Microsoft issued three critical updates on Tuesday as part of its monthly batch of updates, plugging holes in Bluetooth and Internet Explorer that could be exploited by a hacker to run malicious code and gain access to a machine.
The holes in Bluetooth, DirectX and Internet Explorer are rated critical, but security experts said a flaw found in Active Directory should be given high priority by IT administrators, despite being rated important by Microsoft.
The Active Directory security bulletin, MS08-035, resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server, Windows Server 2003 and Windows Server 2008. Although a hacker must have valid logon credentials to exploit the flaw, once it is exploited the hacker can shut down critical systems, said Paul Zimski, vice president of security solutions at patch management vendor Lumension Security.
"The Active Directory flaw has the capacity to take out business operations, and it's something that has enough impact to the business that really deserves attention," he said.
Amol Sarwate, manager of vulnerabilities research at security vendor Qualys Inc., agreed, calling this month's batch of patches a mixed bag. The critical flaws address issues affecting desktop users, while the flaws rated as important primarily affect server users, he said.
The Active Directory vulnerability and the Pragmatic General Multicast (PGM) protocol flaw, MS08-036, have the potential to be exploited and crash a server, Sarwate said.
MS08-030 plugs a hole in the Bluetooth stack in Windows that could allow remote code execution. The bulletin was rated critical because a hacker could exploit the vulnerability remotely to take control of an affected system and install programs; view, change, or delete data; or create new accounts with full user rights.
Zimski said that most organizations likely don't have a business need for Bluetooth, and recommended turning off the feature. While this kind of attack is atypical, it is dangerous because Bluetooth is less often considered an attack vector, he said.
MS08-031, also rated critical, resolves a call handling and object validation issue with Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. IE 5.01 and 6 on Microsoft Windows 2000 Service Pack 4 and Windows XP, and IE 7 on supported versions of Windows XP and Windows Vista, are affected.
MS08-033 repairs two critical Microsoft DirectX flaws that could allow remote code execution if a user opens a specially crafted media file. Lumension's Zimski said the DirectX flaw is risky because it can be exploited using a malicious media file. DirectX had a problem handling MJPEG and SAMI format files.
"It's something we generally tend to trust and something not blocked at gateway or network perimeter level," Zimski said.
IBM Internet Security Systems' X-Force researchers discovered the media-handling flaw. In a statement, IBM said the vulnerability will likely be "exploited in the near future, either through the hosting of malicious files on websites, or possibly by attaching the malicious files to spam messages."
MS08-032, a problem with Microsoft's Speech API, is rated moderate. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer, and has the Microsoft Speech Recognition feature in Windows enabled.
As a result of the Microsoft bulletins, Symantec raised its ThreatCon to Level 2, since the vulnerabilities addressed by Microsoft range from local privilege escalation to remote kernel code execution. Symantec advised its customers to apply the fixes as soon as possible.