
Microsoft delivers 'important' patches

Written by Larry Dignan, Contributor

Microsoft on Tuesday delivered nine important patches to fix vulnerabilities in SQL Server, Exchange Server, Vista and Windows Server.

Among the details, which were previewed last week:

CVE-2008-0085: A vulnerability in the way SQL Server manages memory page reuse. An attacker with database operator access could get to customer data. The versions impacted are SQL Server 7.0, SQL Server 2000 and SQL Server 2005 on Windows 2000, Windows Server 2003 and 2008.

CVE-2008-0086: A convert function vulnerability could allow an attacker to take control of a system. Same deal with CVE-2008-0107 and CVE-2008-0106.

CVE-2008-1435: Microsoft says: "A remote code execution vulnerability exists when saving a specially crafted search file within Windows Explorer. This operation causes Windows Explorer to exit and restart in an exploitable manner." Operating systems impacted include Windows Vista and Windows Server 2008.

CVE-2008-1447 and CVE-2008-1454: Both of these fix vulnerabilities that allow DNS spoofing to redirect Internet traffic from legit sites. Windows 2000, XP, and Server 2003 impacted.

CVE-2008-2247 and CVE-2008-2248: Both of these vulnerabilities appear in Outlook Web Access for Exchange and involve cross-site scripting issues. Exchange Server 2003 and 2007 impacted. Microsoft sums up:

Exploitation of the vulnerability could lead to elevation of privilege on individual OWA clients connecting to Outlook Web Access for Exchange Server. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted e-mail that would run malicious script from within an individual OWA client. If the malicious script is executed, the script would run in the security context of the user’s OWA session and could perform any action the user could perform such as reading, sending, and deleting e-mail as the logged-on user.
