Bumper Patch Tuesday plugs multiple Office flaws

Critical vulnerabilities in Microsoft Office star in the latest edition of Microsoft's Patch Tuesday updates. All told, Microsoft has released six critical patches and five patches described as important, addressing a total of 26 underlying vulnerabilities. All six critical updates address code injection risks involving Access …

COMMENTS

This topic is closed for new posts.
  1. Roddy MacKenzie
    Paris Hilton

    Still no update on the "Microsoft Security Bulletin Advance Notification"

    It *_still_* points at the June 2008 notification despite repeated requests in July and August to update the page

    http://www.microsoft.com/technet/security/Bulletin/advance.mspx

    Good to see they "raleigh car" (as Our Maggie put it) about us at Redmond.

    Even Paris knows what month it is (give or take a bit)

  2. Roddy MacKenzie
    Paris Hilton

    Hmmm. Eleven patches? What about the other six?

    I ran Microsoft Update yesterday to confirm I had no outstanding patches

    I have just been informed that there are 17 high priority ("critical" & "important") and one optional (a driver) outstanding for my newly installed and fully patched copies of Windows XP, Office 2003 and Studio 2005 Express

    Here's what Microsoft Update did to my PC

    <snip>

    Installation Summary

    Successful: 18

    Failed: 0

    Remaining: 0

    --------------------------------------------------------------------------------

    Successful Updates

    Microsoft Windows XP

    Update for Windows XP (KB951618)

    Cumulative Security Update for ActiveX Killbits for Windows XP (KB953839)

    Update for Windows Media Player 11 for Windows XP (KB939683)

    Security Update for Windows Media Player 11 for Windows XP (KB936782)

    Update for Windows Media Format 11 SDK for Windows XP (KB929399)

    Windows Malicious Software Removal Tool - August 2008 (KB890830)

    Security Update for Outlook Express for Windows XP (KB951066)

    Security Update for Windows XP (KB946648)

    Security Update for Windows XP (KB952954)

    Cumulative Security Update for Internet Explorer 7 for Windows XP (KB953838)

    Security Update for Windows XP (KB950974)

    Update for Windows XP (KB951072)

    Update for Windows XP (KB952287)

    Microsoft Office 2003

    Security Update for Microsoft Office Excel 2003 (KB951548)

    Security Update for Microsoft Office 2003 (KB921598)

    Update for Microsoft Office Outlook 2003 Junk Email Filter (KB955434)

    Security Update for Microsoft Office PowerPoint 2003 (KB948988)

    Security Update for Microsoft Office Word 2003 (KB954464)

    </snip>

    13 + 5 = 11? Even Paris knows this ain't right

  3. Jodo Kast
    Go

    Patch Count for Up-to-date Users only

    I see you're using Office 2003. That's an old version.

    Are you using the Media Center version of XP? Patch count differs depending on what version you are using (Home, Pro, MCE, etc).

  4. Roddy MacKenzie
    Paris Hilton

    @Jodo Kast

    As I stated: NO outstanding patches yesterday.

    There were, as Microsoft stated in the bulletin, only five patches for Office 2003.

    I'm using Office 2003 Standard (Volume License) on XP Pro (Volume License)

    My colleagues are getting 16-18 patches depending on their permutations of various versions of Windows (2000 Pro, XP Pro, Vista Business) and Office (2000 Std, 2000 Pro, 2003 Std, 2003 Pro, 2007 Std, 2007 Pro, 2007 Basic and probably some other versions too)

    I haven't tried patching our 2003 Server boxes yet, but I'm expecting anything from 8 to 18 patches (They don't have M$ Office, but some have Excel 2003 Viewer and/or Word 2003 Viewer)

  5. John Tate

    Patch Tuesday - some findings on impact on applications

    ChangeBase AOK Application Compatibility Lab Results – Patch Tuesday Update.

    August 13th 2008

    As part of the August release of the regularly scheduled Microsoft Updates, there are currently eleven patches being released; six with the maximum rating of Critical and related to the Windows operating system and five with the maximum rating of Important that are related to Office. We have used AOK to test for the Windows patches

    It should be noted that patch MS08-047 relates to VISTA. The other five relate to XP (SP1/2/3)

    Here is a brief summary of the patches that affect the Microsoft Windows operating system;

    1) Microsoft Security Bulletin MS08-045

    Description: Cumulative Security Update for Internet Explorer (953838). This security update resolves five privately reported vulnerabilities and one publicly disclosed vulnerability. All of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

    2) Microsoft Security Bulletin MS08-046

    Description: Vulnerability in Microsoft Windows Image Colour Management System Could Allow Remote Code Execution (952954). This update resolves a privately reported vulnerability in the Microsoft Image Colour Management (ICM) system that could allow remote code execution in the context of the current user.

    3) Microsoft Security Bulletin MS08-047

    Description: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733). This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied.

    4) Microsoft Security Bulletin MS08-048

    Description: Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733). This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text.

    5) Microsoft Security Bulletin MS08-049

    Description: Vulnerabilities in Event System Could Allow Remote Code Execution (950974). This update resolves two privately reported vulnerabilities in Microsoft Windows Event System that could allow remote code execution.

    6) Microsoft Security Bulletin MS08-050

    Description: Vulnerability in Windows Messenger Could Allow Information Disclosure (955702). This security update resolves a publicly reported vulnerability in supported versions of Windows Messenger. As a result of this vulnerability, scripting of an ActiveX control could allow information disclosure in the context of the logged-on user.

    Note: These are not all of the patches that have been released by Microsoft today as the following only apply to Microsoft Office products;

    • Microsoft Security Bulletin MS08-042

    • Microsoft Security Bulletin MS08-041

    • Microsoft Security Bulletin MS08-043

    • Microsoft Security Bulletin MS08-051

    • Microsoft Security Bulletin MS08-044

    We have used the ChangeBase AOK Workbench to analyse each of the Windows patches against a sample of approximately 700 unique application packages with the intention of providing some insight into the following questions;

    1. What patches when released are likely to cause my applications to fail?

    2. What patches contain files and settings shared by individual applications I am running?

    For clarity, a number of software vendors and developers use shared Microsoft code in their applications – for example subsets of IE7. Hence if this embedded code for example has a security issue that the patch is resolving the application will need checking by the software vendor or in house development team.

    3. Which applications have a dependency on the software that has been updated? For example many applications use Internet Explorer as part of their functionality – say to produce a management report. If Microsoft update IE7 with a new patch this can cause problems when this action is carried out in the software application

    4. What order should I test my applications?

    5. What patches should I test most and why?

    Results

    The following table details the results from the ChangeBase AOK Patch Impact Analysis and includes information on what application packages in the sample portfolio;

    • What is the total number of applications affected by each patch?

    • What applications also include files and configuration data that were embedded in the patch update?

    • What applications had specific dependencies on changes included in these updates

    Patch      No of apps   %age apps affected   Number with shared code   Number with dependencies
    MS08-045   585          32%                  3                         235
    MS08-046   12           <1%                  <1%                       N/A
    MS08-047   6            <1%                  <1%                       N/A
    MS08-048   20           <1%                  <1%                       N/A
    MS08-049   7            <1%                  <1%                       N/A
    MS08-050   9            <1%                  <1%                       N/A

    Special Notes:

    • MS08-046 Security Update for Windows Server 2003 raised a specific driver issue with Fujitsu 4340 colour scanners (mscms.dll)

    • MS08-048 Security Update for Windows Mail raised a specific DLL conflict with Microsoft Digital Image software

    • MS08-050 Security Update for Windows XP raised an application conflict with Microsoft Messenger

    Recommendations

    1. Immediately test core applications affected by MS08-045 with dependencies, in this case on IE7

    2. Ideally test all other applications affected by this patch with dependencies

    3. Test applications with shared code for the new DLL/driver updates

    4. Test applications using Fujitsu colour scanners/Microsoft Digital Image software and Microsoft Messenger as above

    Conclusion

    From the results derived from the ChangeBase AOK Patch Impact Analysis, it appears that the following patch updates could be deployed with relatively light testing and with an expected minimal impact on the application portfolio; MS08-46, MS08-47, MS08-48, MS08-49 and MS08-50. However, the Microsoft Internet Explorer 7 Update IE7 (MS08-045) includes files and configuration data that are a direct dependency for a large number of applications. This could mean that these applications may be adversely affected by the MS08-045 update and this patch should be fully tested prior to deployment to production environments.

    About the ChangeBASE Application Compatibility Lab

    ChangeBASE launched last month our ACL to allow us to rapidly assess the impact of new operating system code releases on a portfolio of applications. We have loaded c. 700 applications into this Lab and can use AOK to test the impact of new releases on these in minutes.

  6. Jodo Kast
    Flame

    @Roddy MacKenzie

    If you are in the UK, yesterday is today in the United States.

    So Patch Tuesday in the UK is actually Patch Wednesday.

    Counting errors and time errors? Yikes! LOL

  7. s. pam Silver badge
    Dead Vulture

    Super Flop Tuesday for Mac Office 2008

    Whilst the PeeCee community may have been dancing in the aisles for new security protection, MSFT also released Office 2008 12.1.2 which fixes a few "critical security" bugs, and also a number of very annoying XML/HTTP issues.

    Sure would be nice if it would INSTALL -- instead all legitimate users in our company who had 12.1.1 are getting an error message that 12.1.2 is "missing a critical install component for your system and will NOT install".

    This means after you've faffed around getting 160MB update to your Mac, it will NOT install. Oh well, guess we're better off than VMware users......

  8. The Aussie Paradox
    Black Helicopters

    Interesting

    It's interesting how MS are foisting a Critical MS Office 2007 patch on my computers... considering I don't have any Office product installed. Unless they are patching my OpenOffice application as a "community service"?

    Mine is the one with the Boy Scout for Community services rendered to free applications badge pinned to it.
