Another month, another Patch Tuesday. For April, Microsoft has issued eight security bulletins that address 10 vulnerabilities, five of them rated critical.
All the bulletins address client-side vulnerabilities, continuing a trend reported this week in Symantec's Internet Security Threat Report. The report found that in the second half of 2007, more than half of patched operating-system vulnerabilities were browser and client-side vulnerabilities.
Scripting Stands Out
While all of Tuesday's security bulletins are serious, the vulnerabilities in the VBScript and JScript engines stand out because they ship on Windows by default and are tied to the operating system, according to Ben Greenbaum, senior research manager at Symantec Security Response.
"An attacker need only compromise and modify any Web page, which, when viewed by a user in a browser that uses these engines, will result in the execution of attacker-supplied code on the user's computer," Greenbaum said. "This attack requires no additional user action or intervention to exploit."
Microsoft actually reintroduced the VBScript and JScript fix that was pulled in February. Sheldon Malm, director of security research and development for nCircle, a network-security firm that works with companies like Visa, US Cellular and Archer Daniels Midland, has been watching this one closely.
"We've been very concerned about this one. It's another case where Web sites hosting third-party content can be used in multi-staged attacks," Malm said. "This is a particularly troubling trend for users because trusted sites can be used in an attack without compromising the site itself. One common example of this in action would be serving malicious ads on an otherwise trusted Web site."
Three Are Very Critical
By Qualys' standards, three of the bulletins are especially important because every version of Windows since Windows 2000 is affected and exploitation requires no software beyond the default installation, according to Amol Sarwate, manager of the vulnerability research lab at Qualys.
The ActiveX patch, MS08-023, is a "kill bit" update: it blocks Internet Explorer from instantiating the vulnerable ActiveX controls that ship with Yahoo! Music Jukebox. It is unusual in that it is the first Microsoft has ever provided for a third-party application that is not part of a default Microsoft system download or bundle, Sarwate said. Rather, it is for an aftermarket application that users have to choose to download. This could be an indication, he continued, that Microsoft may begin to provide additional third-party patches to enable organizations to obtain important security updates from one location.
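For readers who want to see what a kill bit actually is, the following PowerShell is an added example written for this article; it is not Microsoft's code and not the content of MS08-023 itself. A kill bit is a registry value: under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, a subkey named after the control's CLSID carries a DWORD "Compatibility Flags" with bit 0x400 set, and Internet Explorer refuses to load any control whose CLSID carries that bit. The CLSID below is a placeholder, not the Yahoo! Music Jukebox control's identifier.

```powershell
# Added example: check and set an ActiveX kill bit for a CLSID.
# Placeholder CLSID (assumption); replace it with the control you intend to block.
$clsid       = '{00000000-0000-0000-0000-000000000000}'
$killBitFlag = 0x400   # bit in "Compatibility Flags" that tells IE never to instantiate the control
$base        = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitState {
    param([string]$Clsid)
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $killBitFlag) -eq $killBitFlag)
}

function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in rather than overwriting, so other compatibility flags survive.
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $killBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Usage (run elevated): report the state, set the bit, report again.
"Before: kill bit set = $(Get-KillBitState $clsid)"
Set-KillBit $clsid
"After:  kill bit set = $(Get-KillBitState $clsid)"
```

Two caveats a practitioner will want. On 64-bit Windows, 32-bit Internet Explorer reads the same path under HKLM\SOFTWARE\Wow6432Node, so a kill bit meant for both bitnesses has to be written in both places. And a kill bit only stops IE (and other hosts that honour it) from loading the control; the vulnerable DLL stays on disk, so it is a mitigation for the drive-by vector rather than a fix for the underlying bug.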
"While there are no zero-day exploits addressed in Tuesday's release, there is an alarming trend in that the majority of the patches ... address vulnerabilities contained in legacy Microsoft code," Sarwate said. "This means that code reuse from older Windows versions dating back to 2000 is rampant and therefore affects a very wide base of Microsoft users."