Microsoft Fixes Nine Bugs With Four Updates
Security experts said that one of the most severe updates contained in this month's Patch Tuesday bundle includes a fix that resolves two vulnerabilities in the Windows Domain Name System (DNS). The vulnerabilities could open the door up for an attacker to redirect user's Internet traffic to launch a spoofing attack -- a multi-platform error affecting Unix and Linux, as well as Windows, platforms, experts said.
"As far as the severity of concerned, the DNS spoofing issue is definitely an important one," said Amol Sarwate, manager of vulnerabilities research lab at Qualys, a security company based in Redwood Shores, Calif. "This vulnerability is not limited to today's Microsoft Patch Tuesday. It's part of a much larger issue."
If exploited, the vulnerabilities could enable a remote attacker to redirect a user's browser to the attacker's own systems, experts say."If they attack a client's machine, it would allow attackers to redirect them to a malicious Web site, and this could also be carried out against a DNS server," said Sarwate.
Another serious update addresses a previously published security bug in Windows Explorer that could allow arbitrary code execution when a user opens and saves a maliciously crafted saved-search file.
An attacker exploiting the vulnerability could take complete control of an affected system once a user with administrative privileges logged on, and could then install malicious programs, view or change sensitive information, or create new user accounts.
Experts say that while the flaw does enable remote code execution, the severity of the error is mitigated due to the extensive user interaction required for the flaw to be exploited.
"It's remote code execution, but it's mitigated because a user has to download this file, then they have to open it, then they have to save it. It's a bunch of additional steps in order to be hacked," said Eric Schultze, CTO of Shavlik Technologies, based in Roseville, Minn.
Meanwhile, another patch fixes four errors in the Microsoft SQL server, which could allow an authenticated attacker to run malicious code to take complete control of a user's PC. Once arbitrary code was executed, the attacker could then install programs, alter data or create new accounts with full user login privileges.
Experts say that while Microsoft maintains the attack would have to come from an authenticated user to be effective, hackers could ostensibly infiltrate a system by using another exploit that impersonates an authenticated user or elevates login status.
"If it's code execution, then call it code execution," said Schultze."In the long run, it really is an issue that allows someone to steal your identification."
In addition, the patch load also repairs two glitches in Outlook Web Access for Microsoft Exchange Server that could allow an attacker to gain access to a private OWA client session. Once access is gained, an attacker could then execute script in order to read, delete or send e-mails on behalf of the user.
However, a successful attack would require user interaction -- an attacker would have to entice a victim to open an infected e-mail or visit a malicious Web site --which prevents the flaw from receiving a "critical" ranking, experts say.
While so far there are no known attacks exploiting the vulnerabilities, experts recommend that users and IT administrators apply the patches in a timely manner according to their own security environment. Security updates are available at the Download Center on the Microsoft Web site.