Microsoft Patch Tuesday fixes nine vulnerabilities

Share this article:
In its Patch Tuesday update, Microsoft addressed nine vulnerabilities by releasing four security updates, none of which were deemed critical.

The updates, all rated as “important,” included fixes that patched vulnerabilities in the Windows Domain Name System (DNS), could allow spoofing (MS08-037). With this fix, two vulnerabilities that could allow a remote attacker to redirect network traffic intended for systems on the internet to the attacker's own systems were eliminated.

Another patch fixed a vulnerability in Windows Explorer that could allow remote code execution (MS08-038). This update resolved a flaw that could have allowed an attacker to remotely take control of an affected system.

Said Don Leatham, director of solutions and strategy at Lumension Security: “This announcement gives administrators some breathing room to get caught up and assess their overall security posture from a mitigation standpoint."

But it all depends on individual circumstances, he said.

The other two patches could have more impact on businesses.

The third update fixes vulnerabilities in Outlook Web Access for Exchange Server that could allow elevation of privilege (MS08-039). This update resolved vulnerabilities that could enable attackers to gain access to an individual's session data, allowing elevation of privilege.

Again, the severity for individual organizations can differ.

The fourth update patches vulnerabilities in Microsoft SQL Server that could allow elevation of privilege (MS08-040). The more serious of the such vulnerabilities could enable an attacker to run code and to take complete control of an affected system.

Said Leatham: "Organizations should pay close attention to the issue of elevation of privilege in SQL and Exchange servers, as exploitation of these targets can easily negate the policy and enforcement efforts made in the provisioning of and access management setup on such systems. Both of these products can be high-value targets and these vulnerabilities could be considered critical depending on the organization."

Schultze said that compared to other months, this is a "sleeper."

The danger of applying low severity levels is that it gives people the impression that they can wait a little longer and not pay as much attention to the latest updates, he said. But security officials should carry through with any standard patch-management processes, and jump on the ones that are directly applicable.

“Although they are not labeled critical, each user should evaluate them for their own environment,” Schultze said.
 

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Kevin Mitnick to sell zero-day exploits

Kevin Mitnick's new venture will develop and procure zero-day exploits, then sell them for $100,000 or more.

FBI warns of potential cyber attacks launched by ISIS hacktivists

Following U.S. military airstrikes in the Middle East, the FBI has issued a warning regarding possible cyber threats aimed at U.S. networks and critical infrastructure by hacktivists in support of ISIS.

Report: 75 million records compromised so far in 2014

Report: 75 million records compromised so far in ...

An updated report indicates that since this time last year, breaches have increased by 29.4 percent, with 568 breaches occurring this year.