Microsoft Nabs 28 Flaws in Year’s Last Patch Haul


Microsoft users are getting an early present from the software giant this December — that is, if you consider the biggest security fix list of the year to be a gift.

The company today released its Patch Tuesday fixes for December, and it’s a large one, with eight different security bulletins addressing 28 vulnerabilities.

The Internet Explorer browser gets tagged for four issues with a critical severity rating — the maximum. The first of the four IE issues, described as a “Parameter Validation Memory Corruption Vulnerability,” deals with a security flaw in the way that IE Web navigation works.

According to Microsoft’s advisory, an attacker could exploit the vulnerability by hosting a specially crafted Web page; a user who visits that page with an unpatched browser could have code executed on the PC.

The second IE issue fixed by Microsoft, titled “HTML Objects Memory Corruption Vulnerability,” addresses a remote code execution risk arising from how IE accesses uninitialized memory in certain circumstances.

Microsoft also tackled one flaw it called “Uninitialized Memory Corruption Vulnerability,” which stems from a problem in how the browser accesses an object that has been deleted, as well as “HTML Rendering Memory Corruption Vulnerability,” which centers on a security hole in how IE embeds objects into a Web page.

“The security update addresses these vulnerabilities by modifying the way that Internet Explorer validates parameters, handles the error resulting in the exploitable condition, and handles extra data when embedding objects in Web pages,” Microsoft stated in its advisory on the IE fixes.

The problems affect Internet Explorer versions 5, 6 and 7. Microsoft has not said whether the Internet Explorer 8 Beta 2 browser is at risk, and has not issued an update for the beta.

ActiveX, search and Office

In addition to the IE-specific fixes, Microsoft this month is also patching five issues that affect ActiveX controls for Microsoft Visual Basic 6.0 Runtime Extended Files. ActiveX is widely used within IE and across Web sites as a mechanism for dynamic functionality.

The vulnerabilities stem from memory corruption issues that an attacker could use to execute code remotely. Microsoft said it fixed the issues in the update by improving validation and error handling within the ActiveX controls.

Windows Search users also need to pay attention to a pair of fixes in this month’s updates. According to Microsoft’s advisory on the issue, an attacker could potentially take control of a user’s PC if the user opens, saves or clicks on a maliciously crafted saved-search file within Windows Explorer.

“The security update addresses the vulnerabilities by modifying the way that Windows Explorer frees memory when saving Windows Search files and by modifying the way that Windows Explorer interprets parameters when parsing the search-ms protocol,” Microsoft said in its advisory.

Microsoft Office is also high on the Patch Tuesday list of fixes. Microsoft Word and Outlook are identified as having eight vulnerabilities fixed in the update. The flaws involve memory corruption and object parsing issues that could lead to remote code execution by an attacker.

According to Microsoft’s advisory, “The security update addresses the vulnerability by modifying the way that Microsoft Office Word and Microsoft Office Outlook handle specially crafted Word and Rich Text Format (RTF) files.”

Other components of Microsoft’s Office suite are also targeted in the update. Microsoft’s Excel spreadsheet application receives three fixes relating to file format parsing flaws that could lead to an attacker gaining control of a user’s PC.

“This security update addresses these vulnerabilities by modifying the way that Microsoft Office Excel opens Excel files,” Microsoft’s advisory said.

The December Patch Tuesday update from Microsoft is the last scheduled Microsoft security update for 2008. The total count of 28 vulnerabilities for the month is a far cry from the three it fixed with its first Patch Tuesday update of the year in January. Until today’s release, the August Patch Tuesday, with 26 vulnerabilities, had been the largest patch haul from Microsoft this year.
