Microsoft issued four security bulletins Tuesday, correcting nine flaws in SQL Server and Windows that could allow an elevation of privilege of an authenticated attacker or remote code execution.
The software maker also issued an infrastructure update to the Windows Update client that could improve scanning performance, reducing the amount of time it takes to see if new updates are available. The update has been conducted annually for about eight years.
All the vulnerabilities were given an "important" rating by Microsoft. The four flaws in SQL Server, addressed in security bulletin MS08-040, address issues that could allow an elevation of privilege of an authenticated attacker. Microsoft said one of the flaws could allow an attacker to run code and to take complete control of an affected system. The update needs to be manually installed in SQL Server 7.0 Service Pack 4.
Microsoft was also one of a group of vendors that corrected a spoofing vulnerability in the DNS client and the DNS Server which could allow an attacker to redirect Internet traffic and steal sensitive information. Security bulletin MS08-037 should be applied carefully, according to Microsoft, to avoid crashing Windows. The update also introduces a new default for DNS port settings for Windows Server 2000 and Windows Server 2003.
Eric Schultze, chief security architect at Shavlik Technologies LLC, in Roseville, Minn., said that the update could be deployed relatively easy by IT administrators. Amol Sarwate, manager of the vulnerabilities research lab at Qualys agreed, calling the update a relatively routine procedure if standard best practices are used.
A longstanding zero-day flaw in Microsoft Windows Search is addressed in security bulletin MS08-038. The flaw affects the search feature in Windows Vista. If successfully exploited, it could allow an attacker to remotely execute code on a system and then install programs; view, change, or delete data; or create new accounts with full user rights. The issue is in the Autorun functionality and can only be exploited if the attacker inserts a CD-ROM or USB device containing a malicious file.
Sarwate said knowledge to exploit the issue has been available since March. Still, Microsoft doesn't explain enough about the flaw to understand the true attack vector, Schultze said.
Bulletin MS08-039 addresses a hole in Outlook Web Access (OWA) clients, which could allow an attacker to gain access to a user's email. If successfully exploited, an attacker could exploit script in the context of an OWA session and read or delete email, according to Microsoft.
"It's rated important yet it's a code execution vulnerability," Schultze said of the OWA flaw. "I would have to call Microsoft out on this and say that the severity is critical but the likely hood of attack is low."
Absent from this months batch of patches is a zero-day flaw being actively targeted in the Snapshot Viewer ActiveX control for Microsoft Access. The Snapshot Viewer is used to view database report snapshots that are created with any version of Microsoft Access. The flaw could allow an attacker to gain user rights on a system, Microsoft said.