This month’s patch cycle from Microsoft isn’t quite as severe as the past few months. In fact, none of the four security bulletins, which contain a total of nine fixes, is considered critical, the most severe of alerts.
MS08-037 through MS08-040 are all listed as important, the next level of severity, which means Microsoft does recommend they be installed as soon as possible, but they are not considered must-install like a critical patch would be.
MS08-037 fixes two problems in the Windows Domain Name System (DNS) that might allow a remote attacker to redirect network traffic to their own systems instead. MS08-038 fixes problems in Windows Explorer that could allow an attacker to remotely take complete control of an affected system when a specially crafted saved-search file is opened and saved.
MS08-039 resolves problems in Outlook Web Access (OWA) for Microsoft Exchange Server, which could allow an attacker to gain access to an individual OWA client’s session data. Finally, MS08-040 addresses four vulnerabilities in Microsoft’s SQL language implementation.
Even though they are all listed as important, security experts say don’t dawdle. “Although there are no critical vulnerabilities in this cycle, McAfee would like to take this opportunity to remind enterprises to patch their applications,” the company said in note to InternetNews.com.
“July offers a summer break for patching, and although this is a minor patch, McAfee encourages all customers to update according to their risk management strategy and protect the integrity of their systems and data,” added Dave Marcus, director of security research for Avert Labs at McAfee.
Tyler Reguly, a security engineer from security provider nCircle, thought that MS08-037 was the most urgent patch to be applied. “The two DNS vulnerabilities are very serious because there is potential to poison both the DNS Server and Client. If an attacker poisons the cache of a client by spoofing a response, it only affects a single computer, but if they poison the DNS Server, they could potentially provide spoofed responses to all clients utilizing that nameserver,” he said in an e-mailed comment.
In addition to the fixes, later this month, Microsoft will issue an infrastructure update to the Windows Update client itself that it said will provide “meaningful improvements in Microsoft’s ability to service customers quickly and efficiently.”
As per tradition, Microsoft has also updated its Malicious Software Removal tool, this month adding the Win32/Horst line of Trojan horses to its detection list.
Microsoft will host a webcast to discuss the fixes on Wednesday, July 9, 2007 at 11:00 AM PDT.