Microsoft patches 10 bugs with 7 bulletins in Windows
Microsoft released its June 2008 security bulletin, which includes three critical, three important, and one moderate patch.
The security bulletins for this month are as follows, in order of severity:
MS08-030 (Critical)
Summary
This security update resolves a privately reported vulnerability in the Bluetooth stack in Windows that could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Impact of Vulnerability
Remote Code Execution
Affected Software
Microsoft Windows XP SP2 and SP3, Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2, Windows Vista and Windows Vista Service Pack 1, Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1.
MS08-031 (Critical)
Executive Summary
This security update resolves one privately reported and one publicly disclosed vulnerability. The privately reported vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The publicly disclosed vulnerability could allow information disclosure if a user viewed a specially crafted Web page using Internet Explorer.
Impact of Vulnerability
Remote Code Execution
Affected Software
Microsoft Windows, Internet Explorer.
MS08-033 (Critical)
Executive Summary
This security update resolves two privately reported vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact of Vulnerability
Remote Code Execution
Affected Software
Microsoft Windows.
MS08-034 (Important)
Executive Summary
This security update resolves a privately reported vulnerability in the Windows Internet Name Service (WINS) that could allow elevation of privilege. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
Impact of Vulnerability
Elevation of Privilege
Affected Software
Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition Service Pack 2, Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems.
MS08-035 (Important)
Executive Summary
This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server, Windows Server 2003, and Windows Server 2008; Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003; and Active Directory Lightweight Directory Service (AD LDS) when installed on Windows Server 2008. The vulnerability could be exploited to allow an attacker to cause a denial of service condition. On Windows XP Professional, Windows Server 2003, and Windows Server 2008, an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could cause the system to stop responding or automatically restart.
Impact of Vulnerability
Denial of Service
Affected Software
Microsoft Windows 2000 Server Service Pack 4, Windows XP Professional SP 2 and SP 3, Windows XP Professional x64 Edition and Windows XP Professional x64 Edition SP 2, Windows Server 2003 SP 1 and SP 2, Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2, Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for x64-based Systems.
MS08-036 (Important)
Executive Summary
This security update resolves two privately reported vulnerabilities in the Pragmatic General Multicast (PGM) protocol that could allow a denial of service if malformed PGM packets are received by an affected system. An attacker who successfully exploited this vulnerability could cause a user's system to become non-responsive and to require a restart to restore functionality. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.
Impact of Vulnerability
Denial of Service
Affected Software
All Microsoft Windows versions (except Windows 2000 Service Pack 4).
MS08-032 (Moderate)
Executive Summary
This security update resolves a publicly reported vulnerability for the Microsoft Speech API. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the Speech Recognition feature in Windows enabled. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This update also includes a kill bit for software produced by BackWeb.
Impact of Vulnerability
Remote Code Execution
Affected Software
Microsoft Windows.