August 12, 2008, 4:15 PM — Microsoft Tuesday released its largest security in 18 months to patch 26 vulnerabilities in Windows, Office, Internet Explorer (IE) Windows Messenger and other software.
"Today is a perfect storm of client-side issues," said Amol Sarwate , manger of Qualys Inc.'s vulnerabilities research lab. "Most or all of Microsoft's client-side applications are affected or patched."
At least two of the vulnerabilities have already been exploited in the wild, Microsoft acknowledged. Those two, plus another pair, said one security researcher, should be considered "zero-day" bugs since technical details about the flaws had been circulating prior to today.
"It's all about the count today," Sarwate said. "This is the largest update in 2008, and the largest in the last 18 months. We have two that we know have been exploited and four zero-days."
Even though today's updates -- 11 total bulletins, six of which were tagged as "critical," Microsoft's highest threat ranging -- set a 2008 record, Microsoft left one expected fix off the table: Last week, it said it would patch one or more critical flaws in Windows Media Player 11, the version bundled with Windows Vista.
Microsoft has yanked updates at the last minute in the past, and typically cites reliability concerns with the patch or says it was not able to wrap up testing in time. So it did today: "The bulletin has been removed prior to today's bulletin release because of a last minute quality issue," said Christopher Budd, a spokesman for the Microsoft Security Response Center (MSRC) in an e-mail.
Of today's 11 updates, two were most anticipated: a patch for a bug in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, and one for a less-critical flaw in Microsoft Word that the company confirmed in a July 8 security advisory . The former was patched by MS08-041 , while the latter was fixed by MS08-042.
The Snapshot Viewer and Word vulnerabilities have been exploited by attackers, making them especially important to patch, Sarwate said.
Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., saw two major themes in the massive update. "There's a lot of file parsing vulnerabilities here," he said, " and a ton of replacement bulletins."
File format bugs are not new to Microsoft's software, especially the applications in its Office suite, but the number patched today -- a full dozen altogether -- took him by surprise. "Every Office product got touched today," Storms said. "The good thing is that if Office 2007 [applications] are affected, they're less affected, because the file format changed with that version."
"They'll continue to pop up," he added, "because the file formats, the older formats in particular, have been so well documented outside of Microsoft," Storms said.
On the theme of replacement bulletins, Storms noted that seven of the 11 updates unveiled today replace earlier Microsoft security patches. "It's not unusual to have a few, and by 'a few' I think of one or two, maybe three, but we're looking at a full deck here.
"It tells me that one of the best ways to find new vulnerabilities continues to be to look at what Microsoft has patched in the past, and what they might have missed when they did," Storms said.
That tactic pays dividends, he argued, and pointed to the large number of replacement updates as proof. "Absolutely this works. You look in the same area of code as the fix Microsoft applied. Maybe the function call they patched here is being used somewhere else."
While Microsoft addressed six critical vulnerabilities in its IE browser today with MS08-045 it did not tackle a bug first reported in 2006 that returned to the limelight in May 2008 when security researcher Aviv Raff claimed that it could be combined with the so-called "carpet bomb" flaw in Apple Inc.'s Safari. Apple and Mozilla Corp. have patched their browsers to prevent the kind of blended threats that Raff has outlined.
Microsoft also issued a separate security advisory today that announced it had set the "kill bits" for a pair of third-party ActiveX controls from Hewlett-Packard Co. and Aurigma Inc. The practice, which debuted in April, lets Microsoft disable vulnerable ActiveX controls remotely through its Windows Update service.