'Important' Fixes To Come in Microsoft's July Patch Cycle

• By Jabulani Leffall
• 07/07/08

IT pros will come back from the holiday weekend to face a possible four patches in Microsoft's July patch rollout, according an advance announcement issued by the company. The patches, arriving Tuesday, won't contain "critical" or "moderate" items, but all four will be deemed "important."

Microsoft will address a mix of exploit risks with the July patch, including two elevation-of-privilege vulnerabilities, one spoofing security risk and one remote code execution (RCE) exploit. The infamous RCE problem continues to be a concern as the software giant's 2008 hotfix cycle passes its half-way point.

The first important fix addresses an elevation-of-privilege problem in SQL Server. Hackers can gain back-door access into the database and change fields to configure user access parameters, giving themselves superuser or unlimited access to run amok on a network.

In the last week of June, Redmond issued a security advisory pertaining to certain components of SQL Server, citing a recent "escalation in a class of attacks targeting Web sites" and using the database application as an incursion vector. This new SQL patch is far reaching as it touches several releases of the database and server software program, including SQL Server 7.0 Service Pack 4, SQL Server 2000 for Itanium systems and all versions of SQL Server 2005 SP2.

Also included as part of this fix are Microsoft Data Engine 1.0 SP4, SQL Server 2000 Desktop Engine SP4, SQL Server 2005 Express Edition SP2 and SQL Server 2005 Express Edition with Advanced Services SP2.

The SQL patch affects Windows 2000 Service Pack 4 and Windows Server 2003 (SP1 and SP2), including 64-bit editions. Windows Internal Database (WYukon) is also affected as the patch relates to all versions of Windows Server 2008 except for Itanium-processor-based systems.

The second fix blocks potential RCE exploits in all versions of Windows Vista and Windows Server 2008.

The third fix staves off spoofing, which is the act of masking Internet Protocol configurations under false pretenses by faking the sending address of a transmission in order to gain illegal entry into a secure system. The patch affects the client and server side update functions for Windows 2000 SP4, client updates for multiple versions of Windows XP, and client and server update functions in Windows Server 2003. The fix addresses server-side updates for all versions of Windows Server 2008, except for those running on an Itanium system.

The final fix is one that network and systems administrators might note. It involves an elevation-of-privilege attack on Exchange Server, the near ubiquitous software package that supports e-mail, task scheduling, instant messaging and Web traffic flow. A hacker with carte blanche access could shut down Exchange Server, redirecting traffic or stealing large e-mail listserve addresses.

All four fixes will require a restart to implement the patch.

Microsoft's advanced warning is not always the final word on what IT pros can expect to see, but it's a good indicator. Redmond points users to this Knowledgebase article for a list of all Windows Server Update Services and Windows Update upgrades that will come out this month.

Future items will include an update of the dynamic installer function in Internet Explorer, a Windows Mail junk e-mail feature and a nonsecurity update for Windows Server 2008.