Microsoft’s June Patch Tuesday has arrived with three “critical” bulletins in tow.
Microsoft issued a total of seven bulletins June 10, with the three rated critical affecting Internet Explorer, DirectX and Bluetooth. All three address vulnerabilities that permit hackers to execute code remotely.
The IE bulletin addresses two vulnerabilities, one of which has already been disclosed publicly. Microsoft officials warned that both vulnerabilities can be exploited if a victim views a malicious Web page, with the publicly disclosed vulnerability allowing hackers to steal information. According to the company, enterprises can reduce the impact of the issue by minimizing user rights.
The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles calls to HTML objects and validates data, the company stated in its advisory. The IE bulletin affects a number of versions of the browser, including Windows Internet Explorer 7, across several editions of the Windows 2000, Vista and XP and Windows Server 2003 and 2008 platforms.
The security update also fixes a vulnerability in the Bluetooth stack in Windows that could allow an attacker to take complete control of an affected system. It affects only certain editions of Windows Vista and XP.
The DirectX bulletin affects editions of Windows 2000, Vista and XP and Windows Server 2003 and 2008. The update addresses two vulnerabilities in DirectX, both of which could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system, the company warned.
Also included in the Patch Tuesday update are three bulletins rated “important” that deal with vulnerabilities in PGM (Pragmatic General Multicast), Active Directory and WINS (Windows Internet Name Service). The vulnerabilities involving PGM and Active Directory can cause a denial-of-service condition, while the WINS bulletin addresses an escalation-of-privileges situation.
While Microsoft did not rate the Active Directory vulnerability critical, Tyler Reguly, a security engineer with nCircle, said this vulnerability may be the most interesting to enterprises.
“It actually replaces a previous AD DoS from earlier this year and affects everything that could be running AD, all the way up to Server 2008,” Reguly said. “While this doesn’t affect most systems in a enterprise environment, it does affect any [or] all domain controllers that exist and these are considered critical infrastructure.”
The final bulletin, rated “moderate,” deals with Kill Bit and can result in remote code execution.
This month’s Patch Tuesday release brings the number of security bulletins issued by Microsoft to 36 in 2008.