Critical IE, Bluetooth, DirectX flaws highlight MS Patch Tuesday

Microsoft's Patch Tuesday train rumbled into the security station today with high-priority patches for multiple vulnerabilities affecting Internet Explorer, the Bluetooth stack in Windows and Microsoft DirectX.

In all, the Redmond, Wash. software vendor released seven bulletins -- 3 critical, 3 important and 1 moderate -- with patches for at least 10 documented vulnerabilities affecting Windows users. The "moderate" bulletin also includes a "killbit" to address an ActiveX control vulnerability in a third-party product.
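A killbit is nothing more than a registry flag: Internet Explorer refuses to instantiate an ActiveX control whose CLSID has the 0x400 bit set in the "Compatibility Flags" DWORD under the ActiveX Compatibility key. The following PowerShell is an added example, not code from the article or from Microsoft's bulletin, for verifying that a killbit is actually in place and for setting one as an interim mitigation; the CLSID it uses is a labelled placeholder, not the identifier of the BackWeb or Microsoft controls covered by the bulletin.

```powershell
# Added example: check and set an Internet Explorer ActiveX "killbit".
# Requires an elevated shell to write to HKLM. On 64-bit Windows the 32-bit
# IE process reads the same key under SOFTWARE\Wow6432Node, so check both.

$KillBit    = 0x400
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatibilityFlags {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

function Test-ActiveXKillBit {
    # Returns $true only when the killbit is set for this CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $flags = Get-CompatibilityFlags -Clsid $Clsid
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-ActiveXKillBit {
    # OR the killbit into any flags already present rather than overwriting them.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    $current = Get-CompatibilityFlags -Clsid $Clsid
    if ($null -eq $current) { $current = 0 }
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

# Placeholder CLSID (constructed for this example, not a real control's identifier).
$placeholderClsid = '{00000000-0000-0000-0000-000000000000}'

if (Test-ActiveXKillBit -Clsid $placeholderClsid) {
    Write-Host "$placeholderClsid is already killbitted"
} else {
    Set-ActiveXKillBit -Clsid $placeholderClsid
    Write-Host "killbit set for $placeholderClsid : $(Test-ActiveXKillBit -Clsid $placeholderClsid)"
}
```

Replace the placeholder with the CLSID listed in the bulletin before relying on this check; a killbit on the wrong CLSID blocks nothing.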

The three critical bulletins all address flaws that could lead to remote code execution attacks.

The most serious of the three -- MS08-031 -- covers two separate issues (one publicly disclosed) affecting Microsoft's flagship IE browser. It affects IE 6 SP1 on Microsoft Windows 2000 SP4; IE 6 on supported versions of Windows XP; and IE 7 on supported versions of Windows XP and Windows Vista.

Microsoft warns:

An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

Windows users should also pay special attention to MS08-033, which covers two separate vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file.

The DirectX bulletin is rated critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

The third high-priority bulletin -- MS08-030 -- comes with a patch for a remote code execution bug in the Bluetooth stack:

A remote code execution vulnerability exists in the Bluetooth stack in Microsoft Windows because the Bluetooth stack does not correctly handle a large number of service description requests. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The three "important" bulletins cover serious flaws in WINS (Windows Internet Name Service); implementations of Active Directory; and denial-of-service bugs in the PGM (Pragmatic General Multicast) protocol.

The "moderate" bulletin covers a pair of buggy ActiveX controls from Microsoft and BackWeb.

Talkback

26 comments
  • Once again if you're looking for a reason to upgrade to Vista...

    ...here it is.
    ye
    • Why?

      Critical remote code execution in Vista as well
      rpmyers1
      • Which only execute with the privileges of...

        ...the logged on user. IOW standard user privileges thus they cannot harm the system (though I personally think data is more valuable but it makes removing easy).
        ye
        • maybe you NEED vista

          I have been limited user on XP ever since I heard of and figured out how to do this.

          And you are right about data not protected with most of these "security" schemes...
          Ipsenol
          • I don't need Vista. Been using LUP since Windows 3.51

            But I'm not the average computer user and know how to work around LUP issues. I don't expect the "average" computer user to be able to work around it.
            ye
          • Gosh, I thought you didn't NEED to be ...

            ... a techie to use MS Windows! Only those wildly techie folks who use Linux, and need to know how to click on that little update notice down on the task bar in GNOME or KDE, need to WORRY about futzing around with LUP, right?

            You mean you have to be all techified to use Vista? Gawrsh, I'm SHOCKED! <grin>
            OButterball
          • You don't need to be a technie to use Windows.

            That would be your strawman
            ye
          • LOL! I quote you, ye:

            "I don't expect the [i]'average'[/i] computer user to be able to work around it." (Emphasis is mine.)

            So, are you saying a "below average" computer user CAN work their way around? <chuckle> How does THAT work?
            OButterball
          • lol

            of course, you do know ye was talking about 3.1 in your quote.

            Maybe if you quit pretending Windows and Vista are synonyms the conversation would go smoother.
            rtk
      • wrong

        It can only execute if you allow it. Unless it somehow allowed itself into the thread of another application, it would require admin perms.
        Spiritusindomit
  • RE: Critical IE, Bluetooth, DirectX flaws highlight MS Patch Tuesday

    Installed patches and computer went into continuous reboot mode, even in safe mode. Did the same when I used recovery CD. I think I'm in trouble.
    jcorkrum
    • don't feed the troll
      qmlscycrajg
  • RE: Critical IE, Bluetooth, DirectX flaws highlight MS Patch Tuesday

    Windows 3.1 is the best Windows better than Vista & it all fit on 4 MB harddrive with lots of games.
    Hotdoge3
    • ridiculous

      Windows 3.1 was only good until Win 95, and that was kicked into submission by Win 98. Then eventually along came XP and killed them all horribly. Now we have Vista to put XP in the rubbish bin.
      vi0l3t1975
      • More ridiculous

        Being a computer user since the early 80's and starting with MS-DOS 2.1, I can tell you every new product $MS issues is the pits! When Win 3.1 was introduced, most power users wouldn't touch it. It was a glorified graphics memory-eating monster. But $MS went on their lies and bloated marketing schemes to convince PC vendors to push it! The mainstream public didn't know any better and refused to listen to the pros. Now that $MS learned an evil marketing strategy, they applied it to Win95/98. One of the best OS systems they issued was 2000... but that died off quickly and wasn't properly supported because they went on their marketing strategy for XP... now we have this bloated Vista that is about as pathetic an OS as we have ever seen... $MS needs to put the schematics of 2000 back on the blackboard and fix it... and that would be the best they could produce... but that won't happen, and since their marketing dept is so brainwashed and corrupt, you'll never see a decent OS from $MS!
        DarbyOhara
        • Aaah...Windows 2000, how I miss thee

          Yeah I'll agree about Win2K being one of the best OSes from the MS stable. Even more so when you consider how they were trying to push WinME(aaargh) onto the users. As far as I can see, WinXP is basically just a dolled up bloated version of Win2K, and when XP first came out it seemed amazing just how much MS could take a pretty decent OS and screw it up. Though they did work out many of the bugs in XP by SP1, it was only with SP2 that it became a better OS than Win2K.
          balaknair
          • Absolutely, Windows 2000 still is THE BEST M$ flavour

            Unfortunately we had to replace a dozen PCs with W2K by ones with XP SP3 lately.
            A hell of a step backwards in terms of network responsiveness. If I'd known that...

            Is there a possibility to downgrade from Vista to W2K?
            How come Microsoft OSes are constantly decreasing in quality (despite all the money being thrown at them)?

            Not only does quality decrease, they also become more and more power- and hardware-hungry, thereby ever increasing the footprint on our planet.

            Could you ever imagine the liability of any other industry making worse products and polluting more?
            Lewis J. Alba
  • PGM flaw is rated as moderate in Vista. It's rated as important in XP
    qmlscycrajg
  • Just go with the flow...

    with resistance.

    It's too bad MS didn't spend their dollars on XP with eye candy and security instead of building a new core that's an expensive upgrade.

    Planned obsolescence.

    c/,-O
    sykandtyed
  • Heh, I'm surprised no one has mentioned OpenGL

    Oh wait, that's probably because it *is* a code execution exploit.
    Spiritusindomit