Microsoft addresses 9 security vulnerabilities with 4 "Important" bulletins

Microsoft announced 4 "Important" security bulletins today that cover 9 separate vulnerabilities. Of note were vulnerabilities reported in Windows DNS server and client, and within SQL Server. Briefly, the vulnerabilities involve:

• Cache poisoning and insufficient socket entropy flaws in Microsoft DNS Server
• A remote code execution vulnerability when saving a specially crafted search file within Windows Explorer
• Outlook Web Access data validation and parsing Cross-Site Scripting vulnerabilities
• Information disclosure and potential remote code execution flaws due to memory corruption in SQL Server

More details below:

• MS08-037 (Maximum severity of Important): This update resolves two newly discovered and privately reported vulnerabilities in the Windows Domain Name System (DNS), which could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s own systems.
  • Dan Kaminsky of IOActive reported a DNS Insufficient Socket Entropy Vulnerability (CVE-2008-1447)
    • A spoofing vulnerability exists in Windows DNS client and Windows DNS server. This vulnerability could allow a remote unauthenticated attacker to quickly and reliably spoof responses and insert records into the DNS server or client cache, thereby redirecting Internet traffic.To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-1447.

  • A cache poisoning vulnerability was reported in the Windows DNS Server
    • A cache poisoning vulnerability exists in Windows DNS Server. The vulnerability could allow an unauthenticated remote attacker to send specially crafted responses to DNS requests made by vulnerable systems, thereby poisoning the DNS cache and redirecting Internet traffic from legitimate locations.To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-1454.

• MS08-038 (Maximum severity of Important): This security update resolves a publicly reported vulnerability in Windows Explorer that could allow remote code execution when a specially crafted saved-search file is opened and saved. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • A vulnerability was reported in the way Windows handles saved searches
    • A remote code execution vulnerability exists when saving a specially crafted search file within Windows Explorer. This operation causes Windows Explorer to exit and restart in an exploitable manner. To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-1435.

• MS08-039 (Maximum severity of Important): This update resolves two newly discovered and privately reported vulnerabilities in Outlook Web Access (OWA) for Microsoft Exchange Server, which could allow an attacker to gain access to an individual OWA client’s session data, allowing elevation of privilege.
  • Michael Jordan of Context Information Security reported the OWA Data Validation Cross-Site Scripting Vulnerability (CVE-2008-2247) and the OWA Parsing Cross-Site Scripting Vulnerability (CVE-2008-2248)
    • This is a cross-site scripting vulnerability in the affected versions of Outlook Web Access (OWA) for Exchange Server. Exploitation of the vulnerability could lead to elevation of privilege on individual OWA clients connecting to Outlook Web Access for Exchange Server. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted e-mail that would run malicious script from within an individual OWA client. If the malicious script is executed, the script would run in the security context of the user’s OWA session and could perform any action the user could perform such as reading, sending, and deleting e-mail as the logged-on user.To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-2247.
    • This is a cross-site scripting vulnerability in the affected versions of Outlook Web Access (OWA) for Exchange Server. Exploitation of the vulnerability could lead to elevation of privilege on individual OWA clients connecting to Outlook Web Access for Exchange Server. To exploit the vulnerability an attacker would have to convince a user to open a specially crafted e-mail that would run malicious script from within an individual OWA client. The script would run in the security context of the user’s OWA session and could perform any action the user could perform, such as reading, sending, and deleting e-mail as the logged-on user.To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-2248.

• MS08-040 (Maximum severity of Important):This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.This security update is rated Important for supported releases of SQL Server 7.0, SQL Server 2000, SQL Server 2005, Microsoft Data Engine (MSDE) 1.0, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).
  • An anonymous finder reported a Memory Page Reuse Vulnerability (CVE-2008-0085)
    • An information disclosure vulnerability exists in the way that SQL Server manages memory page reuse. An attacker with database operator access who successfully exploited this vulnerability could access customer data. To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-0085.

  • An anonymous finder reported a Convert Buffer Overrun Vulnerability (CVE-2008-0086)
    • A vulnerability exists in the convert function in SQL Server that could allow an authenticated attacker to gain elevation of privilege. An attacker who successfully exploited this vulnerability could run code and take complete control of the system. To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-0086.

  • Brett Moore of Insomnia Security working with the iDefense VCP reported a SQL Server Memory Corruption Vulnerability (CVE-2008-0107)
    • A vulnerability exists in SQL Server that could allow an authenticated attacker to gain elevation of privilege. An attacker who successfully exploited this vulnerability could run code and take complete control of the system. To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-0107.

  • An anonymous finder reported the SQL Server Buffer Overrun Vulnerability (CVE-2008-0106)
    • A vulnerability exists in SQL Server that could allow an authenticated attacker to gain elevation of privilege. An attacker who successfully exploited this vulnerability could run code and take complete control of the system. To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-0106.

SQL Server and DNS vulnerabilities are always concerning. We'll see if more details on these flaws become available.

-Nate