Risk
7/8/2008
05:35 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Patch Tuesday Brings Four Bulletins For Nine Flaws

Though a month without "critical" vulnerabilities and a low number of bulletins might suggest there's not much to worry about, researchers say Microsoft is downplaying the potential risks.

Microsoft on Tuesday released its security patches for July. These include four Security Bulletins that address nine vulnerabilities.

Microsoft rated each of the four Security Bulletins "important," which the company defines thus: "A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources."

The bulletins include "Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege" (MS08-040), "Vulnerability in Windows Explorer Could Allow Remote Code Execution" (MS08-038), "Vulnerabilities in DNS Could Allow Spoofing" (MS08-037), and "Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege" (MS08-039).

While the absence of any vulnerabilities with a "critical" rating and the relatively low number of bulletins might suggest there's not much to worry about this month, Eric Schultze, CTO of Shavlik Technologies, believes Microsoft is downplaying the potential risks.

"If you consider this a light month, then Microsoft has done its job," Schultze said. "By [rating the vulnerabilities 'important,'] they hoped to lessen their visibility. It's an interesting month because there's nothing very earth-shattering but there still are important things to pay attention to."

Chief among them are the BIND DNS vulnerabilities, which affect not only Windows but Linux and Unix systems too, including Apple's Unix-based Mac OS X.

Debian, a Linux vendor, has already posted security advisories about the issue.

On Tuesday, US CERT issued a Vulnerability Note indicating that the DNS flaws affect more than 80 vendors. The Internet Systems Consortium (ISC) released several fixes for BIND9 to address the issue.

Wolfgang Kandek, CTO of Qualys, warned that the DNS vulnerabilities could be used to send an Internet user to the wrong site and that there might be no way to recognize the deception without checking the site's certificate, which few bother doing. The technique is known as DNS Poisoning.

In an e-mailed statement, Tyler Reguly, a security engineer from nCircle, elaborated on the risks of DNS poisoning. "The two DNS vulnerabilities are very serious because there is potential to poison both the DNS Server and Client," he said. "If an attacker poisons the cache of a client by spoofing a response, it only affects a single computer, but if they poison the DNS Server, they could potentially provide spoofed responses to all clients utilizing that nameserver. By using this approach an attacker could potentially compromise a corporation's entire DNS infrastructure under the right circumstances."

Schultze said that while the "important" rating may be fair for the DNS flaws themselves, a DNS poisoning attack is usually the prelude to exposure to more serious malware, which might merit a "critical" rating. He added that both the Windows Explorer and SQL server vulnerabilities mention "remote code execution," which usually is considered "critical." He said Microsoft probably softened the severity rating because exploiting the vulnerabilities is difficult.

Amol Sarwate, manager of vulnerability labs at Qualys, said he knew of two vulnerabilities that Microsoft left unpatched: CVE-2008-1436 (Windows privilege elevation vulnerability), CVE-2008-2463 (Microsoft Office Access Snapshot Viewer ActiveX control vulnerability).

Microsoft on Monday released a Security Advisory about the Snapshot Viewer flaw. It published an advisory on the Windows privilege elevation issue in April.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
Hyatt Hit With Another Credit Card Breach
Dark Reading Staff 10/13/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.