Microsoft fixes 9 flaws with 4 patches; none critical

Microsoft today released its July 2008 security bulletin highlighting items all considered important but not critical. They are for Domain Name Service in Windows, Windows Explorer within Windows Vista, Outlook Web Access (OWA), and Microsoft SQL servers. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-037: Important

Entitled "Vulnerabilities in DNS Could Allow Spoofing (953230)," this bulletin is for users of Windows 2000, Windows XP, and Windows Server 2003; not affected are users of Windows Vista (both 32-bit and 64-bit editions) and Windows Server 2008. The update addresses vulnerabilities detailed in CVE-2008-1447 and CVE-2008-1454. The patch modifies the Windows Domain Name System (DNS) in Windows. Microsoft says these two vulnerabilities exist in both the DNS client and DNS server and could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems.

MS08-038: Important

Entitled "Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)," this bulletin only affects users of Windows Vista and Windows Server 2008; all other versions of Windows are not affected. The update addresses vulnerability detailed in CVE-2008-1435. Microsoft says "the vulnerability in Windows Explorer that could allow remote code execution when a specially crafted saved-search file is opened and saved. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

MS08-039: Important

Entitled "Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)," this bulletin affects users of Microsoft Outlook Exchange Server 2003 and Microsoft Outlook Exchange Server. The update addresses the issues detailed in CVE-2008-2247 and CVE-2008-2248. Microsoft says "an attacker who successfully exploited these vulnerabilities could gain access to an individual Outlook Web Access (OWA) client's session data, allowing elevation of privilege. The attacker could then perform any action the user could perform from within the individual client's OWA session."

MS08-040: Important

Entitled "Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)," this bulletin affects SQL Server 7.0 Service Pack 4, SQL Server 2000 Service Pack 4, SQL Server 2000 Itanium-based Edition Service Pack 4, SQL Server 2005 Service Pack 2, SQL Server 2005 x64 Edition Service Pack 2, SQL Server 2005 with SP2 for Itanium-based Systems, Microsoft Data Engine (MSDE) 1.0 Service Pack 4, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) Service Pack 4, Microsoft SQL Server 2005 Express Edition Service Pack 2, Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 2, Microsoft SQL Server 2000 Desktop Engine (WMSDE), Windows Internal Database (WYukon) Service Pack 2, Microsoft SQL Server 2000 Desktop Engine (WMSDE), Windows Internal Database (WYukon) x64 Edition Service Pack 2. This update addresses the vulnerability detailed in CVE-2008-0085, CVE-2008-0086, CVE-2008-0107, and CVE-2008-0106. Microsoft says this bulletin "resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."

[jimmurray1946]

I dont know about you but my machine would not go on line after the new downloads were installed on my machine. I re-started several times and it wasn't until i used a restore (prior to the automatic download) point that I was able to get back on line and then.... the auto downloads re-installed and I was again bumped off line. <My son is on the same router with me however he uses vista and was not affected since the fix was for xp. I now have disabled the auto updater and I am able to stay on line. What happened??

[william.kroshl]

Are you using Zone Alarm? Their support board has been full of emails about this problem. RIght now they just recommend that you uninstall the patch from MS while they come up with a solution. I had the problem on two XP machines that auto updated windows.

[ronbee48]

I had the same problem after the Windows downloads, I could not get online.

Used system restore and that solved the problem.

[davefrombc]

I had the same problem , but used the repair function for Windows Live Messenger to fix it ..When I couldn't connect to the net with anything, I tried the troubleshoot wizard for Messenger, clicked the repair button after the diagnosis, and connection problems were cleared up . I am running Zonealarm free, and AVG 8 and have had no problems with them.
PC is running XP Home through a Linksys router and cable modem.

[william59]

I had the same problem! No Internet. I did a system restore and I had internet. I turned of auto update. but now I see how I can uninstall the update.