Microsoft patches Bluetooth, Internet Explorer flaws

By Robert Westervelt, News Editor
10 Jun 2008 | SearchSecurity.com

Microsoft issued three critical updates on Tuesday as part of its monthly batch of updates, plugging holes in Bluetooth and Internet Explorer that could be exploited by a hacker to run malicious code and gain access to a machine.

The holes in Bluetooth, DirectX and Internet Explorer are rated critical, but security experts said a flaw found in Active Directory should be given high priority by IT administrators, despite being rated important by Microsoft.

The Active Directory security bulletin, MS08-035, resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server, Windows Server 2003 and Windows Server 2008. Although a hacker must have valid logon credentials to exploit the flaw, once exploited the hacker can shut down critical systems, said Paul Zimski, vice president of security solutions at patch management vendor Lumension Security.

"The Active Directory flaw has the capacity to take out business operations, and it's something that has enough impact to the business that really deserves attention," he said.

Amol Sarwate, manager of vulnerabilities research at security vendor Qualys Inc., agreed, calling this month's batch of patches a mixed bag. The critical flaws address issues with desktop users, while the flaws rated as important primarily affect server users, he said.

The Active Directory vulnerability and the Pragmatic General Multicast (PGM) protocol flaw, MS08-036, have the potential to be exploited and crash a server, Sarwate said.

MS08-030 plugs a hole in the Bluetooth stack in Windows that could allow remote code execution. The bulletin was rated critical because a hacker could exploit the vulnerability remotely to take control of an affected system and install programs; view, change, or delete data; or create new accounts with full user rights.

Zimski said that most organizations likely don't have a business need for Bluetooth, and he recommended turning off the feature. While this kind of attack is atypical, it is dangerous because it is less thought of as an attack vector, he said.

MS08-031, also rated critical, resolves a call handling and object validation issue with Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. IE versions 5.01 and 6 on Microsoft Windows 2000 Service Pack 4, Windows XP, and IE 7 on supported versions of Windows XP and Windows Vista are affected.

MS08-033 repairs two critical Microsoft DirectX flaws that could allow remote code execution if a user opens a specially crafted media file. Lumension's Zimski said the DirectX flaw is risky because it can be exploited using a malicious media file. DirectX had a problem handling MJPEG and SAMI format files.

"It's something we generally tend to trust and something not blocked at gateway or network perimeter level," Zimski said.

IBM Internet Security Systems' X-Force researchers discovered the media-handling flaw. In a statement, IBM said the vulnerability will likely be "exploited in the near future, either through the hosting of malicious files on websites, or possibly by attaching the malicious files to spam messages."

MS08-032, a problem with Microsoft's Speech API, is rated moderate. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer and has the Microsoft Speech Recognition feature in Windows enabled.

As a result of the Microsoft bulletins, Symantec raised its ThreatCon to Level 2 since the vulnerabilities addressed by Microsoft range from local privilege escalation to remote kernel code execution. Symantec advised its customers to apply the fixes as soon as possible.


