Critical IE, Bluetooth, DirectX flaws highlight MS Patch Tuesday

Microsoft's Patch Tuesday train rumbled into the security station today with high-priority patches for multiple vulnerabilities affecting Internet Explorer, the Bluetooth stack in Windows and Microsoft DirectX.

In all, the Redmond, Wash. software vendor released seven bulletins -- three critical, three important and one moderate -- with patches for at least 10 documented vulnerabilities affecting Windows users. The "moderate" bulletin also includes a "killbit" (a registry flag that stops Internet Explorer from loading a given ActiveX control) to address an ActiveX control vulnerability in a third-party product.

The three critical bulletins all address flaws that could lead to remote code execution attacks.

The most serious of the three -- MS08-031 -- covers two separate issues (one publicly disclosed) affecting Microsoft's flagship IE browser. It affects IE 6 SP1 on Microsoft Windows 2000 SP4; IE 6 on supported versions of Windows XP; and IE 7 on supported versions of Windows XP and Windows Vista.

Microsoft warns:

An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

Windows users should also pay special attention to MS08-033, which covers two separate vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file.

The DirectX bulletin is rated critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

The third high-priority bulletin -- MS08-030 -- comes with a patch for a remote code execution bug in the Bluetooth stack:

A remote code execution vulnerability exists in the Bluetooth stack in Microsoft Windows because the Bluetooth stack does not correctly handle a large number of service description requests. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The three "important" bulletins cover serious flaws in WINS (Windows Internet Name Service); flaws in Active Directory implementations; and denial-of-service bugs in the PGM (Pragmatic General Multicast) protocol.

The "moderate" bulletin covers a pair of buggy ActiveX controls from Microsoft and BackWeb.
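For readers who want to verify that a killbit of the kind mentioned above (and in the bulletin count earlier in this post) is actually in effect on a machine, the following PowerShell is an added example, not code from the article or from Microsoft. It assumes only the documented mechanism: IE refuses to instantiate a control whose CLSID has the 0x400 bit set in the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility (and, for 32-bit IE on 64-bit Windows, the Wow6432Node mirror of that key). The CLSID used at the bottom is a placeholder, not the CLSID of any control named in the bulletins.

```powershell
# Added example: audit or apply an ActiveX kill bit for a given CLSID.
# Not from the article or the bulletins; the CLSID at the bottom is a
# placeholder to be replaced with the control's real CLSID.

$KillBitFlag = 0x400   # bit IE checks in "Compatibility Flags" before loading a control

function Get-KillBitPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    # Reject anything that is not a GUID so a typo cannot create a junk key.
    [void][guid]::Parse($Clsid.Trim('{', '}'))
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # 32-bit IE on 64-bit Windows reads the WOW6432Node view, so audit and set both.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in Get-KillBitPaths $Clsid) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # Missing key, or flag absent in either registry view, means the control can still load.
        if (-not $flags -or ($flags -band $KillBitFlag) -eq 0) { return $false }
    }
    return $true
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in Get-KillBitPaths $Clsid) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the bit in so any other compatibility flags already present are preserved.
        $new = [int]$existing -bor $KillBitFlag
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Placeholder CLSID (assumption, not from the article); substitute the vulnerable control's CLSID.
$Clsid = '{00000000-0000-0000-0000-000000000000}'
if (Test-KillBit $Clsid) { "kill bit set for $Clsid" } else { "kill bit NOT set for $Clsid" }
# To apply it yourself, from an elevated session:  Set-KillBit $Clsid
```

Checking both registry views matters in practice: a killbit written only to the native 64-bit key leaves the 32-bit IE that most users actually ran at the time free to load the control.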


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio
