identifier	MS08-067	MS08-060	MS08-058	MS08-066	MS08-061	MS08-062	MS08-063	MS08-064	MS08-065
Bulletin Maximum Severity Rating	Critical	Critical	Critical	Important	Important	Important	Important	Important	Important
Windows Vista and Windows Vista Service Pack 1	Windows Vista and Windows Vista Service Pack 1 (Important)	Not applicable	Windows Internet Explorer 7 (Important)	Not applicable	Windows Vista and Windows Vista Service Pack 1 (Important)	Windows Vista and Windows Vista Service Pack 1 (No severity rating)	Windows Vista and Windows Vista Service Pack 1 (Important)	Windows Vista and Windows Vista Service Pack 1 (Important)	Not applicable
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1	Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (Important)	Not applicable	Windows Internet Explorer 7 (Important)	Not applicable	Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (Important)	Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (No severity rating)	Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (Important)	Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (Important)	Not applicable
Windows Server 2008
Bulletin Identifier	MS08-067	MS08-060	MS08-058	MS08-066	MS08-061	MS08-062	MS08-063	MS08-064	MS08-065
Bulletin Maximum Severity Rating	Critical	Critical	Critical	Important	Important	Important	Important	Important	Important
Windows Server 2008 for 32-bit Systems	Windows Server 2008 for 32-bit Systems* (Important)	Not applicable	Windows Internet Explorer 7** (Low)	Not applicable	Windows Server 2008 for 32-bit Systems* (Important)	Windows Server 2008 for 32-bit Systems* (Important)	Windows Server 2008 for 32-bit Systems* (Important)	Windows Server 2008 for 32-bit Systems* (Important)	Not applicable
Windows Server 2008 for x64-based Systems	Windows Server 2008 for x64-based Systems* (Important)	Not applicable	Windows Internet Explorer 7** (Low)	Not applicable	Windows Server 2008 for x64-based Systems* (Important)	Windows Server 2008 for x64-based Systems* (Important)	Windows Server 2008 for x64-based Systems* (Important)	Windows Server 2008 for x64-based Systems* (Important)	Not applicable
Windows Server 2008 for Itanium-based Systems	Windows Server 2008 for Itanium-based Systems (Important)	Not applicable	Windows Internet Explorer 7 (Low)	Not applicable	Windows Server 2008 for Itanium-based Systems (Important)	Windows Server 2008 for Itanium-based Systems (No severity rating)	Windows Server 2008 for Itanium-based Systems (Important)	Windows Server 2008 for Itanium-based Systems (Important)	Not applicable

*Windows Server 2008 server core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

**Windows Server 2008 server core installation not affected. The vulnerabilities addressed by these updates do not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

Top of section

Microsoft Office Suites and Software

Microsoft Office Suites, Systems, and Components
Bulletin Identifier	MS08-057	MS08-056
Bulletin Maximum Severity Rating	Critical	Moderate
Microsoft Office 2000 Service Pack 3	Excel 2000 Service Pack 3 (KB955461) (Critical)	Not applicable
Microsoft Office XP Service Pack 3	Excel 2002 Service Pack 3 (KB955464) (Important)	Microsoft Office XP Service Pack 3 (KB956464) (Moderate)
Microsoft Office 2003 Service Pack 2 and Microsoft Office 2003 Service Pack 3	Excel 2003 Service Pack 2 (KB955466) (Important) Excel 2003 Service Pack 3 (KB955466) (Important)	Not applicable
2007 Microsoft Office System and 2007 Microsoft Office System Service Pack 1	Excel 2007 (KB955470) (Important) Excel 2007 Service Pack 1 (KB955470) (Important)	Not applicable
Microsoft Office for Mac
Bulletin Identifier	MS08-057	MS08-056
Bulletin Maximum Severity Rating	Critical	Moderate
Microsoft Office 2004 for Mac	Microsoft Office 2004 for Mac (KB958312) (Important)	Not applicable
Microsoft Office 2008 for Mac	Microsoft Office 2008 for Mac (KB958267) (Important)	Not applicable
Open XML File Format Converter for Mac	Open XML File Format Converter for Mac (KB958304) (Important)	Not applicable
Other Office Software
Bulletin Identifier	MS08-057	MS08-056
Bulletin Maximum Severity Rating	Critical	Moderate
Microsoft Office Excel Viewer	Microsoft Office Excel Viewer 2003 (KB955468) (Important) Microsoft Office Excel Viewer 2003 Service Pack 3 (KB955468) (Important) Microsoft Office Excel Viewer (KB955935) (Important)	Not applicable
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats	Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats (KB955936) (Important) Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 (KB955936) (Important)	Not applicable
Microsoft Office SharePoint Server 2007	Microsoft Office SharePoint Server 2007* (KB955937) (Important) Microsoft Office SharePoint Server 2007 Service Pack 1* (KB955937) (Important) Microsoft Office SharePoint Server 2007 x64 Edition* (KB955937) (Important) Microsoft Office SharePoint Server 2007 x64 Edition Service Pack 1* (KB955937) (Important)	Not applicable

*This update applies to servers that have Excel Services installed, such as the default configuration of Microsoft Office SharePoint Server 2007 Enterprise and Microsoft Office SharePoint Server 2007 For Internet Sites. Microsoft Office SharePoint Server 2007 Standard does not include Excel Services.

Top of section

Microsoft Server Software

Microsoft Host Integration Server
Bulletin Identifier	MS08-059
Bulletin Maximum Severity Rating	Critical
Microsoft Host Integration Server 2000	Microsoft Host Integration Server 2000 Service Pack 2 (Server) (Critical) Microsoft Host Integration Server 2000 Administrator Client (Critical)
Microsoft Host Integration Server 2004	Microsoft Host Integration Server 2004 (Server) (Critical) Microsoft Host Integration Server 2004 Service Pack 1 (Server) (Critical) Microsoft Host Integration Server 2004 (Client) (Critical) Microsoft Host Integration Server 2004 Service Pack 1 (Client) (Critical)
Microsoft Host Integration Server 2006	Microsoft Host Integration Server 2006 for 32-bit Systems (Critical) Microsoft Host Integration Server 2006 for x64-based Systems (Critical)

Top of section

Top of section

Detection and Deployment Tools and Guidance

Security Central

Manage the software and security updates you need to deploy to the servers, desktop, and mobile computers in your organization. For more information see the TechNet Update Management Center. The TechNet Security Center provides additional information about security in Microsoft products. Consumers can visit Security At Home, where this information is also available by clicking “Latest Security Updates”.

Security updates are available from