Microsoft released four security updates for July, rating all of them as important. Here's a brief description of each update; for more information, go to
MS08-037: Vulnerabilities in DNS Could Allow Spoofing
This vulnerability deals with the possible spoofing of the Windows DNS client and server. The most severe consequence from an attack leveraging this vulnerability is network traffic being redirected by the attacker from a legitimate host to the attacker's own systems. This bulletin replaces no previous bulletins.
Applies to: Windows Server 2003, Windows XP, and Windows 2000 DNS clients; Windows Server 2008, Windows Server 2003, and Windows 2000 DNS servers
Recommendation: Microsoft rates this update as important. The vulnerabilities have been privately rather than publically reported. You should test and deploy this update as a part of your organization's regular patch management strategy.
MS08-038: Vulnerability in Windows Explorer Could Allow Remote Code Execution
The attack vector for this vulnerability is a specially crafted saved-search file. The most severe consequence from an attack leveraging this vulnerability is an attacker taking complete control of an affected system. This bulletin does not replace any previous security bulletins.
Applies to: Windows Server 2008 and Windows Vista
Recommendation: Microsoft rates this update as important; however, the vulnerability was publically disclosed and could result in an attacked system being completely compromised. Although there were no critical bulletins released this month, you should test and deploy this update as a part of your organization’s accelerated patch management strategy.
MS08-039: Vulnerability in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege
Both of the vulnerabilities addressed by this update deal with cross-site scripting attacks against Outlook Web Access (OWA) clients connecting to OWA on Exchange Server 2007 and Exchange Server 2003. The most severe consequence from an attack leveraging this vulnerability is elevation of privilege, allowing the attacker to perform any action within an individual client’s OWA session. This bulletin replaces previous bulletin MS07-026.
Applies to: Exchange Server 2007 and Exchange Server 2003
Recommendation:
Microsoft rates this update as important. If your organization relies heavily on OWA, you should test and deploy this update as a part of your organization’s regular patch management strategy.
MS08-040: Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege
This update addresses four vulnerabilities that have been privately disclosed to Microsoft. The most severe consequence from an attack leveraging one of the vulnerabilities addressed by this bulletin is that an attacker could execute code and take complete control of an affected server, thus being able to install programs; view, change, or delete data; and create new accounts with administrative rights. This bulletin replaces no previous bulletins.
Applies to: SQL Server 2005, SQL Server 2000, and SQL Server 7.0
Recommendation: Although Microsoft rates this update as important, given the critical nature of SQL Server to many organizations and the possible leveraging of these vulnerabilities to take complete control of a database server (though admittedly under a very specific set of circumstances), you should thoroughly test and deploy this update as a part of your organization’s accelerated patch management strategy.
WinConnections Conference Fall 2008 Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).
Master SharePoint with 3 eLearning Seminars Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!
SharePointConnections Conference Fall 2008 Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).
VMworld 2008 - Sign Up Today! Join your peers on September 15-18 at The Venetian Hotel in Las Vegas as VMware hosts VMworld 2008, the leading Virtualization event.
Microsoft® Tech•Ed EMEA 2008 IT Professionals Advance your thinking with new ideas and practical real-world solutions at Microsoft’s FIVE day technical infrastructure conference 3-7 Nov., 2008. Register before 26 September 2008 to save €300.
Order Your Fundamentals CD Today! Gain an introduction to Exchange, learn server security requirements, and understand how unified communications can play a role in your messaging strategies with this free Exchange CD.
Are You Really Compliant with Software Regulations? View this web seminar that will help you with compliance best practices and check out a management solution to assure that you won’t be in jeopardy of an audit.
Virtualization Congress Oct. 14-16 in London Don't miss Virtualization Congress, the premiere EMEA conference dedicated to hardware, OS and application virtualization. Oct. 14-16 in London.
Register
