Microsoft patches 31 Windows, IE, Office security holes
link: original article - section: microsoft
Microsoft’s batch of patches this month is a big one: 10 bulletins covering a total of 31 documented vulnerabilities affecting the Windows OS, the Internet Explorer browser and the Microsoft Office productivity suite (Word, Works and Excel).
Five of the 10 bulletins are rated “critical,” Microsoft’s highest severity rating. Among the patches this month are fixes for a pair of IIS WebDav flaws that were publicly disclosed last month and cover for the CanSecWest Pwn2Own vulnerability that was used to exploit Internet Explorer on Windows 7.
Here’s the skinny on this month’s updates:
* MS08-018 (Critical): Fixes two privately reported vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. The more severe vulnerability could allow remote code execution. It is rated Critical for all supported editions of Microsoft Windows 2000 Server, and rated Important for supported versions of Windows XP Professional and Windows Server 2003.
* MS09-019 (Critical): Patches seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Affects IE 5.01, IE 6, IE 7 and IE 8 running on all supported editions of Windows.
* MS09-020 (Important): Fixes one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The vulnerabilities could allow elevation of privilege if an attacker sent a specially crafted HTTP request to a Web site that requires authentication. These vulnerabilities allow an attacker to bypass the IIS configuration that specifies which type of authentication is allowed, but not the file system-based access control list (ACL) check that verifies whether a file is accessible by a given user. Affects all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003.
