Woody Leonhard’s no-bull news, tips and help for Windows and Office
  • Whuzzup with MS08-015/KB 949031?

    Posted on August 10th, 2008 at 19:16 woody No comments

    Microsoft has just posted an updated version of the March MS08-015 patch, specifically for Outlook 2002 (the version of Outlook in Office XP).

    The new downloadable is dated August 8.

    I have no idea why MS has re-posted the file. The original Security Bulletin hasn’t been changed since June. Knowledge Base article 949031, which describes the MS08-015 patch in general, hasn’t been changed. Nor has KB 946985, which is specific to Outlook 2002.

    Whuzzup? I dunno….

  • Word 0day

    Posted on July 9th, 2008 at 18:08 woody No comments

    Microsoft just posted KB 953635, which talks about a previously unknown security hole in Word 2002 Service Pack 3 (that’s the version of Word in Office XP).

    If you use Office XP, you should be aware of the problem:

    “Microsoft is aware of limited, targeted attacks that attempt to use this vulnerability… An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.”

    SANS Internet Storm Center adds:

    “Earlier today, we found a mention of such a vulnerability in an advisory published by Symantec. Symantec published this advisory based on a sample our handler Maarten sent to our malware distribution list. The file in question was actually part of a bundle of files he sent. As far as we know, this is the only sample we had which exploits this vulnerability.”

    The usual advice applies: if you use Word XP Service Pack 3, don’t open documents attached to email messages, or posted on the Web. But then, you don’t open those kinds of docs anyway, do you?

  • Office Genuine Spyware false start

    Posted on April 19th, 2008 at 08:43 woody No comments

    Earlier this month I wrote about Microsoft’s brave, new efforts to bring the [hack, hack] benefits of [cough, cough] Genuine Advantage technology to [groan, groan] Microsoft Office. “Microsoft will soon introduce an Office Genuine Advantage (OGA) notifications pilot program in Chile, Italy, Spain and Turkey that will be distributed through a voluntary Microsoft update.”

    Golly gee. Somebody at Microsoft goofed and the Office Genuine Advantage Notifications patch got distributed to everyone running WSUS on their servers. Yes, even people outside of Chile, Italy, Spain and Turkey. More than that, the patch was pushed as a “Critical Update!”

    An unsigned post on the WSUS blog now says:

    “On April 15th the Office Genuine Advantage (OGA) notifications update (KB949810) was inadvertently published to WSUS servers for approximately twenty-four hours. This update was intended for Microsoft Office users in the pilot countries of Italy, Spain, Turkey and Chile, but because of WSUS publication, it became available to WSUS managed clients inside and outside of these intended countries.”

    Sure makes me warm and fuzzy to know Microsoft is pushing those really Critical updates…

  • Time to get patched

    Posted on April 2nd, 2008 at 05:04 woody No comments

    Microsoft fixed the problem with March’s MS08-014 patch. The rest of the March Black Tuesday patches appear to be pretty stable.

    Time to get patched up – Windows XP, Vista, Office in all flavors, plus Firefox, iTunes (don’t fall for Apple’s outrageous attempt to install Safari on your machine during the iTunes update), and Java.

    Don’t install Vista Service Pack 1 just yet, though. Let’s wait for a bit longer and see if anything severe shakes out.

    I’m moving us down to MS-DEFCON 4: There are isolated problems with current patches, but they are well-known and documented here. Check this site to see if you’re affected and if things look OK, go ahead and patch.

  • More info on that Word 0day

    Posted on March 26th, 2008 at 10:26 woody No comments

    Four days ago I talked about a newly discovered buffer overrun security hole in the Jet Database engine that was being actively exploited in Word documents.

    Microsoft just released a fascinating analysis of the hole, explaining that at its heart this is a well-known hole, but with a new twist. The original hole (a hole of a hole, eh?) wasn’t considered very pressing because you had to jump through a lot of hoops to get infected.

    This new 0day Word document (of which there are two samples) takes a fresh approach to the old hole and makes it much more exploitable.

    Anyway, if you’re curious, it makes interesting reading. My original comment applies: “Nothing you can do, except the usual – be very suspicious of every document you find. Yes, even Word 2007 .DOCX documents.”

  • Another Word 0day

    Posted on March 22nd, 2008 at 00:26 woody No comments

    Microsoft just posted Security Advisory 950627, which details an emerging 0day threat against Word 2000, Word 2002 (the version in Office XP), Word 2003, and Word 2007.

    The 0day vector only works on systems running Windows 2000, XP, or Server 2003 SP1 – it doesn’t affect Vista or Server 2003 SP2.

    It’s another buffer overrun security hole, this time in the Jet Database Engine. At this point, the only known ways to take advantage of the hole are via Word documents. There’s a thriving market in Word 0day security holes. It sounds like this one has been constructed very professionally, which means the threat is only directed at specific companies, and the people seeking the confidential information are, no doubt, quite capable and well-heeled.

    Nothing you can do, except the usual – be very suspicious of every document you find. Yes, even Word 2007 .DOCX documents.

  • Just when you thought it was safe…

    Posted on March 15th, 2008 at 11:39 woody No comments

    So I get away for a couple of days and what does Microsoft have in store when I get back?

    Pandemonium.

    Of course you didn’t install the March Black Tuesday crop, right?

    ‘Cuz if you did, you’d be worried that Excel 2003 isn’t working right.

    The SANS Internet Storm Center notes that three of the four Black Tuesday Security Bulletins have no known exploits. The only bulletin that patches a known hole is the one that’s, uh, known to cause rare calculation errors in Excel 2003.

    Ya cain’t win for losin’. No need to apply the patches. Wait and see what other shoes drop.

    We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

  • Black Tuesday for Office only

    Posted on March 6th, 2008 at 19:19 woody No comments

    Microsoft just released its usual advance warning for Black Tuesday patches.

    This month we get four security bulletins, all of them related to Office. There’s nothing on tap for Windows.

    Every version of Office from XP onward is affected. Surprisingly, so are the viewers and the “Compatibility Pack” which allows you to use Office 2007 format documents in Office XP and 2003.

    Get patched up (see next post), then make sure you have automatic updates turned off. Office patches are frequently problematic. Let’s wait and see what happens.