Microsoft fixes 9 flaws with 4 patches; none critical
Bulletins address flaws within Domain Name Service in Windows, Windows Explorer in Windows Vista, Outlook Web Access (OWA), and Microsoft SQL servers
Microsoft today released its July 2008 security bulletin, highlighting items that are all considered important but not critical. They cover Domain Name Service in Windows, Windows Explorer within Windows Vista, Outlook Web Access (OWA), and Microsoft SQL servers. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.
Entitled "Vulnerabilities in DNS Could Allow Spoofing (953230)," this bulletin is for users of Windows 2000, Windows XP, and Windows Server 2003; users of Windows Vista (both 32-bit and 64-bit editions) and Windows Server 2008 are not affected. The update addresses the vulnerabilities detailed in CVE-2008-1447 and CVE-2008-1454. The patch modifies the Domain Name System (DNS) in Windows. Microsoft says these two vulnerabilities exist in both the DNS client and DNS server and could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems.
Entitled "Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)," this bulletin only affects users of Windows Vista and Windows Server 2008; all other versions of Windows are not affected. The update addresses the vulnerability detailed in CVE-2008-1435. Microsoft says "the vulnerability in Windows Explorer that could allow remote code execution when a specially crafted saved-search file is opened and saved. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Entitled "Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)," this bulletin affects users of Microsoft Outlook Exchange Server 2003 and Microsoft Outlook Exchange Server. The update addresses the issues detailed in CVE-2008-2247 and CVE-2008-2248. Microsoft says "an attacker who successfully exploited these vulnerabilities could gain access to an individual Outlook Web Access (OWA) client's session data, allowing elevation of privilege. The attacker could then perform any action the user could perform from within the individual client's OWA session."
Entitled "Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)," this bulletin affects SQL Server 7.0 Service Pack 4, SQL Server 2000 Service Pack 4, SQL Server 2000 Itanium-based Edition Service Pack 4, SQL Server 2005 Service Pack 2, SQL Server 2005 x64 Edition Service Pack 2, SQL Server 2005 with SP2 for Itanium-based Systems, Microsoft Data Engine (MSDE) 1.0 Service Pack 4, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) Service Pack 4, Microsoft SQL Server 2005 Express Edition Service Pack 2, Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 2, Microsoft SQL Server 2000 Desktop Engine (WMSDE), Windows Internal Database (WYukon) Service Pack 2, Microsoft SQL Server 2000 Desktop Engine (WMSDE), Windows Internal Database (WYukon) x64 Edition Service Pack 2. This update addresses the vulnerabilities detailed in CVE-2008-0085, CVE-2008-0086, CVE-2008-0107, and CVE-2008-0106. Microsoft says this bulletin "resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."