The updates, all rated as “important,” included a fix for vulnerabilities in the Windows Domain Name System (DNS) that could allow spoofing (MS08-037). This fix eliminated two vulnerabilities that could allow a remote attacker to redirect network traffic intended for systems on the internet to the attacker's own systems.
Another patch fixed a vulnerability in Windows Explorer that could allow remote code execution (MS08-038). This update resolved a flaw that could have allowed an attacker to remotely take control of an affected system.
Said Don Leatham, director of solutions and strategy at Lumension Security: “This announcement gives administrators some breathing room to get caught up and assess their overall security posture from a mitigation standpoint.”
But it all depends on individual circumstances, he said.
The other two patches could have more impact on businesses.
The third update fixes vulnerabilities in Outlook Web Access for Exchange Server that could allow elevation of privilege (MS08-039). This update resolved vulnerabilities that could enable attackers to gain access to an individual's session data, allowing elevation of privilege.
Again, the severity for individual organizations can differ.
The fourth update patches vulnerabilities in Microsoft SQL Server that could allow elevation of privilege (MS08-040). The more serious of these vulnerabilities could enable an attacker to run code and to take complete control of an affected system.
Said Leatham: "Organizations should pay close attention to the issue of elevation of privilege in SQL and Exchange servers, as exploitation of these targets can easily negate the policy and enforcement efforts made in the provisioning of and access management setup on such systems. Both of these products can be high-value targets and these vulnerabilities could be considered critical depending on the organization."
Schultze said that compared to other months, this is a "sleeper."
The danger of applying low severity levels is that it gives people the impression that they can wait a little longer and not pay as much attention to the latest updates, he said. But security officials should carry through with any standard patch-management processes, and jump on the ones that are directly applicable.
“Although they are not labeled critical, each user should evaluate them for their own environment,” Schultze said.