Microsoft Releases 7 Patches, 3 Critical
- By Jabulani Leffall
- June 10, 2008
Microsoft released
seven patches for its June rollout of security fixes. As expected,
three are labeled "critical," three "important" and one "moderate."
In total, the patches address about 10 separate vulnerabilities.
All of the critical items plug holes open to remote code execution (RCE)
exploits in three Windows components: the stack for Bluetooth, the wireless
protocol for voice and data; Internet Explorer; and Microsoft DirectX, an
application programming interface in Windows.
Meanwhile, the important fixes are designed to block elevation-of-privilege
and denial-of-service attacks against Windows Internet Name Service,
Active Directory and Pragmatic General Multicast, a transport protocol that
Windows programs use for file transfer and streaming media.
The moderate patch applies to the kill bit function in Windows programs, a
method by which a user can shut off an ActiveX control in IE.
But it's the Bluetooth vulnerability, experts say, that is most important to
patch because it exemplifies the relatively nascent attack vector of wireless
peripherals.
"[The Bluetooth vulnerability] is noteworthy because user interaction is not
required," said Ben Greenbaum, senior research manager for Symantec. "All that
is required is for the device to have Bluetooth on and to be within range of
the attacker. That's something IT guys should look at first."
Second to that in importance, according to Greenbaum, is the patch for Active
Directory, a critical component for system settings in a Windows environment.
He added that the IE patch is also "very mission-critical."
Critical Items
Bluetooth technology and how it interoperates with Windows components and applications
is the theme of the first
critical patch. According to Redmond, it resolves "a privately reported
vulnerability in the Bluetooth stack in Windows" which could allow a hacker
carte blanche -- edit, delete, change and write capabilities -- over an enterprise
system. The affected systems are all versions of Windows XP, Service Packs 2
and 3, and Vista SP1.
"The Bluetooth bulletin is the most interesting critical patch that deserves
keen attention," said Paul Zimski of Scottsdale, Ariz.-based Lumension Security.
"The impact of a remote code execution in Windows Bluetooth could mean that
it's possible to attack a victim's computer just by being within close proximity
and not actually being on the network itself."
The second
critical patch is a cumulative security update for IE affecting every release
from 5.01 through 7; it also cuts a wide swath across operating systems. This
patch, which Microsoft said resolves one private and one publicly disclosed
vulnerability, will touch Windows 2000 SP4, XP SP2 and SP3, Windows Server 2003
SP1 and SP2, Vista SP1, and all versions of Windows Server 2008. The fix is
designed to stave off hacker incursions via specially crafted Web pages in IE.
For the third
and final critical item, Redmond is patching different versions of DirectX
to stop hackers from deploying RCE exploits using maliciously configured media
files. DirectX is an application programming interface mostly used for developing
games, streaming audio, interactive video and other graphics features on Microsoft
platforms. Experts say security administrators would do well to patch this vulnerability
unless they want to find out a new meaning for "viral video."
Important Bulletins
The first
important patch pertains to Windows Internet Name Service, a data cluster
for holding host names and network addresses that acts as a central mapping
function for the network. It affects all editions of Windows Server 2003.
Next is the patch
for Active Directory in XP, Windows Server 2003 and the 32- and 64-bit versions
of Windows Server 2008. The patch prevents a hack that would leave enterprise
users locked out of their system via a denial-of-service exploit. Analysts say
the "important" label for this patch may be misleading.
"Even though the Active Directory bulletin is only marked as important, this
is something businesses will want to address primarily because Active Directory
is such a business-critical system and an attack could potentially grind networks
to a halt," Zimski said.
The file transfer and streaming media transmission protocol called Pragmatic
General Multicast is at the center of the third
and last important patch of the month. This fix, which resolves what Redmond
called "two privately reported vulnerabilities" in the program, would also prevent
denial-of-service exploits affecting XP, Vista, Windows Server 2003 and Windows
Server 2008.
In 'Moderation'
In recent months, Microsoft has mostly confined its patch designations to either
"critical" or "important." But this month, one
"moderate" item has been thrown into the mix.
This patch is a cumulative security update of ActiveX kill bits, fixing what
Microsoft's executive summary described as a "vulnerability [that] could allow
remote code execution if a user viewed a specially crafted Web page" with a
speech-recognition feature in Windows enabled. Additionally, this includes a
kill bit for software produced by independent software vendor BackWeb.
Microsoft noted that this vulnerability may not affect end users that much,
especially if they don't have administrative rights on a system.
All seven patches this month will require a restart or reboot of some kind.
And, as in other Patch Tuesdays since late spring, Microsoft referred IT pros
to this
Knowledge Base article for a description of non-security and high-priority updates
on Microsoft Update, Windows Update and Windows Server Update Services. Some
of this month's items include updates for IE 7 dynamic installer and updates
for XP, Vista and Windows Server versions 2003 and 2008.
"Nothing particularly shocking this month -- except for me being shocked that
I actually tend to agree in the context of the severity of patch designations.
I think Microsoft got it right this time," said Eric Schultze, chief technology
officer of Shavlik Technologies in St. Paul, Minn. "An important thing to note
is that four of the seven bulletins are server-side vulnerabilities, meaning
no user interaction is required for a system to be hacked. Hackers have more
fun with server-side issues."
About the Author
Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.