The July 2008 bulletin release encompasses four new security bulletins, all with the rating of Important. These bulletins will help increase your ability to protect your systems with the appropriate security measures. My focus in this month's column will primarily be on MS08-037, addressing Windows Domain Name System (DNS), and MS08-040, addressing Microsoft SQL Server. These two bulletins will require special consideration when devising your deployment strategies.
MS08-037 addresses spoofing vulnerabilities that affect both the DNS client and the DNS server. Both vulnerabilities are rated Important. An attacker who successfully exploited them could redirect Internet traffic.
When deploying this update, there are a few things to keep in mind to make sure you are protected from these vulnerabilities. A system may require both the client and server version of the update. Importantly, if the updates must be uninstalled, it should be performed in reverse order. That is, if you install the client version first, and then the server version of the update, you will need to uninstall the server version first, then the client version. Not following this sequence could impair the functionality of the operating system. Please see Microsoft Knowledge Base (KB) article 823836 for detailed information.
About Inside MSRC:
As part of a special partnership with SearchSecurity.com, Bill Sisk, the response communication manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.
This security update also introduces a new default dynamic port range for Windows Server 2000 and Windows Server 2003: the default dynamic socket port range has changed from 1025 through 5000 to 49152 through 65535. We encourage you to review the firewall settings in your environment to ensure that traffic between servers in the 49152 through 65535 range is allowed. Windows Vista and Windows Server 2008 already use 49152 through 65535 as their default range. For additional information, please review the MS08-037 bulletin.
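The firewall review above is easy to get wrong when rules were written for the old 1025-5000 range. The following PowerShell is an added example (not code from the column or from Microsoft): it takes a list of allowed TCP port ranges, which you would export from your own firewall policy (the rule sets below are constructed samples), merges them, and reports every part of the 49152-65535 range that no rule covers. The function names Get-UncoveredPortRanges and Show-PortGaps are this example's own.

```powershell
# Added example (not from the column): check whether a set of firewall allow
# rules covers the post-MS08-037 dynamic port range and list any gaps.

function Get-UncoveredPortRanges {
    param(
        # Allowed TCP port ranges between servers, each as @{ Start = n; End = m }.
        # Supplied by the caller, e.g. exported from the firewall policy.
        [Parameter(Mandatory = $true)] [hashtable[]] $AllowedRanges,
        [int] $RangeStart = 49152,   # new default dynamic range per MS08-037
        [int] $RangeEnd   = 65535
    )

    # Merge overlapping or adjacent allowed ranges after sorting by start port.
    $merged = @()
    foreach ($r in ($AllowedRanges | Sort-Object { $_.Start })) {
        if ($merged.Count -gt 0 -and $r.Start -le ($merged[-1].End + 1)) {
            if ($r.End -gt $merged[-1].End) { $merged[-1].End = $r.End }
        } else {
            $merged += @{ Start = $r.Start; End = $r.End }
        }
    }

    # Walk the target range and record every stretch no merged rule covers.
    $gaps   = @()
    $cursor = $RangeStart
    foreach ($r in $merged) {
        if ($r.End -lt $cursor)     { continue }   # rule ends before current position
        if ($r.Start -gt $RangeEnd) { break }      # rule starts after the target range
        if ($r.Start -gt $cursor) {
            $gaps += @{ Start = $cursor; End = [Math]::Min($r.Start - 1, $RangeEnd) }
        }
        $cursor = $r.End + 1
        if ($cursor -gt $RangeEnd) { break }
    }
    if ($cursor -le $RangeEnd) { $gaps += @{ Start = $cursor; End = $RangeEnd } }
    return ,$gaps
}

function Show-PortGaps([string] $Label, [hashtable[]] $Rules) {
    $gaps = Get-UncoveredPortRanges -AllowedRanges $Rules
    if ($gaps.Count -eq 0) {
        "$Label : dynamic range 49152-65535 fully allowed"
    } else {
        foreach ($g in $gaps) { "$Label : TCP $($g.Start)-$($g.End) not allowed" }
    }
}

# Constructed sample rule sets (not real firewall policy).
# Written against the old 1025-5000 range: the entire new range is blocked.
$oldRules = @(
    @{ Start = 53;   End = 53   },   # DNS
    @{ Start = 135;  End = 135  },   # RPC endpoint mapper
    @{ Start = 1025; End = 5000 }    # old dynamic range
)
# Partially updated: only part of the new range was opened.
$partialRules = $oldRules + @( @{ Start = 49152; End = 60000 } )
# Updated to match the MS08-037 and Vista/Server 2008 defaults.
$newRules = $oldRules + @( @{ Start = 49152; End = 65535 } )

Show-PortGaps 'old'     $oldRules
Show-PortGaps 'partial' $partialRules
Show-PortGaps 'new'     $newRules

# On Windows Vista / Server 2008 the effective range can be confirmed with:
#   netsh interface ipv4 show dynamicport tcp
```

The 'partial' case is the one to watch for in practice: a rule that opens 49152-60000 looks like it covers the new range but leaves 60001-65535 blocked, and RPC-based traffic between servers will fail intermittently depending on which ephemeral port is chosen.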
MS08-040 addresses vulnerabilities that could allow an authenticated attacker to elevate privilege on a Microsoft SQL Server. There are several considerations to keep in mind when deploying this update. SQL Server 7.0 Service Pack 4 requires that you install the update manually; for example, one of the steps is shutting down the Microsoft SQL Server service and the SQL Server Agent service. Please see Microsoft KB article 953743 for additional details.
In addition, Microsoft SQL Server 2000, MSDE 2000 and Microsoft SQL Server 2005 versions of the update will not be applied to disabled instances. That is, only instances that do not have a startup type of disabled will be updated by the installer. KB article 953740 has the details.
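Because the installer silently skips disabled instances, it is worth inventorying every SQL Server engine and Agent service on a host before deploying MS08-040. The PowerShell below is an added example (not from the column or from Microsoft) that queries Win32_Service for the default and named SQL Server service names, shows each service's startup type and state, and lists the engine instances whose startup type is Disabled. The function name Get-SqlServiceStatus is this example's own; it assumes you run it with rights to query WMI on the SQL host.

```powershell
# Added example (not from the column): list SQL Server engine and Agent
# services with their startup type, flagging disabled engine instances that
# the MS08-040 installer will skip.

function Get-SqlServiceStatus {
    param([string] $ComputerName = '.')

    # Service names: MSSQLSERVER / SQLSERVERAGENT for the default instance,
    # MSSQL$<instance> / SQLAgent$<instance> for named instances (including MSDE 2000).
    $filter = "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT' " +
              "OR Name LIKE 'MSSQL`$%' OR Name LIKE 'SQLAgent`$%'"

    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -Filter $filter |
        Select-Object Name, StartMode, State,
            @{ Name = 'Role';
               Expression = { if ($_.Name -like '*Agent*') { 'Agent' } else { 'Engine' } } },
            @{ Name = 'SkippedByInstaller';
               Expression = { $_.StartMode -eq 'Disabled' } }
}

# Run against the local machine. State is shown as well because the manual
# SQL Server 7.0 procedure involves stopping the engine and Agent services.
$status = Get-SqlServiceStatus
$status | Format-Table Name, Role, StartMode, State, SkippedByInstaller -AutoSize

# Engine instances with a startup type of Disabled will not receive the update.
$skipped = $status | Where-Object { $_.Role -eq 'Engine' -and $_.SkippedByInstaller }
foreach ($s in $skipped) {
    "$($s.Name) has startup type Disabled; the MS08-040 installer will not update this instance."
}
```

Run it on each SQL host (or pass -ComputerName for a remote one) and decide per instance whether a disabled engine should be left unpatched or brought back to a non-disabled startup type before the update is applied.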
MS08-038 addresses a vulnerability in Windows Search that could allow remote code execution. To be affected, a user would have to open and then save a specially crafted saved-search file. Windows Search is available as an add-in for Windows XP systems, but those systems are not affected by this issue. The update also resolves the Autorun issue noted in CVE-2008-0951 by disabling the right-click and double-click Autorun behavior that the NoDriveTypeAutorun registry key is meant to control. The MS08-038 bulletin lists workarounds for known attack vectors to use until the update can be deployed.
The fourth bulletin, for Microsoft Exchange Server, addresses an elevation of privilege vulnerability affecting Outlook Web Access (OWA) clients. An attacker could potentially perform user functions, such as reading or deleting email, but could not gain rights on the Exchange Server itself.
Here is some additional guidance for deployment planning: Exchange Server 2007 updates are cumulative in a different way than Exchange Server 2003 updates. Exchange Server 2007 updates are cumulative at the package level, whereas Exchange Server 2003 updates are cumulative at the file level. For detailed information on these differences, please see KB article 937194.
I also want to note that we'll be releasing an infrastructure update to the Windows Update client itself later this month, which has been standard practice for more than eight years. Windows Vista customers who select "never check for updates" (and Windows XP customers who select "turn off Automatic Update") in their WU settings will not receive this WU infrastructure update unless they elect to install it manually by visiting Windows Update. For more information, please visit the Microsoft Update blog.
Our Monthly Webcast
I want to encourage you to take a moment and register for our regular monthly security bulletin webcast, which will be held on Wednesday, July 9, at 11:00 a.m., Pacific Standard Time.
Adrian Stone, lead security program manager, and Christopher Budd, security response communications lead, will review information about each bulletin to help you with planning and deployment. After the review session, they will answer your questions, with information from our assembled panel of experts. If you can't make the live webcast, you can also access it on demand.
Please take a moment and mark your calendars for the August 2008 monthly bulletin. The release is scheduled for Tuesday, Aug. 12, and the advance notification is scheduled for Thursday, Aug. 7. Look for the August edition of this column on release day with information to help you with planning and deployment of the most recent security bulletins.