December 09, 2008, 4:30 PM — Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked "critical," in the biggest update since it switched to a regular monthly update schedule more than five years ago.
Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its four-step scoring system. Of the five others, three were judged "important," the next step down, and two were pegged "moderate." The patches were issued in eight updates for Windows, Internet Explorer (IE), Office, SharePoint, Windows Media, and the company's most popular development tools, Visual Basic and Visual Studio.
Researchers agreed that one of the Windows updates should be tops on everyone's to-do list. "There are a few that will stick out for a lot of people," said Andrew Storms, director of security operations at nCircle Network Security Inc. "The GDI is one."
MS08-071, which contains two separate vulnerabilities, both critical, updates the Graphics Device Interface (GDI), the core graphics rendering component of Windows. GDI has been repeatedly patched by Microsoft, most recently in September.
"This looks very similar to MS08-021," said Storms, referring to an April update that patched two more GDI bugs. Like that earlier fix, as well as the one in September, hackers could exploit the vulnerabilities by duping users into opening or viewing malicious WMF (Windows Metafile) images.
"[MS08-071] is something similar to what we saw with WMF files once before this year, and once last year, too," said Amol Sarwate, manager of Qualys Inc.'s vulnerability lab. "It's in the core kernel, it's always there, it's in all versions of Windows and the attack vector is pretty high." Like Storms, Sarwate put the update at the top of his list.
The long-running patch job on GDI will, said Storms, inevitably prompt some to ask whether Microsoft's vaunted SDL (Security Development Lifecycle) process, under which it scrutinizes code as its written for bugs, really works. "Is SDL functioning? I don't know," Storms admitted. "Without seeing the code analysis, it's difficult to presume it's not."
"Yes, I think that's a fair question," said Wolfgang Kandek, the chief technology officer for Qualys. "But is it realistic to expect Microsoft to find everything? No, it's not."
Storms said the IE update, MS08-073, would be his next highest update priorty, simply because of the number of vulnerabilities it fixes -- four, all critical -- and because of the dominance of Microsoft's browser. After that, it gets murkier. "GDI and IE are certainly top of the list, but beyond that it's a toss-up," he said. "It's going to be difficult for people in the trenches to understand what to go after the first and second."
Qualys' Sarwarte and Kandek, meanwhile, staked out MS08-070 as the second-most-interesting update among today's eight. "This is a far-reaching vulnerability," said Kandek, who noted that while end users won't be installing this update for Visual Basic, it can potentially affect anyone who browses the Internet with IE.
"Microsoft's telling developers that they need to update their development system and the Visual Basic runtimes, then notify users of the ActiveX controls that they've created," said Kandek, talking about the technology that provides IE with add-on functionality. "And again, all [hackers] have to do is just come up with a malicious Web site with vulnerable ActiveX controls."
The Visual Basic update patches a total of six bugs, all ranked critical.
Other bulletins include updates that patch Microsoft Word's file format ( MS08-072, with a total of eight vulnerabilities), Microsoft Excel's file format ( MS08-074, three vulnerabilities), Windows Media ( MS08-076, two vulnerabilities), SharePoint ( MS08-077, with one bug) and Windows Search ( MS08-075, which deals with two vulnerabilities).
Some caught the eye of researchers. "The reason why I'm expecting questions about whether SDL is working is because of MS08-076," said Storms, referring to the two-patch update for Windows Media. "Both those bugs are very similar to what we've seen before in other Microsoft products."
Eric Schultze, the chief technology officer of Shavlik Technologies, agreed. "This is closely related to a security patch from last month -- MS08-068," said Schultze in an e-mail today. That bug, which Microsoft fixed in November, was in how the Server Message Block (SMB) protocol handled credentials when a user connected to an attacker's SMB server. At the time, Schultze and others claimed that the bug went back at least seven years.
"It's similar to the MS08-068 attack, but uses different communication mechanisms to logon to the computers," Schultze added. "Microsoft says that Windows Media Player doesn't play by the same rules as the operating system, and that's why this issue wasn't fixed in November. I'd get this one patched right away.
Storms, however, pointed to MS08-075, which patches Windows Search, the integrated desktop search function, in Windows Vista and Windows Server 2008. He found the update interesting, not so much because it only affects Microsoft's newest operating system, but because one of its two patches fixed a flaw in yet another protocol, this time "search-ms."
"There have been issues prior with protocol handlers in Windows," said Storms. "Why would Microsoft make it possible for a protocol handler to call my local file system? What's the validity of that?"
As Storms said, Microsoft has had to patch several protocol handler vulnerabilities in the last 13 months, starting with one in November 2007 in Windows XP and Server 2003 that the company argued for months was not its responsibility to fix.
This month's eight security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
