October « 2008 « cyberwart

Archive for October, 2008

MS08-067 Update

Thursday, October 23rd, 2008

From MS:

Published: October 14, 2008 | Updated: October 23, 2008

Version: 3.0

This bulletin summary lists security bulletins released for October 2008.

With the release of the bulletins for October 2008, this bulletin summary replaces the bulletin advance notification originally issued October 9, 2008. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.

Microsoft is hosting a webcast to address customer questions on these bulletins on October 15, 2008, at 11:00 AM Pacific Time (US & Canada). Register now for the October Security Bulletin Webcast. After this date, this webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcasts.

For the out-of-band security bulletin added to Version 3.0 of this bulletin summary, Microsoft is hosting a webcast to address customer questions on October 23, 2008, at 1:00 PM Pacific Time (US & Canada). Register now for the Out-of-Band Security Bulletin Webcast. After this date, this webcast is available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcasts.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

Bulletin Information

Executive Summaries

The security bulletins for this month are as follows, in order of severity:

Critical (5)

Bulletin Identifier	Microsoft Security Bulletin MS08-067
Bulletin Title	Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Executive Summary	This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
Maximum Severity Rating	Critical
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-060
Bulletin Title	Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
Executive Summary	This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server. The vulnerability could allow remote code execution if an attacker gains access to an affected network. This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability.
Maximum Severity Rating	Critical
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-058
Bulletin Title	Cumulative Security Update for Internet Explorer (956390)
Executive Summary	This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. The vulnerabilities could allow information disclosure or remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum Severity Rating	Critical
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows, Internet Explorer. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-059
Bulletin Title	Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
Executive Summary	This security update resolves a privately reported vulnerability in Microsoft Host Integration Server. The vulnerability could allow remote code execution if an attacker sent a specially crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights.
Maximum Severity Rating	Critical
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update may require a restart.
Affected Software	Microsoft Host Integration Server. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-057
Bulletin Title	Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)
Executive Summary	This security update resolves three privately reported vulnerabilities in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum Severity Rating	Critical
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update does not require a restart.
Affected Software	Microsoft Office. For more information, see the Affected Software and Download Locations section.

Top of section

Important (6)

Bulletin Identifier	Microsoft Security Bulletin MS08-066
Bulletin Title	Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
Executive Summary	This security update resolves a privately reported vulnerability in the Microsoft Ancillary Function Driver. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Maximum Severity Rating	Important
Impact of Vulnerability	Elevation of Privilege
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-061
Bulletin Title	Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
Executive Summary	This security update resolves one publicly disclosed and two privately reported vulnerabilities in the Windows kernel. A local attacker who successfully exploited these vulnerabilities could take complete control of an affected system. The vulnerabilities could not be exploited remotely or by anonymous users.
Maximum Severity Rating	Important
Impact of Vulnerability	Elevation of Privilege
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-062
Bulletin Title	Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
Executive Summary	This update resolves a privately reported vulnerability in the Windows Internet Printing Service that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
Maximum Severity Rating	Important
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-063
Bulletin Title	Vulnerability in SMB Could Allow Remote Code Execution (957095)
Executive Summary	This security update resolves a privately reported vulnerability in Microsoft Server Message Block (SMB) Protocol. The vulnerability could allow remote code execution on a server that is sharing files or folders. An attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights.
Maximum Severity Rating	Important
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-064
Bulletin Title	Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
Executive Summary	This security update resolves a privately reported vulnerability in Virtual Address Descriptor. The vulnerability could allow elevation of privilege if a user runs a specially crafted application. An authenticated attacker who successfully exploited this vulnerability could gain elevation of privilege on an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
Maximum Severity Rating	Important
Impact of Vulnerability	Elevation of Privilege
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Bulletin Identifier	Microsoft Security Bulletin MS08-065
Bulletin Title	Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)
Executive Summary	This security update resolves a privately reported vulnerability in the Message Queuing Service (MSMQ) on Microsoft Windows 2000 systems. The vulnerability could allow remote code execution on Microsoft Windows 2000 systems with the MSMQ service enabled.
Maximum Severity Rating	Important
Impact of Vulnerability	Remote Code Execution
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update requires a restart.
Affected Software	Microsoft Windows. For more information, see the Affected Software and Download Locations section.

Top of section

Moderate (1)

Bulletin Identifier	Microsoft Security Bulletin MS08-056
Bulletin Title	Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
Executive Summary	This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow information disclosure if a user clicks a specially crafted CDO URL. An attacker who successfully exploited this vulnerability could inject a client-side script in the user’s browser that could spoof content, disclose information, or take any action that the user could take on the affected Web site.
Maximum Severity Rating	Moderate
Impact of Vulnerability	Information Disclosure
Detection	Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. The update does not require a restart.
Affected Software	Microsoft Office. For more information, see the Affected Software and Download Locations section.

Top of section

Exploitability Index

Bulletin ID	Bulletin Title	CVE ID	Exploitability Index Assessment	Key Notes
MS08-056	Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)	CVE-2008-4020	2 – Inconsistent exploit code likely	Functioning exploit code could be created. However, the severity impact is limited as the vulnerability allows spoofing in a dialog in specific Web application scenarios only. As a result, this may get little attention from attackers.
MS08-057	Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)	CVE-2008-4019	1 – Consistent exploit code likely
MS08-057	Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)	CVE-2008-3471	2 – Inconsistent exploit code likely
MS08-057	Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)	CVE-2008-3477	2 – Inconsistent exploit code likely
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-2947	(Public at bulletin release)
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-3472	1 – Consistent exploit code likely
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-3473	1 – Consistent exploit code likely
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-3475	2 – Inconsistent exploit code likely
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-3474	3 – Functioning exploit code unlikely
MS08-058	Cumulative Security Update for Internet Explorer (956390)	CVE-2008-3476	3 – Functioning exploit code unlikely
MS08-059	Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)	CVE-2008-3466	1 – Consistent exploit code likely	While only specific types of enterprise customers would likely install Host Integration Server, functioning exploit code is likely to be created.
MS08-060	Vulnerability in Active Directory Could Allow Remote Code Execution (957280)	CVE-2008-4023	2 – Inconsistent exploit code likely	Triggering the vulnerability to cause a denial of service condition is likely. However, creating functioning exploit code to leverage remote code execution is difficult due to not being able to control a needed write address.
MS08-061	Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)	CVE-2008-2250	1 – Consistent exploit code likely
MS08-061	Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)	CVE-2008-2252	1 – Consistent exploit code likely	Functioning exploit is most likely to be created for multiprocessor systems.
MS08-061	Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)	CVE-2008-2251	3 – Functioning exploit code unlikely	Triggering the vulnerability may be possible, but successful, functioning exploit code is very difficult to create.
MS08-062	Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)	CVE-2008-1446	1 – Consistent exploit code likely	Consistent exploit code has been discovered in limited, targeted attacks. While the Internet Printing Protocol (IPP) service is enabled by default, access to this service using IIS also requires authentication by default on all platforms.
MS08-063	Vulnerability in SMB Could Allow Remote Code Execution (957095)	CVE-2008-4038	2 – Inconsistent exploit code likely
MS08-064	Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)	CVE-2008-4036	2 – Inconsistent exploit code likely
MS08-065	Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)	CVE-2008-3479	3 – Functioning exploit code unlikely	While information disclosure might be possible, obtaining useful content from memory is not always possible. The memory corruption issue can be triggered, but remote code execution is difficult to gain.
MS08-066	Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)	CVE-2008-3464	1 – Consistent exploit code likely
MS08-067	Vulnerability in Server Service Could Allow Remote Code Execution (958644)	CVE-2008-4250	1 – Consistent exploit code likely	Consistent exploit code has been discovered in limited, targeted attacks, affecting Windows XP and Windows Server 2003. While this service is enabled by default on all affected platforms, exploitation is most likely on Microsoft Windows 2000, Windows XP, and Windows Server 2003. Default installations of Windows Vista and Windows Server 2008 require authentication due to protections introduced as part of UAC that enforce additional levels of integrity. This protection is in place even if the UAC prompt is disabled. Even after authentication, ASLR and DEP enhancements will present obstacles to exploitation.

Affected Software and Download Locations

Microsoft Windows 2000
Bulletin Identifier	MS08-067	MS08-060	MS08-058	MS08-066	MS08-061	MS08-062	MS08-063	MS08-064	MS08-065
Bulletin Maximum Severity Rating	Critical	Critical	Critical	Important	Important	Important	Important	Important	Important
Microsoft Windows 2000 Service Pack 4	Microsoft Windows 2000 Service Pack 4 (Critical)	Active Directory on Microsoft Windows 2000 Server Service Pack 4 (Critical)	Microsoft Internet Explorer 5.01 Service Pack 4 (Critical) Microsoft Internet Explorer 6 Service Pack 1 (Critical)	Not applicable	Microsoft Windows 2000 Service Pack 4 (Important)	Microsoft Windows 2000 Service Pack 4 (Important)	Microsoft Windows 2000 Service Pack 4 (Important)	Not applicable	Microsoft Windows 2000 Service Pack 4 (Important)
Windows XP
Bulletin Identifier	MS08-067	MS08-060	MS08-058	MS08-066	MS08-061	MS08-062	MS08-063	MS08-064	MS08-065
Bulletin Maximum Severity Rating	Critical	Critical	Critical	Important	Important	Important	Important	Important	Important
Windows XP Service Pack 2 and Windows XP Service Pack 3	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Critical)	Not applicable	Microsoft Internet Explorer 6 (Critical) Windows Internet Explorer 7 (Important)	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Important)	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Important)	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Important)	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Important)	Windows XP Service Pack 2 and Windows XP Service Pack 3 (Important)	Not applicable
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Critical)	Not applicable	Microsoft Internet Explorer 6 (Critical) Windows Internet Explorer 7 (Important)	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Important)	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Important)	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Important)	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Important)	Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Important)	Not applicable
Windows Server 2003
Bulletin Identifier	MS08-067	MS08-060	MS08-058	MS08-066	MS08-061	MS08-062	MS08-063	MS08-064	MS08-065
Bulletin Maximum Severity Rating	Critical	Critical	Critical	Important	Important	Important	Important	Important	Important
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Critical)	Not applicable	Microsoft Internet Explorer 6 (Moderate) Windows Internet Explorer 7 (Low)	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Important)	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Important)	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Important)	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Important)	Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Important)	Not applicable
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Critical)	Not applicable	Microsoft Internet Explorer 6 (Moderate) Windows Internet Explorer 7 (Low)	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Important)	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Important)	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Important)	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Important)	Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Important)	Not applicable
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Critical)	Not applicable	Microsoft Internet Explorer 6 (Moderate) Windows Internet Explorer 7 (Low)	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Important)	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Important)	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Important)	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Important)	Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Important)	Not applicable
Windows Vista
Bulletin Identifier	MS08-067	MS08-060	MS08-058	MS08-066	MS08-061	MS08-062	MS08-063	MS08-064	MS08-065
Bulletin Maximum Severity Rating	Critical	Critical	Critical	Important	Important	Important	Important	Important	Important
Windows Vista and Windows Vista Service Pack 1	Windows Vista and Windows Vista Service Pack 1 (Important)	Not applicable	Windows Internet Explorer 7 (Important)	Not applicable	Windows Vista and Windows Vista Service Pack 1 (Important)	Windows Vista and Windows Vista Service Pack 1 (No severity rating)	Windows Vista and Windows Vista Service Pack 1 (Important)	Windows Vista and Windows Vista Service Pack 1 (Important)	Not applicable
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1	Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (Important)	Not applicable	Windows Internet Explorer 7 (Important)	Not applicable	Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (Important)	Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (No severity rating)	Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (Important)	Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (Important)	Not applicable
Windows Server 2008
Bulletin Identifier	MS08-067	MS08-060	MS08-058	MS08-066	MS08-061	MS08-062	MS08-063	MS08-064	MS08-065
Bulletin Maximum Severity Rating	Critical	Critical	Critical	Important	Important	Important	Important	Important	Important
Windows Server 2008 for 32-bit Systems	Windows Server 2008 for 32-bit Systems* (Important)	Not applicable	Windows Internet Explorer 7** (Low)	Not applicable	Windows Server 2008 for 32-bit Systems* (Important)	Windows Server 2008 for 32-bit Systems* (Important)	Windows Server 2008 for 32-bit Systems* (Important)	Windows Server 2008 for 32-bit Systems* (Important)	Not applicable
Windows Server 2008 for x64-based Systems	Windows Server 2008 for x64-based Systems* (Important)	Not applicable	Windows Internet Explorer 7** (Low)	Not applicable	Windows Server 2008 for x64-based Systems* (Important)	Windows Server 2008 for x64-based Systems* (Important)	Windows Server 2008 for x64-based Systems* (Important)	Windows Server 2008 for x64-based Systems* (Important)	Not applicable
Windows Server 2008 for Itanium-based Systems	Windows Server 2008 for Itanium-based Systems (Important)	Not applicable	Windows Internet Explorer 7 (Low)	Not applicable	Windows Server 2008 for Itanium-based Systems (Important)	Windows Server 2008 for Itanium-based Systems (No severity rating)	Windows Server 2008 for Itanium-based Systems (Important)	Windows Server 2008 for Itanium-based Systems (Important)	Not applicable

Microsoft Office Suites, Systems, and Components
Bulletin Identifier	MS08-057	MS08-056
Bulletin Maximum Severity Rating	Critical	Moderate
Microsoft Office 2000 Service Pack 3	Excel 2000 Service Pack 3 (KB955461) (Critical)	Not applicable
Microsoft Office XP Service Pack 3	Excel 2002 Service Pack 3 (KB955464) (Important)	Microsoft Office XP Service Pack 3 (KB956464) (Moderate)
Microsoft Office 2003 Service Pack 2 and Microsoft Office 2003 Service Pack 3	Excel 2003 Service Pack 2 (KB955466) (Important) Excel 2003 Service Pack 3 (KB955466) (Important)	Not applicable
2007 Microsoft Office System and 2007 Microsoft Office System Service Pack 1	Excel 2007 (KB955470) (Important) Excel 2007 Service Pack 1 (KB955470) (Important)	Not applicable
Microsoft Office for Mac
Bulletin Identifier	MS08-057	MS08-056
Bulletin Maximum Severity Rating	Critical	Moderate
Microsoft Office 2004 for Mac	Microsoft Office 2004 for Mac (KB958312) (Important)	Not applicable
Microsoft Office 2008 for Mac	Microsoft Office 2008 for Mac (KB958267) (Important)	Not applicable
Open XML File Format Converter for Mac	Open XML File Format Converter for Mac (KB958304) (Important)	Not applicable
Other Office Software
Bulletin Identifier	MS08-057	MS08-056
Bulletin Maximum Severity Rating	Critical	Moderate
Microsoft Office Excel Viewer	Microsoft Office Excel Viewer 2003 (KB955468) (Important) Microsoft Office Excel Viewer 2003 Service Pack 3 (KB955468) (Important) Microsoft Office Excel Viewer (KB955935) (Important)	Not applicable
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats	Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats (KB955936) (Important) Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 (KB955936) (Important)	Not applicable
Microsoft Office SharePoint Server 2007	Microsoft Office SharePoint Server 2007* (KB955937) (Important) Microsoft Office SharePoint Server 2007 Service Pack 1* (KB955937) (Important) Microsoft Office SharePoint Server 2007 x64 Edition* (KB955937) (Important) Microsoft Office SharePoint Server 2007 x64 Edition Service Pack 1* (KB955937) (Important)	Not applicable

Microsoft Host Integration Server
Bulletin Identifier	MS08-059
Bulletin Maximum Severity Rating	Critical
Microsoft Host Integration Server 2000	Microsoft Host Integration Server 2000 Service Pack 2 (Server) (Critical) Microsoft Host Integration Server 2000 Administrator Client (Critical)
Microsoft Host Integration Server 2004	Microsoft Host Integration Server 2004 (Server) (Critical) Microsoft Host Integration Server 2004 Service Pack 1 (Server) (Critical) Microsoft Host Integration Server 2004 (Client) (Critical) Microsoft Host Integration Server 2004 Service Pack 1 (Client) (Critical)
Microsoft Host Integration Server 2006	Microsoft Host Integration Server 2006 for 32-bit Systems (Critical) Microsoft Host Integration Server 2006 for x64-based Systems (Critical)

Detection and Deployment Tools and Guidance

Security Central

Manage the software and security updates you need to deploy to the servers, desktop, and mobile computers in your organization. For more information see the TechNet Update Management Center. The TechNet Security Center provides additional information about security in Microsoft products. Consumers can visit Security At Home, where this information is also available by clicking “Latest Security Updates”.

Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available at the Microsoft Download Center. You can find them most easily by doing a keyword search for “security update”.

Finally, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as, “MS07-036”), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.

Detection and Deployment Guidance

Microsoft has provided detection and deployment guidance for this month’s security updates. This guidance will also help IT professionals understand how they can use various tools to help deploy the security update, such as Windows Update, Microsoft Update, Office Update, the Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool, Microsoft Systems Management Server (SMS), and the Extended Security Update Inventory Tool (ESUIT). For more information, see Microsoft Knowledge Base Article 910723.

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

Windows Server Update Services

By using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 to Windows 2000 and later operating systems.

For more information about how to deploy this security update using Windows Server Update Services, visit Windows Server Update Services.

Systems Management Server

Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and to perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. The next release of SMS, System Center Configuration Manager 2007, is now available; see also System Center Configuration Manager 2007. For more information about how administrators can use SMS 2003 to deploy security updates, see SMS 2003 Security Patch Management. SMS 2.0 users can also use the Software Updates Services Feature Pack to help deploy security updates. For information about SMS, visit Microsoft Systems Management Server.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, see Deploying Software Updates Using the SMS Software Distribution Feature. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.

Update Compatibility Evaluator and Application Compatibility Toolkit

Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the Update Compatibility Evaluator components included with Application Compatibility Toolkit 5.0.

The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Microsoft Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment.

Top of section

Other Information

Microsoft Windows Malicious Software Removal Tool

Microsoft has released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Top of section

Non-Security, High-Priority Updates on MU, WU, and WSUS

For information about non-security releases on Windows Update and Microsoft update, please see:

•	Microsoft Knowledge Base Article 894199: Description of Software Update Services and Windows Server Update Services changes in content for 2008. Includes all Windows content.
•	New, Revised, and Released Updates for Microsoft Products Other Than Microsoft Windows.

Top of section

Security Strategies and Community

Update Management Strategies

Security Guidance for Update Management provides additional information about Microsoft’s best-practice recommendations for applying security updates.

Obtaining Other Security Updates

Updates for other security issues are available from the following locations:

•	Security updates are available from Microsoft Download Center. You can find them most easily by doing a keyword search for “security update”.
•	Updates for consumer platforms are available from Microsoft Update.
•	You can obtain the security updates offered this month on Windows Update, from Download Center on Security and Critical Releases ISO CD Image files. For more information, see Microsoft Knowledge Base Article 913086.

IT Pro Security Community

Learn to improve security and optimize your IT infrastructure, and participate with other IT Pros on security topics in IT Pro Security Community.

Top of section

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

•	NetAgent Co., Ltd. for reporting an issue described in MS08-056
•	Joshua J. Drake of iDefense for reporting an issue described in MS08-057
•	Wushi, working with TippingPoint and the Zero Day Initiative, for reporting an issue described in MS08-057
•	Lionel d’Hauenens of Labo Skopia, working with the iDefense VCP, for reporting an issue described in MS08-057
•	David Bloom for reporting an issue described in MS08-058
•	Gregory Rubin for reporting an issue described in MS08-058
•	Ivan Fratric, working with TippingPoint and the Zero Day Initiative, for reporting an issue described in MS08-058
•	Thierry Zoller of n.runs for reporting an issue described in MS08-058
•	Lee Dagon of Composica for reporting an issue described in MS08-058
•	Stephen Fewer of Harmony Security, working with iDefense VCP, for reporting an issue described in MS08-059
•	Paul Miseiko of nCircle for reporting an issue described in MS08-060
•	Paul Caton of iShadow for reporting an issue described in MS08-061
•	Thomas Garnier of SkyRecon for reporting an issue described in MS08-061
•	CERT/CC for reporting an issue described in MS08-062
•	Joshua Morin of Codenomicon for reporting an issue described in MS08-063
•	Cody Pierce and Aaron Portnoy of TippingPoint DVLabs for reporting an issue described in MS08-065
•	Fabien Le Mentec of SkyRecon for reporting an issue described in MS08-066

Top of section

Support

•	The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
•	Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
•	International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.

Top of section

Disclaimer

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Top of section

Revisions

•	V1.0 (October 14, 2008): Bulletin summary published.
•	V2.0 (October 15, 2008): Removed the severity rating for Windows Server 2008 for Itanium-based Systems (MS08-062).
•	V2.1 (October 16, 2008): Updated the Executive Summary for Microsoft Security Bulletin MS08-062.
•	V3.0 (October 23, 2008): Added Microsoft Security Bulletin MS08-067, Vulnerability in Server Service Could Allow Remote Code Execution (958644). Also added the bulletin webcast link for this out-of-band security bulletin.

Posted in | No Comments »

Anyone have any info?

Thursday, October 23rd, 2008

There’s a lot of news going on related to MS08-067. From what I’ve seen it’s an exploit from the wild against MS Server Service over RPC. The Post has a decent write up: http://voices.washingtonpost.com/securityfix/2008/10/microsoft_to_issue_emergency_s_1.html

Please post comments if anyone knows anything more…

Posted in | No Comments »

In the news…

Thursday, October 23rd, 2008

bin Laden hacked?

Posted: 01:03 PM ET

Permalink |

Add a comment

‘Al-Ekhlass’ A website where many of al Qaeda’s jihadist messages are posted has been hacked and replaced with joker.com

Octavia Nasr | BIO
CNN senior editor for Arab affairs

A hacking war is raging on Jihadi websites. Radical Islamist sites have been attacking and getting attacked for quite some time. The website hacking practice was common in 2001 and 2002… Following the 9/11 attacks when al Qaeda used only one website to communicate its messages to supporters and foes alike. That website was called alneda.com. It was getting constantly hacked… sometimes several hackings a day. After every hacking the site managed to resurface on the net until it disappeared from the scene in 2004 to be replaced by other websites — What started as one al Qaeda-linked site mushroomed into dozens which branched out into hundreds of supporting sites that serve as dissemination centers over the internet.

Two well-known al Qaeda-linked sites are Al-Hesbah and Al-Ekhlaas. Al-Hesbah is the oldest and requires a username and password to access it. Its membership was open to the public in 2004 but became restricted over the years. This site became known as the first venue for uploaded al Qaeda messages — from Osama bin Laden video messages to statements and claims of responsibilities for attacks carried out in Afghanistan, Iraq or even Europe. Al-Ekhlaas followed with a sleeker image, and more technical bells and whistles.

The hacking war works both ways.
There are documented cases of extremist groups hacking into local websites that disagree with their messages. One case that drew the attention of western media took place about a month ago when a Sunni group hacked into the site of Shiite Iraqi Cleric Grand Ayatollah Ali al-Sistani. The group posted a Bill Maher clip making fun of an edict the cleric had made concerning a sexual subject. The group’s claim was that the cleric and his edicts are bringing shame to Islam and giving a good reason for the west to laugh at the Islamic religion.

Shortly before September of 2008, al Qaeda watchers started speculating about the next al Qaeda message which they expected to be released around the 9/11 anniversary — a practice al Qaeda and its video arm, As-Sahab, have been consistent about. The message never came partly because those websites were hacked into and completely disabled at times.

Today Al-Ekhlaas is off line, hacked into by joker.com. Trying to go to their site, you get a message saying that “this domain was registered with Joker.com.” Try it for yourself.

Al-Hesbah and a few other al Qaeda-linked sites remain in operation, not because they escaped hacking, but because they manage to resurrect themselves under different names and continue to post messages mainly from al Qaeda enthusiasts. So the drop in al Qaeda-released videos is evident, the lack of messages from al Qaeda leadership is obvious. What is not obvious is whether al Qaeda has decided to slow down production and release of videos or the hacking is so severe and pointed that it paralyzed the media activity of the terror group.

Posted in | No Comments »

Vulnerability Disclosure

Monday, October 20th, 2008

Recently I was visiting the website of a company that I do business with. Somewhere in the mix, I went from their website to another website while managing my account. I found this a little odd so I investigated. In the end, I found a vulnerability in the system that definitely ought to be reported. It’s one of those things where a criminal could make lots of money from and where my data could be stolen. While the “hack” is simple and fairly benign, given the sensitivity of the matter I can’t properly report the vulnerability.

I think it’s amusing. If I report the vuln I could be reported as a criminal. However, my motive is to protect my data and to keep the criminals out. But because of the system, we’re in a paradox. Personally, this is why I’m a moral relativist rather than Kantian.

Posted in | No Comments »

Free Ringtones

Monday, October 13th, 2008

Posted in | No Comments »

Lovely “feature”….

Friday, October 10th, 2008

http://www.dc101.com/cc-common/ringtones/?url=http%3A%2F%2Fwww.cyberwart.com/?

Posted in | No Comments »

News of the Day

Tuesday, October 7th, 2008

http://www.nextgov.com/nextgov/ng_20081007_1366.php

Air Force pursues Cyber Command again
By Bob Brewin, bbrewin@govexec.com 10/07/08
Top Air Force leadership has decided to pursue forming Cyber Command to defend Defense Department networks and to launch cyberattacks against foes after putting the project on hold in August.

Comment on this article in The Forum.The service’s leadership, including Air Force Secretary Michael Donley and Chief of Staff Gen. Norton Schwartz, made the decision last week at the Corona senior leadership conference in Colorado Springs, Colo., to continue its effort to stand up the command, said Capt. Michael Andrews, an Air Force spokesman.

The service put Cyber Command on hold in August, saying it wanted to delay the program until new senior Air Force leaders, including Schwartz, had time to make a final decision on the scope and mission of the command. Last month, sources said the Pentagon decided that the U.S. Strategic Command in Omaha, Neb., should create and run a joint Cyber Command, a move that seemingly dashed any hopes the Air Force had to own Defense’s cyber responsibilities.

In May, Deputy Secretary of Defense Gordon England wrote in a memo, “Because all the combatant commands, military departments and other defense components need the ability to work unhindered in cyberspace, the domain does not fall within the purview of any particular department or component.”

The service originally had decided to establish the Cyber Command as a separate unit within Air Force Space Command, and during the Corona conference, leadership “discussed how the Air Force will continue to develop capabilities in this new domain and train personnel to execute this new mission.”

“The conduct of cyber operations is a complex issue, as [Defense] and other interagency partners have substantial equity in the cyber arena,” Donley said. “We will continue to do our part to increase Air Force cyber capabilities and institutionalize our cyber mission.”

Andrews said the Air Force will provide more details on the Cyber Command later in October after discussions with Pentagon and congressional leadership.

http://news.cnet.com/8301-13578_3-10059987-38.html?part=rss&subj=news&tag=2547-1_3-0-20

The most extensive government report to date on whether terrorists can be identified through data mining has yielded an important conclusion: It doesn’t really work.

A National Research Council report, years in the making and scheduled to be released Tuesday, concludes that automated identification of terrorists through data mining or any other mechanism “is neither feasible as an objective nor desirable as a goal of technology development efforts.” Inevitable false positives will result in “ordinary, law-abiding citizens and businesses” being incorrectly flagged as suspects.

The whopping 352-page report, called “Protecting Individual Privacy in the Struggle Against Terrorists,” amounts to at least a partial repudiation of the Defense Department’s controversial data-mining program called Total Information Awareness, which was limited by Congress in 2003.

But the ambition of the report’s authors is far broader than just revisiting the problems of the TIA program and its successors. Instead, they aim to produce a scholarly evaluation of the current technologies that exist for data mining, their effectiveness, and how government agencies should use them to limit false positives–of the sort that can result in situations like heavily-armed SWAT teams raiding someone’s home and shooting their dogs based on the false belief that they were part of a drug ring.

The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research; R. Gil Kerlikowske, Seattle’s police chief; and Daryl Pregibon, a research scientist at Google.

They admit that far more Americans live their lives online, using everything from VoIP phones to Facebook to RFID tags in automobiles, than a decade ago, and the databases created by those activities are tempting targets for federal agencies. And they draw a distinction between subject-based data mining (starting with one individual and looking for connections) compared with pattern-based data mining (looking for anomalous activities that could show illegal activities).

But the authors conclude the type of data mining that government bureaucrats would like to do–perhaps inspired by watching too many episodes of the Fox series 24–can’t work. “If it were possible to automatically find the digital tracks of terrorists and automatically monitor only the communications of terrorists, public policy choices in this domain would be much simpler. But it is not possible to do so.”

A summary of the recommendations:

* U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.

* Periodically after a program has been operationally deployed, and in particular before a program enters a new phase in its life cycle, policy makers should (carefully review) the program before allowing it to continue operations or to proceed to the next phase.

* To protect the privacy of innocent people, the research and development of any information-based counterterrorism program should be conducted with synthetic population data… At all stages of a phased deployment, data about individuals should be rigorously subjected to the full safeguards of the framework.

* Any information-based counterterrorism program of the U.S. government should be subjected to robust, independent oversight of the operations of that program, a part of which would entail a practice of using the same data mining technologies to “mine the miners and track the trackers.”

* Counterterrorism programs should provide meaningful redress to any individuals inappropriately harmed by their operation.

* The U.S. government should periodically review the nation’s laws, policies, and procedures that protect individuals’ private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

By itself, of course, this is merely a report with non-binding recommendations that Congress and the executive branch could ignore. But NRC reports are not radical treatises written by an advocacy group; they tend to represent a working consensus of technologists and lawyers.

The great encryption debate of the 1990s was one example. The NRC’s so-called CRISIS report on encryption in 1996 concluded export controls–that treated software like Web browsers and PGP as munitions–were a failure and should be relaxed. That eventually happened two years later.

Posted in | No Comments »

Remote Connectivity

Sunday, October 5th, 2008

As you might know, I’m basically a consultant. Sometimes I spend a lot of time at remote client sites. Often my co-workers and I need to communicate. Sure sometimes we can VPN, SSH, or use a Cellular modem but that’s not always practical. Often we use messengers like Gchat or Skype to communicate.

I use to love Gchat/Gmail, but one day Google screwed me and disabled my account. I have no idea why, but I was locked out for a day without any remediation — no number, no email address, no form. Just a lock out. So i dumped Gmail. My address forwards to another account, but that’s it. The problem is my co-workers still love it. But since I’m a security guy on a cruisade I’ve thought of lots of reasons why consultants shouldn’t use Gchat/gmail:

Gmail/Gchat indexes and stores everything
Okay so you click off-the-record — do you think they really stop indexing things?

So you buy that they’re not evil and really don’t store your convo… what is still wrong with GMail/Gchat?

Google sets a cookie to track your username. So all your searches are tracked
This gives away where you are by IP and who your customer is
Gives away the number of consultants working at client side
Gives away when/how-long you’re at the client site

Personally, I’d PAY a LOT for that sort of information on my competitors. But there are still all the tools out there to intercept Gchat… and of course, none of it is encrypted.

I perfer skype. No it’s not perfect, but it’s encrypted, works, and doesn’t (obviously) try to invade my privacy.

Posted in | No Comments »

cyberwart

Archive for October, 2008

MS08-067 Update

Bulletin Information

Executive Summaries

Critical (5)

Important (6)

Moderate (1)

Exploitability Index

Affected Software and Download Locations

Windows Operating System and Components

Microsoft Office Suites and Software

Microsoft Server Software

Detection and Deployment Tools and Guidance

Other Information

Microsoft Windows Malicious Software Removal Tool

Non-Security, High-Priority Updates on MU, WU, and WSUS

Security Strategies and Community

Acknowledgments

Support

Disclaimer

Revisions

Anyone have any info?

In the news…

Vulnerability Disclosure

Free Ringtones

Lovely “feature”….

News of the Day

Remote Connectivity

Pages

Archives

Categories