Microsoft: 10 patches for Windows
Critical releases plug holes vulnerable to remote code execution exploits in the Windows Bluetooth stack, Internet Explorer and Microsoft DirectX.
As expected, Microsoft has released seven patches for its June rollout of security
fixes. In total, the patches address about 10 separate
vulnerabilities.
All of the critical items plug holes vulnerable to remote code
execution (RCE) exploits in the Windows Bluetooth stack, Internet
Explorer and Microsoft DirectX, an application programming interface
in Windows.
Meanwhile, the important fixes are designed to block elevation
of privilege and denial of service from would-be hackers in Windows
Internet Name Service, Active Directory and Pragmatic General
Multicast, a transport protocol in Windows programs used for file
transfer and streaming media.
The moderate patch applies to the kill bit mechanism in Windows,
the method used to disable an ActiveX control in IE.
But it's the Bluetooth vulnerability, experts say, that is most
important to patch because it exemplifies the relatively nascent
attack vector of wireless peripherals.
"[The Bluetooth vulnerability] is noteworthy because user
interaction is not required," said Ben Greenbaum, senior research
manager for Symantec. "All that is required is for the device to
have Bluetooth on and to be within range of the attacker. That's
something IT guys should look at first."
Second to that in importance, according to Greenbaum, is the
patch for Active Directory, a critical component for managing system
settings in a Windows environment. He added that the IE patch is
also "very mission-critical."
Critical fixes
How Bluetooth technology interoperates with Windows
components and applications is the theme of the first critical patch. According to
Redmond, it resolves "a privately reported vulnerability in the
Bluetooth stack in Windows" which could allow a hacker carte
blanche -- edit, delete, change and write capabilities -- over an
enterprise system. The affected systems are all versions of Windows
XP, Service Packs 2 and 3, and Vista SP1.
"The Bluetooth bulletin is the most interesting critical patch
that deserves keen attention," said Paul Zimski of Scottsdale,
Ariz.-based Lumension Security. "The impact of a remote code
execution in Windows Bluetooth could mean that it's possible to
attack a victim's computer just by being within close proximity and
not actually being on the network itself."
The second critical patch is a cumulative
security update for IE affecting every release from 5.01 through 7;
it also cuts a wide swath across operating systems. This patch,
which Microsoft said resolves one private and one publicly
disclosed vulnerability, will touch Windows 2000 SP4, XP SP2 and
SP3, Windows Server 2003 SP1 and SP2, Vista SP1, and all versions
of Windows Server 2008. The fix is designed to stave off hacker
incursions via specially crafted Web pages in IE.
For the third and final critical item, Redmond
is patching different versions of DirectX to stop hackers from
deploying RCE exploits using maliciously configured media files.
DirectX is an application programming interface mostly used for
developing games, streaming audio, interactive video and other
graphics features on Microsoft platforms. Experts say security
administrators would do well to patch this vulnerability unless
they want to find out a new meaning for "viral video."
Important bulletins
The first important patch pertains to
Windows Internet Name Service, a service that stores host
names and network addresses and acts as a central name-mapping function
for the network. It affects all editions of Windows Server
2003.
Next is the patch for Active Directory in XP,
Windows Server 2003 and the 32- and 64-bit versions of Windows
Server 2008. The patch prevents a hack that would leave enterprise
users locked out of their system via a denial-of-service exploit.
Analysts say the "important" label for this patch may be
misleading.
"Even though the Active Directory bulletin is only marked as
important, this is something businesses will want to address
primarily because Active Directory is such a business-critical
system and an attack could potentially grind networks to a halt,"
Zimski said.
The file transfer and streaming media transmission protocol
called Pragmatic General Multicast is at the center of the third and last important patch of the
month. This fix, which resolves what Redmond called "two privately
reported vulnerabilities" in the program, would also prevent
denial-of-service exploits affecting XP, Vista, Windows Server 2003
and Windows Server 2008.
In 'moderation'
In recent months, Microsoft has mostly confined its patch
designations to either "critical" or "important." But this month,
one "moderate" item has been thrown into
the mix.
This patch is a cumulative security update of ActiveX kill bits,
fixing what Microsoft's executive summary described as a
"vulnerability [that] could allow remote code execution if a user
viewed a specially crafted Web page" with a speech-recognition
feature in Windows enabled. Additionally, this includes a kill bit
for software produced by independent software vendor BackWeb.
Microsoft noted that this vulnerability may not affect end users
that much, especially if they don't have administrative rights on a
system.
All seven patches this month will require a restart or reboot of
some kind. And, as in other Patch Tuesdays since late spring,
Microsoft referred IT pros to this Knowledge Base article for a
description of non-security and high-priority updates on Microsoft
Update, Windows Update and Windows Server Update Services. Some of
this month's items include updates for IE 7 dynamic installer and
updates for XP, Vista and Windows Server versions 2003 and
2008.
"Nothing particularly shocking this month -- except for me being
shocked that I actually tend to agree in the context of the
severity of patch designations. I think Microsoft got it right this
time," said Eric Schultze, chief technology officer of Shavlik
Technologies in St. Paul, Minn. "An important thing to note is that
four of the seven bulletins are server-side vulnerabilities,
meaning no user interaction is required for a system to be hacked.
Hackers have more fun with server-side issues."
This article was originally published May 8 at RedmondMag.com,
an affiliate Web site of GCN.com. RedmondMag.com and GCN.com are
1105 Media Inc. properties.