labels: Technology, Cisco Systems, Microsoft, Sun Microsystems
Microsoft patches up internet deficiencies, joined by Cisco and Sun Microsystems
10 July 2008

Microsoft has often been derided as a maker of buggy software that requires frequent patches. The software major did that image no good by releasing four such corrections on its monthly Patch Tuesday on 8 July, although all of them were rated important rather than critical.

The patch release included Microsoft's contribution to an historic multi-vendor patch release to close a hole in the Domain Name System (DNS), which converts Web addresses into the numerical sequences that computers use to direct traffic across the Internet.

The fundamental flaw found in the DNS offered hackers the possibility of redirecting unsuspecting Web surfers to alternate addresses and tampering with the DNS records of network providers.

The other three patches that Microsoft released as part of Patch Tuesday focused on vulnerabilities in Outlook Web Access (OWA) and SQL Server that could allow an attacker to gain elevated privileges, and a hole in Windows Explorer that would allow remote code execution.

Even though Microsoft lists the OWA and SQL Server patches as important, some experts say certain users should treat them as critical.

Apart from Microsoft, Cisco Systems and Sun Microsystems also released several software patches for their users on the same day, significantly raising the level of protection for Internet users.

"This is the largest synchronised security upgrade in the history of the Internet," said a statement from the Computer Security Response Team, or CERT, a division of Homeland Security. "An attacker could easily take over portions of the Internet and redirect users to arbitrary and malicious locations."

The flaw was discovered by accident several months ago, and a specially assembled team of researchers from all the companies involved worked assiduously to develop the security patches released simultaneously on Tuesday.

MS08-039, which pertains to OWA, closes two holes in the software that, if exploited, would allow the attacker to perform any action the user could perform while in their OWA session. The flaws affect Exchange Server 2003 Service Pack 2 as well as Exchange Server 2007 and Exchange 2007 Service Pack 1.

MS08-040, the SQL Server patch, addresses four vulnerabilities. The most serious of them could allow an attacker to run code and take control of an affected server. The attacker could then install programs and view/change/delete data or create new accounts with full administrative rights. The complete list of affected SQL Server versions and Windows components is posted on the Microsoft Web site.

The Windows Explorer patch (MS08-037) addresses a vulnerability that could allow remote code execution, but the attack requires a victim to open a specially crafted saved-search file and then save it. The vulnerability affects Vista and Vista Service Pack 1 for both 32-bit and x64 systems, Windows Server 2008 (32-bit and x64), and Windows Server 2008 Itanium-based systems.

