Microsoft Security Bulletin

I try not to take up your time by posting for the sake of posting to this blog – but this is something you should be considering! Local, national and international media interest adds clout to the importance of this update. Hope its helpful. Regards JIM Abstract Please find below a level 3 critical product vulnerability alert email, the 17thDecember Microsoft Security Bulletin Release from the Microsoft CSS Security Team.

—————————————————————————

Background What is the purpose of this alert?   This alert is to provide you with an overview of the new security bulletin being released (out-of-band) on December 17, 2008. Microsoft has released security bulletin MS08-078, Security Update for Internet Explorer (960714), to address a vulnerability in all currently supported versions of Internet Explorer . This security update was released outside of the usual monthly security bulletin release cycle in an effort to protect customers.

—————————————————————————

Executive Summary This security update resolves a publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition. This security update also addresses the vulnerability first described in Microsoft Security Advisory 961051.

—————————————————————————

Recommendations   Microsoft recommends customers prepare their systems and networks to apply this security bulletin immediately once released to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit http://www.microsoft.com/protect.

—————————————————————————

New Security Bulletin Technical Details   Identifier MS08-078 Severity Rating This security update is rated Critical for Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 SP1,  and Internet Explorer 7. Impact of Vulnerability Remote Code Execution Detection Microsoft Baseline Security Analyzer can detect whether your computer system requires this update. Affected Software Internet Explorer 5.01 (Windows 2000), Internet Explorer 6 (Windows 2000), Internet Explorer 6 SP1 (Windows XP and Windows Server 2003), and Internet Explorer 7 (Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008).  For information about Internet Explorer 8 (Beta) please see the FAQ section of the bulletin. Restart Requirement The update will require a restart only if the required files are being used.  If this occurs, a message appears that advises you to restart. Removal Information ·         For Windows 2000, Windows XP, Windows Server 2003: Use Add or Remove Programs tool in Control Panel or the Spuninst.exe utility ·         For Windows Vista and Windows Server 2008: WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates. Bulletins Replaced by This Update None. Full Details: http://www.microsoft.com/technet/security/bulletin/MS08-078.mspx   Public Bulletin Webcast   Microsoft will host two Webcasts to address customer questions on this Out-of-Band bulletin:   Title: Information About Microsoft December Out-of-Band Security Bulletin Date: Wednesday, December 17, 2008 1:00 P.M. Pacific Time (U.S. & Canada) URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399448&Culture=en-US  Title: Information About Microsoft December Out-of-Band Security Bulletin #2 Date: Thursday, December 18, 2008 11:00 A.M. Pacific Time (U.S. & Canada) URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399449&Culture=en-US   Regarding Information Consistency   We strive to provide you with accurate information in static (this mail) and dynamic (Web-based) content. Microsoft’s security content posted to the Web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s Web-based security content, the information in Microsoft’s Web-based security content is authoritative.   If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.   Thank you,   Microsoft CSS Security Team