For Storms, MS08-015 was the second-most-important bulletin of the quartet. Affecting every supported version of Outlook -- and critical across the board, even on the newest edition, Outlook 2007 -- the bug is located in code that tells Microsoft's e-mail client how to handle the "mailto:" URI protocol handler.
URI (Uniform Resource Identifier) protocol handler bugs have plagued Microsoft's software, as well as that of other vendors, since last summer. Microsoft patched a general protocol handler flaw in Windows back in November, for example, but only after several months of sometimes contentious debate about who was responsible for the vulnerability.
It's likely, said nCircle's Storms, that the mailto: flaw in Outlook was actually discovered during the URI protocol handler dustup, and reported privately to Microsoft around then. "It makes sense that this was disclosed about the same time," said Storms. "Everybody was scrutinizing the URI issue, so the likelihood of someone finding it then was really high." Because the bug was reported directly to Microsoft and news of it didn't leak, Microsoft could take its time crafting a patch, Storms theorized. Microsoft credited Greg MacManus of iDefense Labs for reporting the vulnerability.
Unlike most Office-related vulnerabilities, however, the Outlook bug isn't in a file format, and doesn't require hackers to deliver rigged attachments. Instead, the bug can be triggered by simply clicking on a specially-crafted mailto: URI that would then take the victim to a malicious or hacked Web site.
The other two bulletins -- MS08-016 and MS08-017 -- fix a pair of parsing and memory corruption bugs in several versions of Office, and plug two holes in Office Web Components, controls that let users publish spreadsheets, charts and databases to the Web, then view that content once it's published.
What's interesting, Storms said, is that those vulnerabilities, as well at the other eight in the dozen patched today, can all be mitigated by doing what Microsoft and others constantly recommend: Run Windows as a local user, not with admin rights. "This might be the first month ever that running [as a local] user protects you from all the bugs," Storms said.
On the trend line, both Storms and Amol Sarwate, the manager of Qualys Inc.'s vulnerability lab, pointed to the emphasis on client applications, not the operating system, in today's updates. "The trend again is of vulnerabilities in client-side applications," said Sarwate, noting the shift toward exploiting flaws in commonly-used programs like Microsoft Office.
"If you look at these, there's a lot of copy and paste," said Storms, referring to the bulletins' descriptions and the other flavor of today's updates. "They're all [about] Office, they're all critical. That totally makes sense [and] may be a turning point for Microsoft. Maybe they're clearing out the last batch of vulnerabilities in Office. It's such a homogeneous bunch and so similar all down the line.
"Maybe they've finally gotten their act together," Storms concluded.
The four security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.