June 2008 is already upon us. But here in Seattle it still feels like March. The temperature seems to be hovering at about 60 degrees. Maybe by August it will be really hot, probably reaching highs of around 75 degrees. Granted, 75 degrees is not really that hot at all by some standards. For instance, Phoenix, Ariz. is constantly flirting with highs of the hundred-plus degree mark this time of the year. So I guess Seattle is a virtual air conditioner.
In June, Microsoft will release seven security bulletins. By all accounts, this would appear to be a month where deployment activity is high. But upon closer review of the bulletin details we see that this is not necessarily true. So with no further delay I will provide you with information that will help in your risk assessment and deployment strategy.
As I mentioned, there are seven bulletins -- three rated as Critical, three rated as Important, and one rated as Moderate.
MS08-030 addresses a remote code-execution vulnerability in the Bluetooth stack that has a cumulative rating of Critical. Only client systems are affected. Those systems are Windows XP and Windows Vista. There are workarounds noted in the bulletin. The client system can be configured to ignore solicitations for Bluetooth connections. Additionally, the Bluetooth driver can be stopped and disabled. Windows 2000, Windows Server 2003, and Windows Server 2008 are not affected.
MS08-031 addresses a vulnerability in Internet Explorer, which could allow remote code execution if a user viewed a specially crafted web page. The cumulative severity rating is Critical. However, for some systems the rating is Moderate, such as Windows Server 2003 and Windows Server 2008. These systems are rated as Moderate because by default they run in what is known as Enhanced Security Configuration. In this mode, any sites that have not been explicitly added to the Internet Explorer trusted sites zone is set to High.
In contrast, Windows 2000, Windows XP, and Windows Vista are rated as Critical and should be given a higher priority for testing and deployment.
MS08-032 is the cumulative security update of ActiveX Kill bits and has a cumulative rating of Moderate. There is a remote code execution vulnerability in the speech recognition feature in Microsoft Windows (Windows Vista's speech recognition feature is not enabled by default). This security bulletin only addresses the killbiting of ActiveX controls. This security update does not address vulnerabilities in Internet Explorer or supersede any Kill bits included in prior Internet Explorer bulletins.
MS08-033 addresses a remote code execution vulnerability in Microsoft DirectX for all supported versions of Microsoft Windows and is rated as Critical. Please take note of the workarounds noted in the bulletin. This security update should be given high priority for testing and deployment.
MS08-034 addresses an elevation of privilege vulnerability in the Windows Internet Name Service (WINS). This bulletin is rated as Important and affects Microsoft Windows 2000 and Windows 2003 server systems.
MS08-035 addresses a vulnerability in Active Directory® that could allow a denial of service attack. This bulletin has a cumulative severity rating of Important. However, this rating of Important only applies to Active Directory® on Microsoft Windows 2000. All other affected platforms are rated as Moderate. It is necessary during your risk assessment to also evaluate systems that are not domain controllers. Non-domain controllers may have Active Directory Application Mode (ADAM) installed. ADAM provides data storage and retrieval for directory-enabled applications, without the dependencies that are required for the Active Directory® directory services. Applications that rely on ADAM may, as part of the installation routine, install it.
MS08-036 addresses vulnerabilities in the Pragmatic General Multicast (PGM) protocol that could allow a denial of service attack to the extent that the affected system becomes non-responsive until the system is restarted. The cumulative severity rating for this bulletin is Important. However, Windows Vista and Windows server 2008 are rated as a Moderate. PGM is present if Microsoft Message Queuing (MSMQ) has been installed or if a PGM-supported application is in use.
Within the realm of security updates, but not focused on June's release, as part of our ongoing work, we've provided new Knowledge base articles that better document installation procedures for any possible, future SQL Server security updates for Microsoft SQL Server 7, Microsoft SQL 2000 or Microsoft SQL Server 2005. In particular, there are steps that SQL Server 2000 and SQL Server 2005 administrators can take in advance that could help expedite deployment of any possible future security updates. We encourage all SQL administrators to review all these Knowledge Base articles and consider following the steps now to better prepare for any future SQL Server updates that may be released in the future. Please see the MSRC blog for additional information.
I want to encourage you to take a moment and register for our regular monthly security bulletin webcast, which will be held on Wednesday, June 11, at 11:00 a.m., Pacific Standard Time.
Adrian Stone, lead security program manager, and Christopher Budd, senior public relations manager, will review information about each bulletin to help you with your planning and deployment. After the review session, they will answer your questions – with information from our assembled panel of experts. If you can't make the live webcast, you can also access it on-demand.
Please take a moment and mark your calendars for the July 2008 monthly bulletin. The release is scheduled for Tuesday, July 8, 2008, and the advance notification is scheduled for Thursday, July 3, 2008. Look for the July edition of this column on release day with information to help you with your planning and deployment of the most recent security bulletins.