Security Market Segment LS
Wednesday, 10 June 2009 05:43

More critical Microsoft updates, even for Vista

By
June's Patch Tuesday release from Microsoft addresses more vulnerabilities than there are days in the month. And this time, Mac users needn't feel left out.

As expected, June's Patch Tuesday saw 10 new security bulletins from Microsoft, covering 31 vulnerabilities.

Seven of the bulletins relate to Windows itself.

Active Directory problems can lead to remote code execution on Windows 2000 and allow denial of service attacks on XP and Server 2003. Server 2008 is unaffected.

Multiple vulnerabilities exist in Internet Explorer, and all but one allow remote code execution. The exception is an information disclosure vulnerability in IE6 on Windows 2000. There is at least one Critical vulnerability for each of Internet Explorer 5, 6, 7 and 8, even when running under Vista. Others are rated Important or Moderate.

According to Andrew Storms, director of security operations for nCircle, "every user should put this patch at the top of their 'install immediately' list."

The IIS issues revolve around the use of maliciously crafted anonymous HTTP requests to gain WebDAV access without authentication. The problems are regarded as Important on Windows 2000, XP, and Server 2003. Vista and Server 2008 are not affected.

There's a lot more to be patched this month, so please read on.


Multiple vulnerabilities in the Windows Print Spooler allow remote code execution (Windows 2000 only) or privilege elevation (XP, Server 2003, Vista, and Server 2008).

Windows Search (in XP and Server 2003 only) also gets a patch to avoid potential information disclosure if the user previews a maliciously crafted file in the search results, or if the malicious file is the first item in the results. It's only considered a Moderate problem.

Four vulnerabilities allow privilege escalation in all supported versions of Windows. The issue is rated Important in all cases. An attacker must be able to log on locally and not anonymously to exploit the situation.

Also rated Important and affecting all supported versions, a vulnerability in Windows' remote procedure call facility allows privilege escalation. Microsoft points out that affected versions of Windows do not ship with RPC servers or clients that are subject to exploitation of this vulnerability, but third-party applications using RPC could be affected.

The three non-operating system bulletins all concern Microsoft Office.

All three are most serious for Office 2000 (which comes out of support on July 14), where they are regarded as Critical. The rating is Important for Office XP, 2003, 2004, 2007 and 2008, though only two of the issues are relevant to the Mac versions of Microsoft's productivity suite.

A maliciously crafted Excel file can trigger remote code execution. This issue is regarded as Critical on Excel 2000, and Important on Excel 2002, 2003, 2004, 2007, and 2008.

It also affects Excel Viewer, the Compatibility Pack for 2007 file formats, and SharePoint Server 2007, where it is again regarded as a Important issue.

See page 3 for other Office-related vulnerabilities and more.


A remote code execution flaw in the Microsoft Works converters has been fixed. The affected software is Word 2000, 2002, 2003 and 2007 SP1, and Works 8.5 and 9. The Mac versions of Word, Word 2007 SP2, the Word Viewers and the Compatibility Pack for 2007 file formats are unaffected.

The final bulletin describes vulnerabilities in Word that allow remote code execution when a malicious file is opened.

The problem is rated Critical for Word 2000, and Important for Word 2002, 2003, 2004, 2007, 2008, the Word Viewers and the Compatibility Pack for 2007 file formats.

"This month only 6 out of 31 CVEs are related to listening services, a trend that deserves special attention," said Tyler Reguly, senior security engineer with nCircle.

"If you add in MS09-022 (Windows Print Spooler) for interaction with a remote service, you end up with 24 out of 31 CVEs related to local vulnerabilities. Many, including Microsoft, will consider these to be the most critical, yet most of these issues would be far less critical if every computer was operated using the principle of least privilege," he added.

Microsoft has also updated a previous bulletin and provided updates for Office for Mac 2004 and 2008 as well as Works 8.5 and 9. These updates protect against a PowerPoint remote code execution issue.

To round things off, there's a pair of advisories (a new set of ActiveX killbits and a change to DNS devolution), updated versions of the Malicious Software Removal Tool and Windows Mail Junk E-Mail Filter, and cumulative updates for Media Center TVPack for Vista and Media Center for Vista. And you may not have noticed the Root Certificate update that was released late last month.

In related news, Sun has released an updated version of Java for Windows, and Adobe has released the first of its quarterly updates for Acrobat and Reader.

Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments