News
Microsoft To Issue 7 Patches This Month
Redmond projects a rollout of seven fixes, with three rated critical, three important and one moderate.
Redmond
projects
a rollout of seven fixes for its June patch release, with three rated critical,
three important and -- in a rare twist, considering previous months' rollouts
-- one moderate.
A good deal of the bulletins relate to potential remote code execution (RCE)
exploits, a recurring theme for Microsoft applications and services for years
now. In fact, all of the critical items slated for this month's Patch Tuesday
plug holes vulnerable to RCE exploits in Windows programs interacting with wireless
protocol using voice and data for Bluetooth, Internet Explorer and Microsoft
DirectX.
Meanwhile, the important fixes represent a mix of security preparedness considerations
as they're designed to block elevation of privilege and denial-of-service attacks
in Windows Internet Name Service, Active Directory and Pragmatic General Multicast,
a transport protocol in Windows programs used for file transfer and streaming
media.
The lone moderate patch pertains to the kill bit function in Windows programs,
a method by which a user can shut of an ActiveX control in Internet Explorer.
Critical Items
The first critical item dealing with Bluetooth and how it interoperates with
Windows components and applications affects XP SP2 and SP3 and Vista SP1.
Next is the critical patch for IE, which will likely be the one critical item
to watch closely as it affects every release from IE 5.01 through IE 7 and cuts
a wide swath across operating systems. This patch will touch Windows 2000 SP4,
XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Vista SP1, and all versions
of Windows Server 2008.
The final critical patch deals with different versions of DirectX, a group
of application programming interfaces mostly used by developers of games, streaming
audio, interactive video and other graphics features on Microsoft platforms.
It affects Windows 2000 SP4, XP SP2 and SP3, Vista SP1, and Windows Server 2003
and 2008.
All the critical items have RCE implications.
Important Bulletins
The leading important patch this month involves Windows Internet Name Service,
a data cluster for names and network addresses that acts as the central mapping
function for the network. This patch would prevent a hacker incursion that could
result in someone elevating administrative and read, write and edit privileges
in a given system. It affects all editions of Windows Server 2003.
The second important patch touches Active Directory settings in XP, Windows
Server 2003 and the 32- and 64-bit versions of Windows Server 2008. AD is a
critical feature where Windows settings are configured for end users and super-users,
and serves as a sort of a system setup schematic. The patch would prevent a
hack that would leave enterprise users locked out of the system via denial-of-service
exploits.
The third and final important patch is something IT security pros rarely have
to deal with but that network admin folks might see more often: the file transfer
and streaming media transmission protocol called Pragmatic General Multicast.
This fix would also prevent denial-of-service exploits from seeping through.
It affects XP, Vista, Windows Server 2003 and Windows Server 2008.
The Moderate Kill Bit Patch
Typically, when a security vulnerability involves an ActiveX control, a patch
delivers a new control and sets the "kill bit" on the vulnerable control.
This patch is, in effect, a patch for the kill bit function itself. It touches
Windows 2000 SP4, XP, Vista, and Windows Server versions 2003 and 2008.
All seven patches will require a restart or reboot of some kind.
And, once again, Microsoft is referring IT pros and Windows Enterprise professionals
to this
Knowledge Base article for a description of non-security and high-priority
updates on Microsoft Update, Windows Update and Windows Server Update Services.
The support page is a crowded but comprehensive list of changes in content and
deployment of updates. Some of this month's items include updates for IE 7 dynamic
installer and updates for XP, Vista, and Windows Server versions 2003 and 2008.
About the Author
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.