Microsoft Fixes Critical Flaws In IE, Bluetooth
Altogether, Microsoft's patch bundle covered a total of seven patches: three deemed "critical," three rated "important" and one designated "moderate."
The three critical patches addressed vulnerabilities in Microsoft's Internet Explorer, DirectX and Bluetooth. Both the DirectX and IE updates addressed flaws that affect almost all versions of Windows, including Windows 2000, Windows XP, Windows Vista and Windows Server 2003 and 2008 as well as Internet Explorer 7. The Bluetooth error only affects Windows XP and Vista.
However, security experts say that the Bluetooth flaw, addressed by patch MS08-030, is the most serious of the three critical fixes. The error, which exists in Windows' Bluetooth stack, could allow a remote attacker to execute malicious code on a user's computer simply because Bluetooth is enabled on an unprotected or open network.
Once the flaw is exploited, the attacker could take complete control of the affected computer to create new accounts, install malicious programs or steal a user's private information for identity theft.
"If you're running Bluetooth on your computer, that means anybody else can hack your system and take control of it," said Eric Schultze, CTO of Shavlik Technologies. "You don't have to do anything. Because you have Bluetooth turned on, someone can own your computer."
Two critical vulnerabilities addressed by MS08-031 are in Microsoft's Internet Explorer; they leave users' computers susceptible to remote code execution if they visit a malicious Web site. The IE patch also addresses a zero-day vulnerability, one for which exploit code had already been made public.
Similarly, the DirectX vulnerability addressed by patch MS08-033 leaves users susceptible to remote exploitation if they view an online video laced with malicious code.
"That's pushing social engineering to an edge," said Amol Sarwate, manager of vulnerability research at Qualys. "A lot of people use the Internet to watch news and video and all sorts of media content. Basically when a user is viewing that video, attack streams could exploit or install things like viruses, worms or keyloggers."
Microsoft also released three bulletins deemed "important," addressing security errors in PGM, Active Directory and WINS, affecting numerous versions of Windows. The security errors in PGM and Active Directory could enable a denial-of-service attack, while the flaw in WINS could allow an attacker to gain elevated user privileges without authorization.
Included in this month's patch bundle was a "Kill Bit" flaw deemed "moderate" that could also be exploited by a remote attacker. Although designated "moderate," the vulnerability enabled an attacker to execute arbitrary code, a flaw that usually is deemed "critical." However, to be infected, a user would have to visit a malicious Web site while the speech-recognition function is active, experts say.
"Because of the combination of things, it decreased the likelihood and it decreases the severity of it," said Schultze. "By default, speech recognition in Vista is not enabled."
Meanwhile, Microsoft failed to include a fix for a recently detected critical "carpet bomb" error in Apple Safari, discovered late last month. Like most critical errors, the glitch allows remote code execution by enabling the Safari browser to download any resource, including malicious content, without the user's consent.
None of the vulnerabilities have been actively exploited so far, but security experts recommend that users install the latest patches as soon as possible—in particular those designated critical.