'Important' fixes in July patch cycle
Connecting state and local government leaders
Microsoft will address a mix of exploit risks, including two elevation-of-privilege vulnerabilities, one spoofing security risk and one remote code execution exploit.
IT pros can expect four patches in Microsoft's July patch
rollout, according an advance announcement issued by the company.
The patches, arriving today, won't contain "critical" or "moderate"
items, but all four will be deemed "important."
Microsoft will address a mix of exploit risks with the July
patch, including two elevation-of-privilege vulnerabilities, one
spoofing security risk and one remote code execution (RCE) exploit.
The infamous RCE problem continues to be a concern as the software
giant's 2008 hotfix cycle passes its half-way point.
The first important fix addresses an elevation-of-privilege
problem in SQL Server. Hackers can gain back-door access into the
database and change fields to configure user access parameters,
giving themselves superuser or unlimited access to run amok on a
network.
In the last week of June, Redmond issued a security advisory
pertaining to certain components of SQL Server, citing a recent "escalation in a
class of attacks targeting Web sites" and using the database
application as an incursion vector. This new SQL patch is far
reaching as it touches several releases of the database and server
software program, including SQL Server 7.0 Service Pack 4, SQL
Server 2000 for Itanium systems and all versions of SQL Server 2005
SP2.
Also included as part of this fix are Microsoft Data Engine 1.0
SP4, SQL Server 2000 Desktop Engine SP4, SQL Server 2005 Express
Edition SP2 and SQL Server 2005 Express Edition with Advanced
Services SP2.
The SQL patch affects Windows 2000 Service Pack 4 and Windows
Server 2003 (SP1 and SP2), including 64-bit editions. Windows
Internal Database (WYukon) is also affected as the patch relates to
all versions of Windows Server 2008 except for
Itanium-processor-based systems.
The second fix blocks potential RCE exploits in all versions of
Windows Vista and Windows Server 2008.
The third fix staves off spoofing, which is the act of masking
Internet Protocol configurations under false pretenses by faking
the sending address of a transmission in order to gain illegal
entry into a secure system. The patch affects the client and server
side update functions for Windows 2000 SP4, client updates for
multiple versions of Windows XP, and client and server update
functions in Windows Server 2003. The fix addresses server-side
updates for all versions of Windows Server 2008, except for those
running on an Itanium system.
The final fix is one that network and systems administrators
might note. It involves an elevation-of-privilege attack on
Exchange Server, the near ubiquitous software package that supports
e-mail, task scheduling, instant messaging and Web traffic flow. A
hacker with carte blanche access could shut down Exchange Server,
redirecting traffic or stealing large e-mail listserve
addresses.
All four fixes will require a restart to implement the
patch.
Microsoft's advanced warning is not always the final word on
what IT pros can expect to see, but it's a good indicator. Redmond
points users to this Knowledgebase article for a list of all Windows
Server Update Services and Windows Update upgrades that will come
out this month.
Future items will include an update of the dynamic installer
function in Internet Explorer, a Windows Mail junk e-mail feature
and a nonsecurity update for Windows Server 2008.
NEXT STORY: Microsoft warns of vulnerability in Access