Microsoft plugs IE, Office in big patch haul

Microsoft patched 26 vulnerabilities with its latest patch, including 20 flaws that were deemed critical.

Here’s the rundown of critical flaws (full bulletin):

  • CVE-2008-2254, CVE-2008-2255, CVE-2008-2256, CVE-2008-2257, CVE-2008-2259 and CVE-2008-2258: These patches fix IE 5 through 7 on various flavors of Windows and address HTML objects memory corruption vulnerabilities as well as memory corruption issues.
  • CVE-2008-3004, CVE-2008-3005, CVE-2008-3006, CVE-2008-3003: These patches address four vulnerabilities in Excel that could lead to remote code execution. An attacker could take advantage of the way Excel processes array indexes, values loaded into memory and record values, and the way it connects to third-party data.
  • CVE-2008-0120, CVE-2008-0121 and CVE-2008-1455: Microsoft says: “This security update resolves three privately reported vulnerabilities in Microsoft Office PowerPoint and Microsoft Office PowerPoint Viewer that could allow remote code execution if a user opens a specially crafted PowerPoint file. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” Office 2000, 2003 and 2007 are impacted.
  • CVE-2008-3019, CVE-2008-3018, CVE-2008-3021, CVE-2008-3020, CVE-2008-3460: Microsoft patched vulnerabilities that could allow remote code execution if a user viewed a specially crafted image file using Microsoft Office. Office 2000, 2003 and Project 2002 are impacted.
  • CVE-2008-2245: Microsoft fixed a remote code execution vulnerability in the way that the Microsoft Color Management System (MSCMS) module of the Microsoft ICM component handles memory allocation. The vulnerability could allow remote code execution if a user opens a specially crafted image file. Software affected includes Windows 2000, XP, and Server 2003.
  • CVE-2008-2463: This patch addresses a Snapshot Viewer arbitrary file download vulnerability in Microsoft Access. The Snapshot Viewer is an ActiveX control that’s found in Office 2000, XP, Access and Office 2003.
[Source: zdnet]