Microsoft released six patches covering 11 vulnerabilities on July’s Patch Tuesday, including “critical” fixes impacting Active Directory on Windows 2000 and 2003 Server and .Net Framework products. In all, Microsoft rated eight of the 11 now-patched vulnerabilities as critical.
The Active Directory patch (bulletin MS07-039) is particularly dangerous because it "can allow any user on the network to take over a domain controller," he said.
It does so "by leveraging a problem in LDAP [the Lightweight Directory Access Protocol] turned on by default" by Microsoft in Windows 2000 and 2003 Server systems, he added.
The flaw was ranked as "critical" because it could allow an attacker take over a domain controller and gain access to every username and password on the system, Shultze added.
That would include discovering the master password for the security controller, Shultze said.
"This is the crown jewel" of a Microsoft-based domain and should be fixed as soon as possible, he added.
If an enterprise "loses control of the domain controller, there's no sense in patching the others, because the attacker now has you," Shultze said.
IBM X-Force researcher Neel Mehta, who created proof-of-concept exploit code, discovered the Active Directory flaw this month.
The .Net Framework vulnerability has the potential to affect a broad range of applications on all of Microsoft's Windows platforms, said Don Leatham, director of business development for PatchLink.
"It's such a pervasive part of Microsoft technology," he said, noting that it is used as the foundation in many organizations' internal and commercial shrink-wrapped applications.
Andrew Storms, director of security operations at nCircle, said the .Net Framework is prevalent in development.
"Because so many businesses use .Net Framework to develop business applications, both software-development and operations teams must patch their systems," he said.
Although Microsoft rated MS07-041 as "important," Shultze called the vulnerability, which affects Microsoft's Internet Information Server (IIS) on Windows XP, "critical."
"Microsoft says because IIS is not installed by default – that you have to go out of way to run it – it's not critical," he explains. "But it's critical if you have a web server on XP because a remote attacker can send one URL and can gain complete access to XP machine."
The final Microsoft-labeled "critical" patch involves a flaw in Excel. Opening an Excel file with malicious code on an unpatched Windows PC could allow a remote user to hijack the system via a buffer overflow.
Microsoft also patched a flaw in a process called "teredo," which manages IPV6 and IPV4 bridging. That flaw can open a hole in the Windows Vista firewall via a malicious URL, according to Shultze.