Between the Lines

Larry Dignan, Sam Diaz, Andrew Nusca

Get BTL via:: Mobile; RSS; Email Alerts
Bios:: Larry’s Bio; Sam’s Bio; Andrew’s Bio

July 8th, 2008

Microsoft delivers 'important' patches

Posted by Larry Dignan @ 10:51 am

Categories: General, Microsoft, Security

Tags: Microsoft SQL Server, Vulnerability, Patch Management, Microsoft Corp., Microsoft Outlook Web Access, Microsoft Windows, Microsoft Outlook, Microsoft Office, Security, Databases

Microsoft on Tuesday delivered nine important patches to fix vulnerabilities in SQL Server, Exchange Server, Vista and Windows Server.

Among the details, which were previewed last week.

CVE-2008-0085: A vulnerability in the way SQL Server manages memory page reuse. An attacker with database operator access could get to customer data. The versions impacted are SQL Server 7.0, SQL Server 2000 and SQL Server 2005 on Windows 2000, Windows Server 2003 and 2008.

CVE-2008-0086: A convert function vulnerability could allow an attacker to take control of a system. Same deal with CVE-2008-0107 and CVE-2008-0106.

CVE-2008-1435: Microsoft says: “A remote code execution vulnerability exists when saving a specially crafted search file within Windows Explorer. This operation causes Windows Explorer to exit and restart in an exploitable manner.” Operating systems impacted include Windows Vista and Windows Server 2008.

CVE-2008-1447 and CVE-2008-1454: Both of these fix vulnerabilities that allow DNS spoofing to redirect Internet traffic from legit sites. Windows 2000, XP, and Server 2003 impacted.

CVE-2008-2247 and CVE-2008-2248: Both of these vulnerabilities appear in Outlook Web Access for Exchange and involve cross-site scripting issues. Exchange Server 2003 and 2007 impacted. Microsoft sums up:

Exploitation of the vulnerability could lead to elevation of privilege on individual OWA clients connecting to Outlook Web Access for Exchange Server. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted e-mail that would run malicious script from within an individual OWA client. If the malicious script is executed, the script would run in the security context of the user’s OWA session and could perform any action the user could perform such as reading, sending, and deleting e-mail as the logged-on user.

Also see:

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic. See his full profile and disclosure of his industry affiliations.

For daily updates, follow Larry on Twitter.

Email Larry Dignan

Subscribe to Between the Lines via Email alerts or RSS.

Talkback
Most Recent of 54 Talkback(s)

Thread View
Flat View

Re: I think i'll install Firefox.: Good for you, though I'm surprised you don't already have it. Though by now, I suppose you do.

Once you have Firefox installed, go to their add-ons site and look up WindizUpdate, and install it... (Read the rest); Posted by: bart001fr Posted on: 07/16/08 You are currently: a Guest | Log in | Terms of Use