It's patching time yet again for Microsoft, as the software giant made available no fewer than eight security bulletins on December 9, 2008, designed to plug vulnerabilities in a range of products including Windows Vista Service Pack 1 and Windows XP Service Pack 3. A total of six update packages are labeled with a maximum severity rating of Critical, with the remaining two rated Important. With the eight security bulletins, Microsoft has patched 28 vulnerabilities, the largest volume of holes since 2003.
In addition to Windows Vista SP1 and Windows XP SP3, the Redmond company indicated that a range of its software products are affected by the December 2008 security bulletins, including additional Windows client and server operating systems, Internet Explorer, Windows Media Player, various versions of the Office System including Office 2007 SP1 and Office 2008 for Mac, SharePoint Server, Office Word and Excel Viewer, Visual Basic, and even Search Server.
Microsoft revealed that a single bulletin patches vulnerabilities for which exploit code was already available in the wild. Patches are already available for the security holes in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls), which can be exploited in the wild.
Windows Vista, including editions with SP1, is affected by 4 Critical, 2 Important, and 1 Moderate vulnerabilities, while Windows XP, even with SP3, is impacted by 2 Critical, 1 Important, and 2 Moderate security flaws.
Christopher Budd, security program manager at the Microsoft Security Response Center, enumerated the December 2008 security bulletin releases:
· MS08-070: Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349) that is rated “Critical;”
· MS08-071: Vulnerabilities in GDI Could Allow Remote Code Execution (956802) that is rated “Critical;”
· MS08-072: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173) that is rated “Critical;”
· MS08-073: Cumulative Security Update for Internet Explorer (958215) that is rated “Critical;”
· MS08-074: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070) that is rated “Critical;”
· MS08-075: Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349) that is rated “Critical;”
· MS08-076: Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807) that is rated “Important;”
· MS08-077: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175) that is rated “Important.”