ITSS-Advisory : MEDIUM : Microsoft : Various Products : Various Issues
THREAT LEVEL
============
Medium.
INFORMATION
===========
Microsoft has released 8 bulletins and 1 advisory on 09 Dec 2008.
Following is a summary of the announcements.
MS08-077 - Vulnerability in Microsoft Office SharePoint Server
--------------------------------------------------------------
Rating: Important
Impact: Elevation of Privilege
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-077.mspx
Known Issues: http://support.microsoft.com/kb/957175
Affected:
- Microsoft Office SharePoint Server versions: 32-bit, 32-bit SP1, 64-bit, 64-bit SP1.
- Microsoft Search Server 2008 versions: 32-bit, 64-bit.
Not Affected:
- Microsoft Windows SharePoint Services 3.0.
- Microsoft Office SharePoint Portal Server 2003 SP3.
MS08-076 - Vulnerabilities in Windows Media Components
------------------------------------------------------
Rating: Important
Impact: Remote Code Execution
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-076.mspx
Known Issues: None
Affected:
- Windows Media Player 6.4.
- Windows Media Format Runtime versions: 7.1, 9.0, 9.5, 11.
- Windows Media Services versions 4.1, 9, 2008.
MS08-075 - Vulnerabilities in Windows Search
--------------------------------------------
Rating: Critical
Impact: Remote Code Execution
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-075.mspx
Known Issues: None
Affected:
- Windows Vista versions: Vista, SP1, x64, x64 SP1.
- Windows Server 2008 versions: 32-bit, 64-bit, Itanium-based.
Not Affected:
- Windows versions: 2000 SP4, XP SP2, XP SP3, XP Pro x64, XP Pro x64 SP2.
- Windows Server 2003 versions: SP1, SP2, x64, x64 SP2, Itanium SP1, Itanium SP2.
MS08-074 - Vulnerabilities in Microsoft Office Excel
----------------------------------------------------
Rating: Critical
Impact: Remote Code Execution
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-074.mspx
Known Issues: http://support.microsoft.com/kb/959070
Affected:
- Microsoft Office Excel versions: 2000 SP3, 2002 SP3, 2003 SP3, 2007, 2007 SP1.
- Microsoft Office Excel Viewer versions: 2003, 2003 SP3, Viewer.
- Microsoft Office Compatibility Pack for Word, Excel and PowerPoint versions: 2007, 2007 SP1.
- Microsoft Office for Mac versions: 2004, 2008, Open XML File Format Converter.
Not Affected:
- Microsoft Works versions: 8.5, 9.0, Suite 2005, Suite 2006.
- Microsoft Office SharePoint Server versions: 2003 SP3, 2007, 2007 SP1, 2007 64-bit, 2007 64-bit SP1.
MS08-073 - Cumulative Security Update for Internet Explorer
-----------------------------------------------------------
Rating: Critical
Impact: Remote Code Execution
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-073.mspx
Known Issues: None
Affected: Internet Explorer versions: 5.01 SP4, 6, 6 SP1, 7.
MS08-072 - Vulnerabilities in Microsoft Office Word
---------------------------------------------------
Rating: Critical
Impact: Remote Code Execution
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-072.mspx
Known Issues: http://support.microsoft.com/kb/957173
Affected:
- Microsoft Office Word versions: 2000 SP3, 2002 SP3, 2003 SP3, 2007, 2007 SP1.
- Microsoft Office Outlook versions: 2007, 2007 SP1.
- Microsoft Office Word Viewer versions: 2003, 2003 SP3.
- Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats.
- Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats SP1.
- Microsoft Works 8.
- Microsoft Office for Mac versions: 2004, 2008, Open XML File Format Converter.
Not Affected:
- Microsoft Office Outlook versions: 2000 SP3, 2002 SP3, 2003 SP3.
- Microsoft Works 9.0.
MS08-071 - Vulnerabilities in GDI
---------------------------------
Rating: Critical
Impact: Remote Code Execution
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-071.mspx
Known Issues: None
Affected:
- Microsoft Windows versions: 2000 SP4, XP SP2, XP SP3, XP Pro x64, XP Pro x64 SP2.
- Windows Server 2003 versions: SP1, SP2, x64, x64 SP2, Itanium SP1, Itanium SP2.
- Windows Vista versions: Vista, Vista SP1, x64, x64 SP1.
- Windows Server 2008 versions: 32-bit, x64, Itanium.
MS08-070 - Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls)
----------------------------------------------------------------------------------------
Rating: Critical
Impact: Remote Code Execution
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-070.mspx
Known Issues: http://support.microsoft.com/kb/932349
Affected:
- Microsoft Visual Basic 6.0 Runtime Extended Files.
- Microsoft Visual versions: Studio .NET 2002 SP1, Studio .NET 2003 SP1.
- Microsoft Visual versions: FoxPro 8.0 SP1, FoxPro 9.0 SP1, FoxPro 9.0 SP2.
- Microsoft Office versions: FrontPage 2002 SP3, Project 2003 SP3, Project 2007, 2007 SP1.
Not Affected:
- Microsoft Visual Studio versions: 2005 SP1, 2008, 2008 SP1.
- Microsoft Office FrontPage versions: 2000 SP3, 2003 SP3.
- Microsoft Expression Web, Microsoft Expression Web 2.
- Microsoft Project versions: 2000 SR1, 2002 SP1.
- Microsoft Office Project Server versions: 2003 SP3, 2007, 2007 SP1.
- Microsoft Office Project Portfolio Server 2007, Microsoft Office Project Portfolio Server 2007 SP1.
Microsoft Security Advisory (960906) - Vulnerability in WordPad Text Converter
------------------------------------------------------------------------------
Impact: Remote Code Execution
Link: http://www.microsoft.com/technet/security/advisory/960906.mspx
Recommendation: Do not use WordPad to open unexpected .doc, .wri, or .rtf files.
Status: Under investigation, no patch available at present.
Affected:
- Microsoft Windows versions: 2000 SP4, XP SP2, XP Pro x64, XP Pro x64 SP2.
- Windows Server 2003 versions: SP1, SP2, Itanium SP1, Itanium SP2, x64, x64 SP2.
Not Affected:
- Windows versions: XP SP3, Vista, Vista SP1, Vista x64, Vista x64 SP1.
- Windows Server 2008 versions: 32-bit, 64-bit, Itanium.
ACTION
======
Administrators of affected computers are advised to review the bulletins, test and apply relevant updates.
Computers in the testbed will have the patches applied immediately, and their performance will be monitored.
The effects of the patches on these computers will be sent to its-announce@unimelb.edu.au by early afternoon on Fri 12 Dec 2008.