Microsoft Releases 7 Patches, 3 Critical

Microsoft released seven patches for its June rollout of security fixes. As expected, three are labeled "critical," three "important" and one "moderate."

In total, the patches address about 10 separate vulnerabilities.

All three critical items fix remote code execution (RCE) vulnerabilities: in the Windows components that handle Bluetooth, the short-range wireless protocol used for voice and data; in Internet Explorer; and in Microsoft DirectX, an application programming interface in Windows.

Meanwhile, the important fixes are designed to block elevation of privilege and denial of service from would-be hackers in Windows Internet Name Service, Active Directory and Pragmatic General Multicast, a transport protocol in Windows programs used for file transfer and streaming media.

The moderate patch applies to the kill bit function in Windows programs, a method by which a user can shut off an ActiveX control in IE.

But it's the Bluetooth vulnerability, experts say, that is most important to patch because it exemplifies the relatively nascent attack vector of wireless peripherals.

"[The Bluetooth vulnerability] is noteworthy because user interaction is not required," said Ben Greenbaum, senior research manager for Symantec. "All that is required is for the device to have Bluetooth on and to be within range of the attacker. That's something IT guys should look at first."

Second to that in importance, according to Greenbaum, is the patch for Active Directory, a critical component for managing system settings in a Windows environment. He added that the IE patch is also "very mission-critical."

Critical Items
The first critical patch concerns Bluetooth technology and how it interoperates with Windows components and applications. According to Redmond, it resolves "a privately reported vulnerability in the Bluetooth stack in Windows" which could allow a hacker carte blanche -- edit, delete, change and write capabilities -- over an enterprise system. The affected systems are all versions of Windows XP, Service Packs 2 and 3, and Vista SP1.

"The Bluetooth bulletin is the most interesting critical patch that deserves keen attention," said Paul Zimski of Scottsdale, Ariz.-based Lumension Security. "The impact of a remote code execution in Windows Bluetooth could mean that it's possible to attack a victim's computer just by being within close proximity and not actually being on the network itself."

The second critical patch is a cumulative security update for IE affecting every release from 5.01 through 7; it also cuts a wide swath across operating systems. This patch, which Microsoft said resolves one private and one publicly disclosed vulnerability, will touch Windows 2000 SP4, XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Vista SP1, and all versions of Windows Server 2008. The fix is designed to stave off hacker incursions via specially crafted Web pages in IE.

For the third and final critical item, Redmond is patching different versions of DirectX to stop hackers from deploying RCE exploits using maliciously configured media files. DirectX is an application programming interface mostly used for developing games, streaming audio, interactive video and other graphics features on Microsoft platforms. Experts say security administrators would do well to patch this vulnerability unless they want to find out a new meaning for "viral video."

Important Bulletins
The first important patch pertains to Windows Internet Name Service, a service that maintains a database of host names and network addresses and acts as the network's central name-to-address mapping function. It affects all editions of Windows Server 2003.

Next is the patch for Active Directory in XP, Windows Server 2003 and the 32- and 64-bit versions of Windows Server 2008. The patch prevents a hack that would leave enterprise users locked out of their system via a denial-of-service exploit. Analysts say the "important" label for this patch may be misleading.

"Even though the Active Directory bulletin is only marked as important, this is something businesses will want to address primarily because Active Directory is such a business-critical system and an attack could potentially grind networks to a halt," Zimski said.

The file transfer and streaming media transmission protocol called Pragmatic General Multicast is at the center of the third and last important patch of the month. This fix, which resolves what Redmond called "two privately reported vulnerabilities" in the program, would also prevent denial-of-service exploits affecting XP, Vista, Windows Server 2003 and Windows Server 2008.

In 'Moderation'
In recent months, Microsoft has mostly confined its patch designations to either "critical" or "important." But this month, one "moderate" item has been thrown into the mix.

This patch is a cumulative security update of ActiveX kill bits, fixing what Microsoft's executive summary described as a "vulnerability [that] could allow remote code execution if a user viewed a specially crafted Web page" with a speech-recognition feature in Windows enabled. Additionally, this includes a kill bit for software produced by independent software vendor BackWeb.
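As an added illustration of the kill bit mechanism this bulletin relies on (example code written for this page, not code from the article or from Microsoft), the PowerShell below audits whether a control's kill bit is set and, if not, sets it. The registry location and the 0x400 "Compatibility Flags" value are Microsoft's documented kill-bit convention; the CLSID is a constructed placeholder, to be replaced with the CLSID named in the bulletin being audited.

```powershell
# Added example (not from the article): audit and set the IE kill bit for an
# ActiveX control. The kill bit is the 0x400 flag in the "Compatibility Flags"
# DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
$KillBit = 0x400

function Get-ActiveXCompatKeys {
    param([Parameter(Mandatory)][string]$Clsid)
    $keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if ([Environment]::Is64BitOperatingSystem) {
        # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so audit both.
        $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $keys
}

function Test-ActiveXKillBit {
    # Returns $true only if the kill bit is present in every applicable registry view.
    param([Parameter(Mandatory)][string]$Clsid)
    $allSet = $true
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        if (-not (Test-Path $key)) { $allSet = $false; continue }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or (($flags -band $KillBit) -ne $KillBit)) { $allSet = $false }
    }
    return $allSet
}

function Set-ActiveXKillBit {
    # Sets the kill bit in every applicable view, preserving any other flag bits.
    # Writing under HKLM requires an elevated session.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
    }
}

# Constructed placeholder CLSID; substitute the CLSID from the bulletin being audited.
$clsid = '{00000000-0000-0000-0000-000000000000}'
if (Test-ActiveXKillBit -Clsid $clsid) {
    Write-Output "Kill bit already set for $clsid"
} else {
    Write-Output "Kill bit NOT set for $clsid; setting it now"
    Set-ActiveXKillBit -Clsid $clsid
}
```

Setting the kill bit only blocks the control from loading in IE; it does not remove the vulnerable component from the system, so the cumulative update itself is still required.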

Microsoft noted that this vulnerability may not affect end users that much, especially if they don't have administrative rights on a system.

All seven patches this month will require a restart or reboot of some kind. And, as in other Patch Tuesdays since late spring, Microsoft referred IT pros to this Knowledge Base article for a description of non-security and high-priority updates on Microsoft Update, Windows Update and Windows Server Update Services. Some of this month's items include updates for IE 7 dynamic installer and updates for XP, Vista and Windows Server versions 2003 and 2008.

"Nothing particularly shocking this month -- except for me being shocked that I actually tend to agree in the context of the severity of patch designations. I think Microsoft got it right this time," said Eric Schultze, chief technology officer of Shavlik Technologies in St. Paul, Minn. "An important thing to note is that four of the seven bulletins are server-side vulnerabilities, meaning no user interaction is required for a system to be hacked. Hackers have more fun with server-side issues."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.