Size not everything on Patch Tuesday
Despite only releasing six patches, Microsoft has finally addressed critical vulnerabilities in its Jet database engine.


Late yesterday Microsoft patched six vulnerabilities in its software products with four patches related to Windows, Word, Publisher and its anti-virus software. Three patches were rated "critical".
Most analysts agreed the most important was a fix for Microsoft's Jet Database Engine, as they said last week in response to Microsoft's preview notice about May's round of regular security patches.
MS08-028 replaces components in Jet that Microsoft said could allow for remote code execution-based exploits if vulnerable Windows 2000, Windows XP SP2 and Windows Server SP1 systems become compromised.
Alan Bentley, Lumension (formerly PatchLink) Europe, Middle East and Africa regional vice president, said: "The Jet bulletin is the critical patch that will have the widest impact because it affects Windows XP, Windows 2000 and Windows Server 2003. When prioritising this month's patches, this will probably get the most attention because of the number of organisations running these systems and programs."
The software giant only acknowledged on 22 March that Jet - the Windows component that provides data access to applications such as Microsoft Access and Visual Basic - still had holes. The company subsequently claimed it had remained unpatched for over two years, because it thought it had blocked the obvious attack vectors.
"Jet Database should be done first," suggested Amol Sarwate, Qualys vulnerability research lab manager. "This is a zero-day that Microsoft themselves acknowledged as having seen not only proof-of-concept code, but also public exploits."
The patch also took an unusual measure by changing some of the logic that allows Word documents to load Access .mdb files without prompting, following Microsoft's further admission in March that it had not anticipated this particular attack vector.
The bulletin added: "In addition to the changes that are listed in the 'Vulnerability Details' section of this [MS08-028] bulletin, this update includes logic enhancements to security warnings that mitigate Word as an attack vector used to exploit vulnerabilities in Microsoft Jet Database Engine. After applying this update, Word will prompt a user for confirmation before running SQL commands or queries when opening Word documents."
MS08-026 patched two critical bugs in Word and Outlook's rendering of rich text format (RTF) files and documents with cascading style sheets (CSS).
The patch was given the highest "critical" rating in Word 2000 and Outlook 2007 and rated as "important" in Word 2002, 2003 and 2007, as well as in the versions of Word included with Office 2004 for Mac and Office 2008 for Mac. Meanwhile, MS08-027 addressed a remote code execution flaw rated "critical" and found in several versions of Microsoft Publisher.
Bentley said: "The other two critical updates have a fairly narrow impact, only affecting Word 2000 and Publisher 2000. However, it is vital that organisations with widespread deployments of Word and/or Publisher 2000 pay close attention to these advisories and roll out the patches swiftly."
Lastly, two denial-of-service bugs in the anti-malware scanning engine used by Microsoft's Antigen, Forefront Security, Windows Live OneCare and Windows Defender security products were also fixed. Although the patch is rated only "moderate", the vendor's third-highest threat rating, most analysts called it out as important, given the engine's role in so many Microsoft security products.
"Whenever security tools themselves are affected we encourage customers to treat them with increased importance. Any company that relies on these programs as part of their overall security posture should pay close attention to this update," said Bentley.
A 25-year veteran enterprise technology expert, Miya Knights applies her deep understanding of technology gained through her journalism career to both her role as a consultant and as director at Retail Technology Magazine, which she helped shape over the past 17 years. Miya was educated at Oxford University, earning a master’s degree in English.
Her role as a journalist has seen her write for many of the leading technology publishers in the UK such as ITPro, TechWeekEurope, CIO UK, Computer Weekly, and also a number of national newspapers including The Times, Independent, and Financial Times.