Patch Tuesday Vulnerabilities Include Two Key Servers
Microsoft issued four bulletins that address nine vulnerabilities for July’s Patch Tuesday, none of them critical. This is the first time since last year that none of the patches were rated critical. With only four vulnerabilities rated “important,” IT administrators have some breathing room to get caught up and reassess their security, researchers said.
(Early reports on the Web have indicated the DNS bug fix, patch KB951748, which scrambles the address from which a request comes, affects some third-party firewalls. In particular, ZoneAlarm Pro was reported unable to access the Internet after the patch was applied. Suggested workarounds were to lower ZoneAlarm’s Internet Zone security setting to medium or remove Microsoft’s patch.)
“There are no patches rated critical this month, but there are a number of notable patches, including one addressing a new file type found in Vista,” said Ben Greenbaum, senior research manager at Symantec Security Response. “The Microsoft Windows Explorer saved-search File Remote Code Execution Vulnerability is the first report of a vulnerability using the new Search-MS file type, introduced in Vista.”
Focusing on High-Value Targets
Despite the apparent reprieve, organizations still need to pay close attention to the two security updates that address elevation of privilege on Microsoft SQL Server and Microsoft Exchange Server, said Don Leatham, director of solutions and strategy at Lumension. That’s because elevation of privilege can easily negate the policy and enforcement efforts on these systems.
“Both of these products can be high-value targets and these vulnerabilities could be considered critical, depending on the organization. Many corporations hold not only their basic business information, but also their customer/patient data and critical intellectual property in Microsoft SQL Server databases, or transmit these types of data via Microsoft Exchange servers,” Leatham said.
Web Application Security
The two Exchange vulnerabilities involve cross-site scripting (XSS) and underline again the growing importance of Web application security, according to Tyler Reguly, a security engineer for nCircle, a network security firm that works with companies like Safeway, ESPN and Archer Daniels Midland.
“In this case, the XSS would be in a specially crafted e-mail and could allow for full session hijacking,” Reguly said. “These vulnerabilities offer great opportunity for an attacker to snoop for additional information before attempting to breach a company’s network security.”
Turning to SQL Server, Reguly said he was surprised that all four patched vulnerabilities require authentication. Either more work has gone into looking for unauthenticated remote vulnerabilities in the past, which has secured that attack surface, or Microsoft is working harder to prevent unauthenticated remote vulnerabilities, he said.
“If it is the second case, then I wonder if perhaps Microsoft is failing to pay close enough attention to the authenticated vulnerabilities,” Reguly said. “This could mean there is, perhaps, a larger attack surface for insider threats than there is for outside attackers.”
Source: newsfactor