Microsoft Patch Tuesday Brings Seven Fixes

The DirectX and IE vulnerabilities are noteworthy because they could be exploited using proven methods of social engineering, security researchers point out.
For its June security update, Microsoft on Tuesday released seven security patches addressing 10 vulnerabilities.

As Microsoft indicated in its security advisory last week, three of the bulletins are rated "critical," three are rated "important," and one is rated "moderate."

MS08-030 ("critical") addresses a vulnerability in the Bluetooth stack in Windows that could allow remote code execution.

"The Bluetooth flaw is the sort of server-side vulnerability you don't see too often," said Eric Schultze, CTO of Shavlik Technologies. "That means someone can hack you and you don't have to do anything."

Tyler Reguly, a security engineer with nCircle, observed in an e-mail that the Bluetooth vulnerability is mitigated by the fact that Bluetooth has a very limited range.

Four of the seven vulnerabilities this month, including the Bluetooth flaw, can be exploited without any user action, Schultze said.

MS08-031 ("critical") fixes a flaw in Microsoft Internet Explorer that could allow remote code execution if the user viewed a maliciously crafted Web page.

MS08-033 ("critical") resolves two DirectX issues that could allow remote code execution if a user opened a maliciously crafted media file.

Amol Sarwate, manager of vulnerability labs at Qualys, said that the DirectX and IE vulnerabilities are noteworthy because they could be exploited using proven methods of social engineering. "A user who views news or videos online could be compromised, because the news or videos could have malicious instructions that could install bad stuff on the user's machine," he said.

Other software affected includes the Microsoft Speech API (MS08-032), the Windows Internet Name Service (MS08-034), Active Directory (MS08-035), and Pragmatic General Multicast (MS08-036).

Notably absent is a fix for the Cross-Zone Scripting vulnerability identified by security researcher Aviv Raff last month.

Microsoft, however, isn't the only vendor that doesn't immediately respond to vulnerability reports. The company last month warned Windows users of a possible security flaw related to the way Apple's Safari Web browser handles files under Windows. Security researcher Nitesh Dhanjani calls it the Safari Carpet Bomb vulnerability.

Apple on Monday released QuickTime 7.5, fixing five security vulnerabilities in its media software. But the Safari Carpet Bomb vulnerability was not addressed.