Microsoft releases seven patches, three criticalIn what one security researcher called a broad-based set of releases, Microsoft on Tuesday unleashed seven patches, three for critical vulnerabilities, in its June Patch Tuesday round of bug fixes.
"There's a broad spectrum of applications and operating system components that are vulnerable," Paul Zimski, vice president of security solutions at Lumension Security, told SCMagazineUS.com. "This round includes everything from Internet Explorer to media components of DirectX to Active Directory to Windows Internet Name Services [WINS]. There's a lot of risk analysis that must be done by enterprises to prioritize the patches."
Of the three critical issues, Zimski called the Bluetooth vulnerability (MS08-030) the most interesting.
"It's probably one of the more complex, but less risky," he said. "It's interesting because you could potentially attack a remote user who has Bluetooth enabled without being part of their net segment."
Other analysts pointed to other fixes as worrisome.
“The vulnerability in the Bluetooth stack is especially noteworthy because it allows an attacker in range of a Bluetooth-enabled device running Windows XP or Vista to take control of that device,” said Ben Greenbaum, a senior research manager in Symantec's Security Response unit. “User interaction is not required. All that is required is for the device to have Bluetooth on and to be within range of the attacker.”
In some ways, however, the Bluetooth issue is more of a problem for home users, according to Zimski.
"From a business perspective, it's probably not enabled on corporate laptops, so enterprises may just want to control or disable Bluetooth if they don't have a need for it," he said.
"People traveling with laptops are probably the most likely to have Bluetooth enabled," Tyler Reguly, a security engineer with nCircle, told SCMagazineUS.com. "It's important to keep in mind the limited range of Bluetooth, which is what, in my opinion, somewhat limits the severity of the vulnerability."
"Windows administrators should take a look at WINS (MS08-34), Active Directory (MS08-35) and PGM (MS08-36) issues," Amol Sarwate, manager of the vulnerability research lab at Qualys, told SCMagazineUS.com. "Two of them [MS08-035/36] can cause a Windows server to crash or reboot, and the WINS vulnerability can give an attacker elevated privileges and the ability to view data usually allowed only for high-privilege users."
The Active Directory vulnerability (MS08-035) is the big one for the enterprise, according to Reguly.
"It actually replaces a previous Active Directory denial of service [DoS vulnerability] from earlier this year and affects everything that could be running Active Directory, all the way up to Server 2008," he said. "While this doesn't affect most systems in an enterprise environment, it does affect any and all domain controllers, and these are considered critical infrastructure."
The vulnerability MS80-034 in the Pragmatic General Multicast [PGM] protocol used for file sharing could potentially be used as a nuisance tool to crash XP and Vista boxes, Zimski said.
As usual, the June round of fixes also included a critical patch (MS80-031) for Internet Explorer. This bug applies to all versions of IE, including IE 8 beta, and would allow an attacker who crafted a malicious website to take over a visitor's vulnerable system.
This fixes an HTML object memory corruption issue, Eric Schultze, chief technology officer of Shavlik Technologies, told SCMagazineUS.com.
The final critical patch (MS80-033) fixes a problem with DirectX.
When an IE user visits a malicious website with IE unpatched, an attacker could execute code on the user's system and download malware, Schultze said.
"The vector of the attack is called mjpeg, and that will cause the DirectX function to overflow and execute code," he said.
In another desktop-related issue (MS08-032), Microsoft released a "kill bit" that turns off the ActiveX speech API within Internet Explorer. This "moderate" patch prohibits the ActiveX speech function from running within IE, said Schultze.