Saturday 13 September 2008

MS08-52 - Micrososft Security Patch Update

Critical Microsoft Security Patch MS08-052 Updated!

Patch Tuesday happens more than once a month. In fact, our automated anlaysis indicates that the Microsoft security database changes between 3 and 4 times a month. This time, one of the critical patches has been updated; patch MS08-052.


And the reason, as quoted by Microsoft is; "Bulletin updated to add Microsoft Office Project 2002 Service Pack 2, all Office Viewer software for Microsoft Office 2003, and all Office Viewer software for 2007 Microsoft Office System as Affected Software."

Given that this patch was rated critical and recently updated, I decided to spend a bit more time on some of the issues surrounding the September patch update, "MS08-052 Vulnerabilities in GDI+ Could Allow Remote Code Execution"  and wanted a few more thoughts to this possibly disruptive update.


First, the FSIRT update indicates a number of vulnerabilities with GDI including;

  1. The first issue is caused by a heap overflow error when processing gradient sizes handled by the vector graphics link library, which could be exploited to execute arbitrary code via a malicious web site.
  2. The second vulnerability is caused by a memory corruption error when processing a specially crafted EMF image file, which could be exploited to execute arbitrary code via a malicious image.
  3. The third issue is caused by an error when parsing records in a specially crafted GIF image file, which could be exploited to execute arbitrary code via a malicious web site.
  4. The fourth vulnerability is caused by a buffer overflow error when allocating memory when parsing a specially crafted WMF image file, which could be exploited to execute arbitrary code via a malicious image.
  5. The fifth issue is caused by a buffer overflow error when processing a malformed header in a specially crafted BMP image file, which could be exploited to execute arbitrary code via a malicious web site.
The full documentation can be found here;  http://www.frsirt.com/english/advisories/2008/2520 

I really think that this level of detail would be really helpful in our future reports, so, apologies for not including it in this month's Patch Tuesday report.


And, if you would like to find out more about GDI+, look here: http://msdn.microsoft.com/en-us/library/ms533798(VS.85).aspx

And have run the contents of this package against our test AOK Application Compatibility test portfolio. Why?

Once loaded into our system, we can analyse each application package (MSI) for configuration data overlaps (file s and registry settings)  and in addition look into the dependencies for each file in each package and determine if there is a dependency on the GDI  components.

After some quick analysis of the GDI redistributable EXE, I found that bar the catalog and manifest files (CAT/MAN) there was only file gdiplus.dll included in the hotfix redistributable package . This was interesting news as the Patch update payload (the files included in the Security update MS08-055) only included a single file; gdiplus.dll. So, my worries were put to rest about the possible impact that this redistributable might have and I feel that our initial report still accurately reflects the potential impact of the security update MS08-52; both for overlaps for application packages and the corresponding dependency analysis.

In addition, I though it would be really helpful to include the links from the monthly Microsoft Patch related Questions and Answer session hosted by Christopher Budd from the Patch team. 


I wanted to highlight one question in particular  that was raised in this session, quoted here; 

"Q: Why does bulletin MS08-052 not indicate the SP for Office 2003/2007; so the patch will not be included, and MS08-053 will not be included in future SPs for Windows Server 2003/Vista/2008?  Are these typos?
A: For MS08-053, the fix is contained in the Windows Media Encoder.  This is an optional component and not applicable for the OS service pack.  For MS08-52, there is currently no Office 2003 SP3 scheduled.  However, it should be included in future service packs for Office 2007."
 
Note: the answer to this question is, "there is currently no Office 2003 SP3 scheduled"  Wow! 

No comments: