Officially released yesterday (December 9), Microsoft's regular December update is divided into 8 major patches, grouped by individual product such as the Windows operating system, Internet Explorer, Office, SharePoint, Windows Media, Visual Basic and Visual Studio.
As many as 23 of the 28 flaws corrected in this round are rated 'Critical', the highest level on Microsoft's four-step scale for assessing the severity of security vulnerabilities. 3 flaws are rated at the lower 'Important' level and two are rated 'Moderate'.
Most security experts agree that the December security update has met users' expectations. In other words, it fully addresses the security vulnerabilities that were discovered recently and have been exploited by hackers to attack users.
Priority
Andrew Storms, director of security at nCircle Network Security Inc, said the first thing to mention is the security flaws in the Graphics Device Interface (GDI), the core graphics component of the Windows operating system. Bulletin MS08-071 fixes a total of 2 different security flaws in GDI.
'This fix is quite similar to the MS08-021 patch that was released in April last year,' said Mr. Storms. MS08-021 also addressed two different vulnerabilities in GDI. It can be said that ever since GDI was found to be faulty, Microsoft has been correcting it constantly. The latest fix for this important component was released last September.
And like the flaws that were fixed in September, these flaws could also be exploited by hackers to attack users by tricking them into downloading and opening a malicious Windows Metafile (WMF) file.
'GDI is the core kernel component available in almost every Windows operating system version. The risk of users being attacked may be very clear,' said Amol Sarwate, Qualys Inc's director of security research.
Next after the GDI patch in the order of priority for urgent installation is the fix for Internet Explorer, MS08-073. This patch fixes a total of 4 security bugs in the browser. But in Mr. Sarwate's opinion, the second position in the priority order should go to MS08-070 for Visual Basic.
'This is a security bug that is difficult to exploit,' said Wolfgang Kandek, Qualys' chief technology officer. Although ordinary users do not use Visual Basic, flaws in this application development environment can affect almost everyone browsing the web with Internet Explorer.
'Microsoft has warned application developers to upgrade their systems and Visual Basic Runtime. The application developers themselves must send a full alert to all users who are using their ActiveX Control. You know that ActiveX is an indispensable component in IE. ActiveX errors mean hackers can still attack websites and upload malicious content through their own ActiveX errors.'
MS08-070 fixes a total of 6 security flaws in Visual Basic. All are rated 'Critical' and need to be patched as soon as possible.
Other fixes include MS08-072, which fixes a total of 8 flaws in Microsoft Word. MS08-074 fixes 3 security flaws in Microsoft Excel. Windows Media received MS08-076, which fixes two flaws. SharePoint has only one flaw fixed in this round, through patch MS08-077. The final patch, MS08-075, is for Windows Search and fixes two flaws.
Eric Schultze, chief technology officer of Shavlik Technologies LLC, said that among these patches, MS08-076 has drawn the most attention. These flaws are very similar to the ones fixed the previous month by MS08-068. The flaw corrected is in the Server Message Block (SMB) protocol.
'The attack method is similar to the one mentioned in the MS08-068 fix. The difference is reasonable in the login mechanism on the system. Microsoft has said that Windows Media Player does not use the same rules as the operating system; why this fix?'
Mr. Storms said attention should also be paid to MS08-075, which fixes bugs in Windows Search, built into Windows Vista and Windows Server 2008. This flaw is notable not only because it affects the new versions of Windows but also because it originates from another protocol in Windows: the 'search-ms' protocol.
Users can download the above fixes via the operating system's automatic update feature. This is the most convenient way and requires little intervention.