Microsoft patches 10 flaws with seven bulletins

The most critical patches released cover Bluetooth, Internet Explorer, and DirectX.

Microsoft on Tuesday released its June 2008 security bulletin, which includes three critical, three important, and one moderate patch.

Of the critical, one is for the Bluetooth stack in Windows XP and Windows Vista, one is for DirectX, and another is a cumulative update to Internet Explorer. The one moderate bulletin covers a flaw in the speech recognition feature in Windows 2000, XP, and Windows Vista. Of the important bulletins, one concerns Active Directory and another Pragmatic General Multicast (PGM). All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-030: Critical

Titled "Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)", this bulletin is critical for users of Windows XP and Windows Vista (both 32-bit and 64-bit editions). The update addresses vulnerabilities detailed in CVE-2008-1453. The patch modifies the way that the Bluetooth stack handles a large number of service description requests. Microsoft says an attacker could use this to take complete control of an affected system; install programs; view, change, or delete data; or create new accounts with full user rights.

MS08-031: Critical

Titled "Cumulative Security Update for Internet Explorer (950759)", this bulletin affects all users of Windows. However, the critical designation only applies to users of Windows XP and Windows Vista; all others are deemed moderate or important by Microsoft. The update addresses vulnerabilities in CVE-2008-1442 and CVE-2008-1544. The cumulative patch fixes a couple of vulnerabilities including one that could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and another which could allow information disclosure if a user viewed a specially crafted Web page using Internet Explorer.

MS08-032: Moderate

Titled "Cumulative Security Update of ActiveX Kill Bits (950760)", this bulletin affects users of Microsoft Windows 2000 Service Pack 4; all supported editions of Windows XP; and all editions of Windows Vista including Windows Vista Service Pack 1. The update addresses the issues in CVE-2007-0675. It fixes a publicly reported vulnerability for the Microsoft Speech API that could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the speech recognition feature in Windows enabled.

MS08-033: Critical

Titled "Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)", this bulletin affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-0011 and CVE-2008-1444. Microsoft says the vulnerability "could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-034: Important

Titled "Vulnerability in WINS Could Allow Elevation of Privilege (948745)", this bulletin affects all supported editions of Microsoft Windows 2000 Server and Windows Server 2003. This update addresses the vulnerability detailed in CVE-2008-1451. Microsoft says an attacker could use an elevation of privilege to take complete control of an affected system, and then install programs; view, change, or delete data; or create new accounts.

MS08-035: Important

Titled "Vulnerability in Active Directory Could Allow Denial of Service (953235)", this bulletin is rated Important for all supported editions of Microsoft Windows 2000 Server, and rated Moderate for select editions of Windows XP Professional, Windows Server 2003, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1445. Microsoft says the vulnerability could be exploited to allow an attacker to cause a denial-of-service condition.

MS08-036: Important

Titled "Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)", this bulletin is rated Important for all supported editions of Windows XP and Windows Server 2003 and rated Moderate for all supported editions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1440 and CVE-2008-1441. Microsoft says "an attacker who successfully exploited this vulnerability could cause a user's system to become non-responsive and to require a restart to restore functionality. Note that the denial-of-service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests."

Tags:
Security
About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     

    Join the discussion

    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    Last-minute gift ideas

    Under pressure? These will deliver on time

    With plenty of top-notch retailers offering digital gifts, you still have time to salvage your gift-giving reputation.