Microsoft Update for December 2008

On the second Tuesday of each month, Microsoft releases security updates for both Windows and specific programs. It sends it out via the automatic Windows Update service and also makes the updates available to manually download.

The November update has fixes for 28 bugs, taking care of a total of eight problems. Each problem is rated for the potential damage it could cause if a hacker took advantage of the exploit.

This month, six of the problems, a total of 23 fixes, get the most serious ‘critical’ rating. This is the highest monthly total since 2003. Each problem could allow a hacker to carry out remote code execution, which effectively gives them complete control over a computer.

The affected programs and the ways the problems can be triggered are:

• Internet Explorer (through an infected web page)
• Microsoft Word (through a user opening an infected Word or rich text format document)
• The Graphics Device Interface, which is the main graphical component of Windows (through infected Windows Metafiles, which create images displayed in Windows)
• Windows Search (but only if a user opens a bogus saved search file)
• Microsoft Excel (through an infected Excel file)
• Visual Basic 6.0 Runtime, a Windows component (through infected web pages with Active X content)

In this month’s update, the problems are fairly widespread and affect most editions of each program. As well as making the update particularly important, this should be a strong reminder to take care with any files that come from an unknown or untrusted source.

There are also fixes for problems in Windows Media programs and Microsoft Office SharePoint Server, though these problems carry the lesser rating of ‘important’.

Wherever necessary, Microsoft issue kill bits to deal with security problems in third-party software which could cause problems in Windows. A kill bit is an entry in the Windows Registry which blocks the relevant software from running Active X content (a type of interactive feature which can be vulnerable to hacking in some cases). This month there are no kill bits in the update.

As well as rating problems for the damage they could cause if exploited, Microsoft now rates ‘exploitability’ which is a prediction of how likely it is that hackers will exploit each problem. Microsoft hopes this added detail will be particularly useful in helping IT staff decide which problems to give priority to when monitoring and updating the security on a network.

The rating considers the next 30 days, which is when there’s the biggest risk. That’s because hackers can look at the fixes, figure out exactly what the original bug was, and take advantage before everyone has applied the updates.

This month every problem except the GDI issue has at least one fix for a loophole with the top rating of ‘Consistent exploit code likely’.

For this reason, it’s absolutely vital you apply the patches for any programs you use if you don’t have your machine set to automatically download and apply updates.

Microsoft has confirmed reports that a new security gap affects any machine running a combination of Windows XP (or Windows 2003) and Internet Explorer versions 5 through 7, even if they’ve been patched with the new update. It doesn’t appear that any hackers have taken advantage of the gap, but instructions showing how to so do have appeared online.

Microsoft hasn’t ruled out issuing an emergency patch rather than waiting until the next monthly update. In the meantime, it recommends users change the security level setting in Internet Explorer 7 to ‘High’ and to change the ‘active scripting’ option to either ‘prompt before running’ or ‘disabled’.

Until a patch is issued, it may be worth using an alternative browser if you want to be particularly cautious. If you do carry on with Internet Explorer 7, you should take particular care not to follow links to unknown websites which could allow hackers to exploit the bug. Bear in mind that a text link may point to a different website to the address displayed in the text itself; if in doubt, cut and paste the address rather than click directly on the link.