Microsoft issues four patches, none critical
Vendor also part of historic multi-vendor patch for DNS.
By John Fontana, Network World, 07/09/2008
Microsoft's monthly Patch Tuesday on July 8 was relatively easy for corporate users, going off without a critical patch and only four
vulnerabilities listed as "important."
The patch update, however, did not include a fix for the bug in Access that is currently being exploited by hackers, although Microsoft has issued some workarounds.
The patch release included Microsoft’s contribution to an historic multivendor patch release to close a hole in the Domain Name System protocol, a discovery that prompted CERT to issue an alert.
The other three patches that Microsoft released as part of Patch Tuesday focused on vulnerabilities in Outlook Web Access
(OWA) and SQL Server that could allow an attacker to gain elevated privileges, and a hole in Windows Explorer that would allow
remote code execution.
Even though Microsoft lists the OWA and SQL Server patches as important, some experts say certain users should treat them
as critical.
“We recommend that people look at those two systems and if they do have SQL Servers or a lot of OWA use by executives that
they possibly look at these two patches as critical,” said Don Leatham, director of solutions and strategy for security management
vendor Lumension. He says those two systems can hold sensitive data.
“One thing that people need to understand with the SQL and OWA vulnerabilities is that they represent an opportunity to get
at data. Microsoft’s [patch] classification is a lot about machine control,” he said.
MS08-039, which pertains to OWA, closes two holes in the software that, if exploited, would allow the attacker to perform any
action the user could perform while in their OWA session. The flaws affect Exchange Server 2003 Service Pack 2 as well as Exchange
Server 2007 and Exchange 2007 Service Pack 1.
MS08-040, the SQL Server patch, addresses four vulnerabilities. The most serious of them could allow an attacker to run code
and take control of an affected server. The attacker could then install programs and view/change/delete data or create new
accounts with full administrative rights. The complete list of affected SQL Server versions and Windows components is posted on the Microsoft Web site.
The Windows Explorer patch (MS08-037) fixes a vulnerability that could allow remote code execution, but the attack requires a victim to open a specially
crafted saved-search file and then save it. The vulnerability affects Vista and Vista Service Pack 1 for both 32-bit and x64
systems, Windows Server 2008 (32-bit and x64), and Windows Server 2008 Itanium-based systems.
Microsoft also said it was issuing a performance update later this month for the Windows Update agent.
Comments (15)
July 8 Microsoft Patches
By Paul Schreiber on July 9, 2008, 1:40 pm
I lost Internet access after the patches were installed. My hardware connections checked out fine.

Happened to me too. Apparently there's a conflict between the n
By Anonymous on July 9, 2008, 9:42 am
Happened to me too. Apparently there's a conflict between the new patch, KB951748, and ZoneAlarm. Uninstall that patch and everything works -- at least for me....

Not the author
By Anonymous on July 9, 2008, 10:23 am
Microsoft marked none of the patches as critical. The author of this article is relating the information Microsoft provided. IF YOU READ THE ARTICLE, Microsoft has...

Internet Access Stopped by Tuesday's Update for most ZA custome
By Anonymous on July 9, 2008, 10:38 am
If a ZA customer not getting Internet Web access after Tuesday's Update shuts down ZA, they will find there are several options to fix the issues. 1. Do a restore...

new patch sucks!
By Anonymous on July 9, 2008, 10:41 am
My computer began spewing battery acid after installing the patch and severely injured 7 members of my family. It then exploded.

Lost access
By Anonymous on July 9, 2008, 11:14 am
Well once again Micro$oft owes me for another 2 hours of wasted time while I chased down my lack of internet connectivity. Finally found it when I removed...