Microsoft Releases 8 Security Patches, 4 Deemed 'Critical'

• By Dian Schaffhauser
• 04/08/08

Microsoft released its latest security update, which includes eight cumulative patches addressing vulnerabilities in Office applications, Windows, and Internet Explorer.

MS08-022, considered critical by the company, secures a vulnerability in the VBScript and JScript scripting engines in Windows 2000, XP and Windows Server 2003. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

MS08-023 and MS08-024, considered critical, address holes that could allow remote code execution if a user viewed specially crafted Web pages using Internet Explorer. Users with administrative rights would be more greatly affected than those with fewer user rights on the system.

MS08-021, also pegged as critical, addresses vulnerabilities in GDI, which could allow remote code execution if a user opened a specially crafted EMF or WMF image file.

MS08-025, considered important, resolves a privately reported vulnerability in the Windows kernel. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. It affects Windows 2000, Windows Server 2003 and 2008, XP and Vista.

MS08-020 addresses a spoofing vulnerability that exists in Windows DNS clients, in which an attacker could send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations.

MS08-018 and MS08-019 address vulnerabilities in Office Project and Visio, respectively, in which the programs could allow code execution if a user opens a specially crafted file.