Microsoft Patch Tuesday fixes nine vulnerabilities

Share this article:
In its Patch Tuesday update, Microsoft addressed nine vulnerabilities by releasing four security updates, none of which were deemed critical.

The updates, all rated as “important,” included fixes that patched vulnerabilities in the Windows Domain Name System (DNS), could allow spoofing (MS08-037). With this fix, two vulnerabilities that could allow a remote attacker to redirect network traffic intended for systems on the internet to the attacker's own systems were eliminated.

Another patch fixed a vulnerability in Windows Explorer that could allow remote code execution (MS08-038). This update resolved a flaw that could have allowed an attacker to remotely take control of an affected system.

Said Don Leatham, director of solutions and strategy at Lumension Security: “This announcement gives administrators some breathing room to get caught up and assess their overall security posture from a mitigation standpoint."

But it all depends on individual circumstances, he said.

The other two patches could have more impact on businesses.

The third update fixes vulnerabilities in Outlook Web Access for Exchange Server that could allow elevation of privilege (MS08-039). This update resolved vulnerabilities that could enable attackers to gain access to an individual's session data, allowing elevation of privilege.

Again, the severity for individual organizations can differ.

The fourth update patches vulnerabilities in Microsoft SQL Server that could allow elevation of privilege (MS08-040). The more serious of the such vulnerabilities could enable an attacker to run code and to take complete control of an affected system.

Said Leatham: "Organizations should pay close attention to the issue of elevation of privilege in SQL and Exchange servers, as exploitation of these targets can easily negate the policy and enforcement efforts made in the provisioning of and access management setup on such systems. Both of these products can be high-value targets and these vulnerabilities could be considered critical depending on the organization."

Schultze said that compared to other months, this is a "sleeper."

The danger of applying low severity levels is that it gives people the impression that they can wait a little longer and not pay as much attention to the latest updates, he said. But security officials should carry through with any standard patch-management processes, and jump on the ones that are directly applicable.

“Although they are not labeled critical, each user should evaluate them for their own environment,” Schultze said.

Share this article:

Sign up to our newsletters

More in News

Pentagon to triple its security workforce by 2016

Pentagon to triple its security workforce by 2016

Defense Secretary Chuck Hagel recently announced the recruitment efforts during a speech in Fort Meade, Md.

Tech manufacturer's online payment system breached

LaCie confirmed an unauthorized party used malware to access its online payment system for almost a year and could have stolen customer information.

The Heartbleed bug works, and could be a scapegoat for older breaches

The Heartbleed bug works, and could be a ...

Researchers proved the Heartbleed bug was real in a challenge issued by CloudFlare to prove private keys can be stolen, right around the time companies are claiming they were breached ...