MICROSOFT SECURITY BULLETIN: DECEMBER 2008

Microsoft Corp. has released eight Security Bulletins encompassing 28 vulnerabilities. This report provides an initial summary of these pending issues.
 

Security Bulletin MS08-070: Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)
http://www.microsoft.com/technet/security/bulletin/MS08-070.mspx

CVE Number: CVE-2008-3704
iDefense Title: Microsoft Visual Basic 6.0 Runtime Extended Files Msmask32.ocx ActiveX Control Buffer Overflow Vulnerability
iDefense Master ID: 471297
iDefense Severity: HIGH

Remote exploitation of a buffer overflow vulnerability in version 6.0 of Microsoft Corp.'s Visual Basic Runtime Extended Files could allow attackers to execute arbitrary code on the targeted host.

CVE Number: CVE-2008-4252
iDefense Title: Microsoft Visual Basic 6.0 Runtime Extended Files DataGrid ActiveX Control Memory Corruption Vulnerability
iDefense Master ID: 477743
iDefense Severity: HIGH

Remote exploitation of a memory corruption vulnerability in version 6.0 of Microsoft Corp.'s Visual Basic Runtime Extended Files could allow an attacker to execute arbitrary code on the targeted host.

CVE Number: CVE-2008-4253
iDefense Title: Microsoft Visual Basic 6.0 Runtime Extended Files FlexGrid ActiveX Control Memory Corruption Vulnerability
iDefense Master ID: 477750
iDefense Severity: HIGH

Remote exploitation of a memory corruption vulnerability in version 6.0 of Microsoft Corp.'s Visual Basic Runtime Extended Files could allow an attacker to execute arbitrary code on the targeted host.

CVE Number: CVE-2008-4254
iDefense Title: Microsoft Visual Basic 6.0 Runtime Extended Files Hierarchical FlexGrid ActiveX Control Memory Corruption Vulnerability
iDefense Master ID: 477752
iDefense Severity: HIGH

Remote exploitation of a memory corruption vulnerability in version 6.0 of Microsoft Corp.'s Visual Basic Runtime Extended Files could allow an attacker to execute arbitrary code on the targeted host.

CVE Number: CVE-2008-4255
iDefense Title: Microsoft Visual Basic 6.0 Runtime Extended Files Common AVI Parsing ActiveX Control Buffer Overflow Vulnerability
iDefense Master ID: 477754
iDefense Severity: HIGH

Remote exploitation of a buffer overflow vulnerability in version 6.0 of Microsoft Corp.'s Visual Basic Runtime Extended Files could allow an attacker to execute arbitrary code on the targeted host.

CVE Number: CVE-2008-4256
iDefense Title: Microsoft Visual Basic 6.0 Runtime Extended Files Charts ActiveX Control Memory Corruption Vulnerability
iDefense Master ID: 477738
iDefense Severity: HIGH

Remote exploitation of a memory corruption vulnerability in version 6.0 of Microsoft Corp.'s Visual Basic Runtime Extended Files could allow an attacker to execute arbitrary code on the targeted host.
 


Security Bulletin MS08-071: Vulnerabilities in GDI Could Allow Remote Code Execution (956802)
http://www.microsoft.com/technet/security/bulletin/MS08-071.mspx

CVE Number: CVE-2008-2249
iDefense Title: Microsoft Windows GDI WMF Header Parsing Integer Overflow Vulnerability (iDefense Exclusive)
iDefense Master ID: 469474
iDefense Severity: HIGH
iDefense Initial Disclosure Date: May 20, 2008

Remote exploitation of an integer overflow in the GDI component of Microsoft Corp.'s Windows operating system allows attackers to execute arbitrary code with the privileges of the current user.

CVE Number: CVE-2008-3465
iDefense Title: Microsoft Windows GDI WMF Copy Heap Overflow Vulnerability
iDefense Master ID: 477764
iDefense Severity: LOW

Remote exploitation of a heap overflow in the GDI component of Microsoft Corp.'s Windows operating system allows attackers to cause a denial of service (DoS) condition.
 


Security Bulletin MS08-072: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)
http://www.microsoft.com/technet/security/bulletin/MS08-072.mspx

CVE Number: CVE-2008-4024
iDefense Title: Microsoft Office Word Memory Corruption Vulnerability
iDefense Master ID: 477739
iDefense Severity: MEDIUM

Remote exploitation of a memory corruption vulnerability in multiple versions of Microsoft Corp.'s Office allows an attacker to execute arbitrary code as the currently logged-in user.

CVE Number: CVE-2008-4025
iDefense Title: Microsoft Office Word RTF Integer Overflow Vulnerability
iDefense Master ID: 477745
iDefense Severity: MEDIUM

Remote exploitation of an integer overflow vulnerability in multiple versions of Microsoft Corp.'s Office allows an attacker to execute arbitrary code as the currently logged-in user.

CVE Number: CVE-2008-4026
iDefense Title: Microsoft Office Word Memory Corruption Vulnerability
iDefense Master ID: 477759
iDefense Severity: MEDIUM

Remote exploitation of a memory corruption vulnerability in multiple versions of Microsoft Corp.'s Office allows an attacker to execute arbitrary code as the currently logged-in user.

CVE Number: CVE-2008-4027
iDefense Title: Microsoft Office Word RTF Memory Corruption Vulnerability
iDefense Master ID: 477763
iDefense Severity: MEDIUM

Remote exploitation of a memory corruption vulnerability in multiple versions of Microsoft Corp.'s Office allows an attacker to execute arbitrary code as the currently logged-in user.

CVE Number: CVE-2008-4028
iDefense Title: Microsoft Word RTF File Object Parsing Memory Corruption Vulnerability
iDefense Master ID: 477757
iDefense Severity: HIGH

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Word could allow an attacker to execute arbitrary code with the privileges of the logged-in user.

CVE Number: CVE-2008-4030
iDefense Title: Microsoft Word RTF File Object Parsing Memory Corruption Vulnerability
iDefense Master ID: 477751
iDefense Severity: MEDIUM

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Word could allow an attacker to execute arbitrary code with the privileges of the logged-in user.

CVE Number: CVE-2008-4031
iDefense Title: Microsoft Word RTF File Object Parsing Memory Corruption Vulnerability
iDefense Master ID: 477762
iDefense Severity: HIGH

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Word could allow an attacker to execute arbitrary code with the privileges of the logged-in user.

CVE Number: CVE-2008-4837
iDefense Title: Microsoft Word Memory Corruption Vulnerability
iDefense Master ID: 477765
iDefense Severity: MEDIUM

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Word could allow an attacker to execute arbitrary code with the privileges of the logged-in user.
 


Security Bulletin MS08-073: Cumulative Security Update for Internet Explorer (958215)
http://www.microsoft.com/technet/security/bulletin/MS08-073.mspx

CVE Number: CVE-2008-4258
iDefense Title: Microsoft Internet Explorer Parameter Validation Memory Corruption Vulnerability
iDefense Master ID: 477737
iDefense Severity: HIGH

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Internet Explorer Web browser allows attackers to execute arbitrary code within the context of the affected user.

CVE Number: CVE-2008-4259
iDefense Title: Microsoft Internet Explorer 7 HTML Objects Memory Corruption Vulnerability
iDefense Master ID: 477740
iDefense Severity: HIGH

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Internet Explorer 7 could allow an attacker to execute arbitrary code with the privileges of the current user.

CVE Number: CVE-2008-4260
iDefense Title: Microsoft Internet Explorer 7 Uninitialized Memory Corruption Vulnerability
iDefense Master ID: 477741
iDefense Severity: HIGH

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Internet Explorer 7 could allow an attacker to execute arbitrary code with the privileges of the current user.

CVE Number: CVE-2008-4261
iDefense Title: Microsoft Internet Explorer EMBED tag Long File Name Extension Stack Buffer Overflow Vulnerability (iDefense Exclusive)
iDefense Master ID: 471911
iDefense Severity: HIGH
iDefense Initial Disclosure Date: Aug. 26, 2008

Remote exploitation of a stack buffer overflow vulnerability in Microsoft Corp.'s Internet Explorer Web browser allows attackers to execute arbitrary code within the context of the current user.
 


Security Bulletin MS08-074: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)
http://www.microsoft.com/technet/security/bulletin/MS08-074.mspx

CVE Number: CVE-2008-4264
iDefense Title: Microsoft Office Excel Formula Pointer Corruption Arbitrary Code Execution Vulnerability
iDefense Master ID: 477749
iDefense Severity: MEDIUM

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Excel could allow an attacker to execute arbitrary code.

CVE Number: CVE-2008-4265
iDefense Title: Microsoft Excel MSODRAWINGGROUP Record Memory Corruption Vulnerability (iDefense Exclusive)
iDefense Master ID: 470781
iDefense Severity: MEDIUM
iDefense Initial Disclosure Date: July 21, 2008

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Excel could allow attackers to execute arbitrary code with the privileges of the current user.

CVE Number: CVE-2008-4266
iDefense Title: Microsoft Office Excel Global Array Memory Corruption Vulnerability
iDefense Master ID: 477758
iDefense Severity: MEDIUM

Remote exploitation of a memory corruption vulnerability in Microsoft Corp.'s Excel could allow an attacker to execute arbitrary code as the currently logged-in user.
 


Security Bulletin MS08-075: Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)
http://www.microsoft.com/technet/security/bulletin/MS08-075.mspx

CVE Number: CVE-2008-4268
iDefense Title: Microsoft Windows Search Saved Search Invalid Free Vulnerability
iDefense Master ID: 477766
iDefense Severity: MEDIUM

Remote exploitation of an invalid free vulnerability in the Windows search component of Microsoft Corp.'s Windows operating system allows attackers to execute arbitrary code.

CVE Number: CVE-2008-4269
iDefense Title: Microsoft Windows Search 'search-ms' Protocol Handler Code Execution Vulnerability
iDefense Master ID: 477767
iDefense Severity: HIGH

Remote exploitation of a code execution vulnerability in the Windows search component of Microsoft Corp.'s Windows operating system allows attackers to execute arbitrary code.
 


Security Bulletin MS08-076: Vulnerabilities in Windows Media Components Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/bulletin/MS08-076.mspx

CVE Number: CVE-2008-3009
iDefense Title: Microsoft Windows Media Player SPN Credential Reflection Vulnerability
iDefense Master ID: 477746
iDefense Severity: MEDIUM

Remote exploitation of a design error vulnerability in Microsoft Corp.'s Windows Media Player could allow an attacker to execute arbitrary code as the currently logged-in user.

CVE Number: CVE-2008-3010
iDefense Title: Microsoft Windows Media Player NTLM Credential Information Disclosure Vulnerability
iDefense Master ID: 477748
iDefense Severity: MEDIUM

Remote exploitation of an information disclosure vulnerability in Microsoft Corp.'s Windows Media Player could allow an attacker to execute arbitrary code as the currently logged-in user.
 


Security Bulletin MS08-077: Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege
http://www.microsoft.com/technet/security/bulletin/MS08-077.mspx

CVE Number: CVE-2008-4032
iDefense Title: Microsoft Office SharePoint Server Privilege Escalation Vulnerability
iDefense Master ID: 477756
iDefense Severity: MEDIUM

Remote exploitation of a design error vulnerability in Microsoft Corp.'s Office SharePoint Server could allow an attacker to gain escalated privileges on the targeted host.