Fixes for Critical Security Flaws Issued by Microsoft

Published: June 11, 2008

by Alex Woodie

It's the second Tuesday of the month, which means that the cycle of life begins anew in the Microsoft TechNet Security division, which yesterday issued seven patches addressing 10 vulnerabilities in the Windows operating system and associated programs. Standouts from June's patch pack include a critical vulnerability in Windows' Bluetooth stack that could potentially enable drive-by hacking over wireless networks, another cumulative IE release, and an Active Directory flaw that will affect nearly every corporation.

3 Patches for 5 Critical Flaws

A critical vulnerability with Windows' Bluetooth stack is addressed with Security Bulletin MS08-030. According to Microsoft, the flaw could allow attackers to gain complete control over Windows XP and Vista machines by flooding the computers with bogus service requests. The flaw has not been publicly announced (Microsoft did not say who reported it), and is not being exploited in the wild, the company says.

Two critical vulnerabilities in the Internet Explorer Web browser are addressed with Security Bulletin MS08-031, which is being delivered as a cumulative update. The patch fixes the HTML Objects Memory Corruption vulnerability, which could allow an attacker to take complete control of an affected system by tricking a user into viewing a malformed Web page, as well as the Request Header Cross-Domain Information Disclosure vulnerability, which could allow an attacker to view a victim's private information if they view a malformed Web page. Neither vulnerability is currently being exploited, according to Microsoft, which credits researchers working with TippingPoint and the Zero Day Initiative for reporting the HTML Objects Memory Corruption Vulnerability.

The final critical patch, Security Bulletin MS08-033, fixes two problems with Microsoft's DirectX versions 7 through 10 affecting nearly all versions of Windows and Windows Server over the last eight years. The MJPEG Decoder vulnerability and the SAMI Format Parsing vulnerability could give attackers total control over victims' machines by tricking them into opening malformed files. IBM Internet Security Systems X-Force team and Tipping Point and the Zero Day Initiative get credit for reporting the vulnerabilities, which aren't in general circulation, according to Microsoft.

3 Patches for 4 Important Flaws

An elevation of privilege flaw affecting Windows 2000 Server and Windows Server 2003 has been addressed with Security Bulletin MS08-034. A problem with the way that the Windows Internet Name Service (WINS) validates data structures within WINS packets could potentially allow an attacker to take complete control over an affected system. Luckily, it's not being exploited in the wild yet, according to Microsoft.

Security Bulletin MS08-035 addresses a potentially troublesome denial of service (DOS) problem in Active Directory that could affect businesses relying on Active Directory. The flaw could enable an attacker to bring down a server or a PC by flooding it with malformed LDAP requests. Nearly all recent versions of Windows are affected by the Active Directory vulnerability. But luckily, there have been no reports of the attack occurring in the wild, according to Microsoft. Alex Matthews and John Guzik of Securify get credit for reporting this vulnerability.

Two DOS flaws affecting all recent versions of Windows have been addressed with Security Bulletin MS08-036. The flaws--called the PGM Invalid Length vulnerability and the PGM Malformed Fragment vulnerability--both have to do with improper validation of pragmatic general multicast (PGM) requests in the operating system. Windows 2000 SP4 is the only Windows OS not affected. Microsoft has no reports of this flaw being exploited in the wild.

1 Moderate Patch

A flaw in Windows' speech recognition engine that could allow an attacker to take full control of an affected computer has been fixed with Security Bulletin MS08-032. While this flaw carries a risk of remote code execution, Microsoft gave it a moderate rating because so few people actually use the speech recognition feature in Windows. In fact, many of you may be surprised to learn that Windows has a speech recognition feature (it doesn't work very well). In any case, this patch provides a killbit for that feature.

MS08-32 is also the only patch from yesterday that addresses an issue that had been previously disclosed to the public. However, nobody has been victimized by attackers utilizing the flaw, to the best of Microsoft's knowledge, it says.

Expert Advice

So there you have it--the latest batch of patches for your varied Windows flaws. So what do you do now? According to security experts, you should start patching.

"Organizations should not be lax when rolling out this month's patches as they have the potential to create widespread hacks," says Paul Zimski, vice president security solutions at Lumension Security, a provider of patch management software for Windows.

Two patches that stand out in particular to Zimski are the ones affecting Bluetooth and Active Directory. The Bluetooth problem could "mean that it's possible to attack a victim's computer just by being within close proximity and not actually being on the network itself," he says. Also, due to Active Directory's widespread use, administrators should pay special attention to this flaw, he says.