Microsoft Issues a Boatload of February Fixes
Feb 20th, 2008
Following its meager security updates in January, Microsoft
came back with a huge release for February. The company released 11 security
bulletins containing 17 fixes.
If there's any good news in this haul of fixes, it's that only six of the 11
bulletins are listed as "critical," and the five other fixes as "important."
Of the six critical fixes, Jonathan Bitle, manager of technical accounts for
security provider Qualys, said MS08-010 stands out because it addresses four
severe HTML issues in Internet Explorer. The vulnerabilities in -010 would
allow a specially crafted page to perform remote code execution on the
user's system.
This vulnerability affects IE from version 5.01 up to 7. "Because it affects
so many systems and doesn't require doing anything more than visiting a
malicious site, that worries us," Bitle told InternetNews.com.
"Most organizations these days have a fairly good security practice about
not opening unknown files from unknown users," he added. "But visiting Web
sites that can be exploited is still the biggest area of concern. Here you
have a remote code execution with no user interaction. Keeping your users
from visiting sites like this is especially difficult."
Three of the critical fixes, MS08-008, -012 and -013, are in Microsoft
Office 2000, XP and 2003, and Office for Mac 2004. The fixes do not affect
the recently released Office 2007 and Office for Mac 2008. All can allow for
remote code execution. The final critical fix, -007, is critical only to
Windows XP and Vista but labeled important for Windows Server 2003.
Among the important fixes are two vulnerabilities to a denial of service
attack that could cause the affected systems to restart (MS08-003 and -004). Two
others affect Internet Information Services (IIS): one allows an attacker to
execute arbitrary code in the context of the local system account (-005), and the other
provides elevated user privileges (-006).
Finally, MS08-011 covers three vulnerabilities in Microsoft Works File
Converter, which could allow an attacker to take control of a system.
Today's bulletins also do not affect Windows Vista SP1 and Windows Server
2008.
As with all patch releases, Microsoft has updated its Malicious Software
Removal Tool -- this time to recognize the Win32/Ldpinch strain of password
stealers.
Symantec calls the malware, which dates back to 2006, a low risk.