|
|
The critical bulletin affects Windows 7 and Vista. A vulnerability in the Windows Bluetooth stack means a series of maliciously crafted Bluetooth packets could be used to trigger remote code execution.
Vista SP1 is only affected if the Windows Vista Feature Pack for Wireless has been installed, and in any case affected operating systems are only vulnerable if Bluetooth hardware is installed. It still makes sense to apply the patch to affected versions of Windows in case a USB Bluetooth adaptor is ever plugged in.
Although the issue is regarded as critical, Microsoft's Security Research Center believes it will be difficult to build a reliable exploit for remote code execution and that denial of service (crashing) is a more likely outcome.
July's second bulletin addresses 15 vulnerabilities in Windows kernel-mode drivers, some of which could be used to gain elevated privileges. The bulletin is rated important, and all currently supported versions of Windows are affected, including Server Core installations of Windows Server 2008.
Please read on for details of the remaining Windows and Office patches.
|
|
All of the Windows vulnerabilities addressed this month were disclosed privately or discovered within Microsoft.
The final bulletin for the month addresses a publicly disclosed vulnerability in Visio. It concerns an attack vector that we've seen mentioned in other security bulletins in recent months: a maliciously crafted library file located in the same network directory as a legitimate Visio file opened by the user.
The only currently supported version affected is Visio 2003 SP3, but Microsoft has warned that Microsoft Update or Windows Update may offer the update on systems that do not have Visio 2003 installed.
Microsoft has also released updates addressing non-security issues in Windows 7, Vista, Server 2008 (including R2), and Windows Embedded DStandard 7, along with new versions of the Malicious Software Removal Tool and the Windows Mail Junk E-mail Filter.
