Microsoft patch day: nine plugged, two open
With four updates classed as important, Microsoft has plugged vulnerabilities in Windows Explorer, Windows Domain Name System, SQL Server and Exchange Server. The known security problems in Internet Explorer when dealing with domain boundaries and in an ActiveX control in MS Office are, however, still pending.
The vulnerability in Explorer described in MS08-038 affects Windows Vista and Server 2008 only. It results from a bug in Explorer when it saves a search in a .search-ms file, with the result that specially crafted search files could infect a computer with malicious software. The update also happens to fix a bug which results in AutoRun and AutoPlay sometimes failing to be deactivated properly under Vista.
There are two problems in the Domain Name Service in Windows 2000, XP and Server 2003, which affect not only the DNS server, but also the name server on all affected Windows systems. As revealed in security bulletin MS08-037, the Windows DNS also has problems with too little randomness. Transaction IDs for DNS queries can apparently be guessed sufficiently reliably that attackers could generate spoofed responses, which would then end up in the DNS cache.
This update appears to relate to the massive DNS security problems affecting multiple vendors. Amongst other things, the patch ensures that the UDP source port for DNS queries is selected at random. This may lead to problems with restrictive personal firewall configurations which rely on DNS queries always coming from the same port, resulting in users being disconnected from the internet. A possible workaround is a rule allowing UDP packets from arbitrary ports to UDP port 53 of the ISP's DNS server, along with the associated responses.
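The effect of the two DNS fields discussed above (transaction ID and UDP source port) can be checked from captured outgoing queries. The following Python code is an added example, not taken from the article or from Microsoft: it classifies how each field behaves across successive queries and estimates how many (port, transaction ID) combinations an off-path spoofer would have to cover. The observations are constructed, and using the observed port spread as a pool estimate is an assumption of this example.

```python
import struct

FIELD_SPACE = 2 ** 16  # transaction ID and UDP port are both 16-bit values

def txid_of(dns_payload: bytes) -> int:
    """Transaction ID = first two bytes of the 12-byte DNS header."""
    if len(dns_payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", dns_payload[:2])[0]

def pattern(values):
    """Classify successive values (source ports or TXIDs) of outgoing queries."""
    if len(values) < 3:
        raise ValueError("need at least three observations")
    if len(set(values)) == 1:
        return "fixed"
    steps = {(b - a) % FIELD_SPACE for a, b in zip(values, values[1:])}
    return "incremental" if len(steps) == 1 else "scattered"

def blind_guess_space(observations):
    """Combinations of (port, TXID) an off-path spoofer has to cover.

    A fixed or incremental field is predictable and counts as 1. For a
    scattered port the observed spread is used as a lower-bound estimate
    of the port pool (assumption of this example).
    """
    ports = [port for port, _ in observations]
    txids = [txid_of(payload) for _, payload in observations]
    space = 1
    if pattern(txids) == "scattered":
        space *= FIELD_SPACE
    if pattern(ports) == "scattered":
        space *= max(ports) - min(ports) + 1
    return space

def query_header(txid):
    # Constructed 12-byte header: standard query, RD set, one question.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)

# Constructed observations: (UDP source port, DNS payload).
SAME_PORT = [(1053, query_header(t)) for t in (0x1A2B, 0x9C01, 0x44F0, 0x7E13)]
RANDOM_PORT = [(p, query_header(t)) for p, t in
               [(49731, 0x1A2B), (52210, 0x9C01), (50007, 0x44F0), (61388, 0x7E13)]]

if __name__ == "__main__":
    for name, obs in (("same port", SAME_PORT), ("random port", RANDOM_PORT)):
        print(name, pattern([p for p, _ in obs]), blind_guess_space(obs))
```

A "fixed" port result also identifies the hosts whose DNS traffic a single-source-port firewall rule currently matches, and which will stop matching once the update randomises the port.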
The second vulnerability is described only vaguely by Microsoft as a DNS cache poisoning problem. It appears that responding DNS servers can send extra, unrequested responses, which the recipient spuriously evaluates and saves. This has echoes of a problem exploited for huge attacks back in 2005. DNS cache poisoning involves manipulating the Domain Name System such that queries to a web server are diverted to an attacker's website.
Microsoft SQL Server apparently has memory management problems. The patch described in MS08-040 fixes four such problems. Versions 7, 2000 and 2005 are affected, as are various services based on SQL Server, such as Microsoft Data Engine and Windows Internal Database (WYukon) in Windows Server 2003/2008. The most extreme effect of the bugs is apparently unwanted disclosure of information or escalation of privileges. Two of the three buffer overflows allow attackers to inject code, but they must be logged onto the database to do so. This would certainly be the case, however, in the event of an SQL injection attack via a web frontend.
Security bulletin MS08-039, on Exchange 2003/2007, deals with typical vulnerabilities in web applications. Outlook Web Access, a web frontend, contains two cross-site scripting vulnerabilities. The updates are being distributed with immediate effect via the automatic update service, which also includes a new version of the Malicious Software Removal Tool.
- Microsoft Security Bulletin Summary for July 2008, summary from Microsoft