Network World

Microsoft issues four patches, none critical

Vendor also part of historic multi-vendor patch for DNS.
By John Fontana, Network World, 07/09/2008

Microsoft's monthly Patch Tuesday on July 8 was relatively easy for corporate users, going off without a critical patch and only four vulnerabilities listed as "important."

The patch update, however, did not include a fix for the bug in Access that is currently being exploited by hackers, although Microsoft has issued some workarounds.

The patch release included Microsoft’s contribution to an historic multivendor patch release to close a hole in the Domain Name System protocol, a discovery that prompted CERT to issue an alert.

The other three patches that Microsoft released as part of Patch Tuesday focused on vulnerabilities in Outlook Web Access (OWA) and SQL Server that could allow an attacker to gain elevated privileges, and a hole in Windows Explorer that would allow remote code execution.

Even though Microsoft lists the OWA and SQL Server patches as important, some experts say certain users should treat them as critical.

“We recommend that people look at those two systems and if they do have SQL Servers or a lot of OWA use by executives that they possibly look at these two patches as critical,” said Don Leatham, director of solutions and strategy for security management vendor Lumension. He says those two systems can hold sensitive data.

“One thing that people need to understand with the SQL and OWA vulnerabilities is that they represent an opportunity to get at data. Microsoft’s [patch] classification is a lot about machine control,” he said.

MS08-039, which pertains to OWA, closes two holes in the software that, if exploited, would allow an attacker to perform any action the user could perform while in their OWA session. The flaws affect Exchange Server 2003 Service Pack 2 as well as Exchange Server 2007 and Exchange 2007 Service Pack 1.

MS08-040, the SQL Server patch, addresses four vulnerabilities. The most serious of them could allow an attacker to run code and take control of an affected server. The attacker could then install programs and view/change/delete data or create new accounts with full administrative rights. The complete list of affected SQL Server versions and Windows components is posted on the Microsoft Web site.

The Windows Explorer patch (MS08-037) addresses a flaw that could allow remote code execution, but the attack requires a victim to open a specially crafted saved-search file and then save it. The vulnerability affects Vista and Vista Service Pack 1 for both 32-bit and x64 systems, Windows Server 2008 (32-bit and x64), and Windows Server 2008 Itanium-based systems.

Comments (15)

Microsolt Updates
By Anonymous on July 9, 2008, 10:34 pm
One of the updates at work today was marked as critical as soon as it was downloaded I lost Internet connection, Microsoft screwed up again It took me 2 hours...

thanks for the list of ports
By Forgetful Smurf on July 9, 2008, 8:39 pm
Thanks for mentioning the port numbers. I forgot about port 443 and who knows how long it would have taken me to realize why a few of my connections were being filter....

Windows noncritical updates killed my internet access.
By Anonymous on July 9, 2008, 6:44 pm
I cannot get online or get e-mail after this so-called noncritical update. I will now try the work around someone above mentioned. I cannot NOT have internet access....

Ditto, did a restore point, & an update hiding KB951748
By Anonymous on July 9, 2008, 1:59 pm
After losing my $^%*&( connectivity. Using OpenDNS and FastCache but they were OK before the Automatic Update. I thought I forgot to pay the bill.

Lost internet access also
By Anonymous on July 9, 2008, 1:49 pm
I also lost internet access, and resorted to "uninstall KB951748 & KB951978". Access returned. Tried installing again, same problem. Uninstalled again & placed a...
