Light Patch Tuesday, but server flaws serious

Microsoft released only four "important" security patches as part of its July Patch Tuesday update late yesterday.

Although the fixes were comparatively fewer in number than previous Patch Tuesdays and they were all given only Microsoft's second highest severity rating, security experts are still urging IT administrators not to become complacent.

Andrew Clarke, Lumension Security international senior vice president said: "This [Patch Tuesday] gives administrators some breathing room to get caught up and assess their overall security posture from a mitigation standpoint."

The security bulletins address the software maker's Windows operating system (OS) as well as, more seriously from the security experts' point of view, its SQL and Exchange servers.

"Organisations should pay close attention to the two security updates that address Elevation of Privilege on Microsoft SQL Servers and Microsoft Exchange Servers," said Clarke.

Elevation of privilege on these systems can easily negate the policy and enforcement efforts made during provisioning and access management setup on these important systems. MS08-039 updates Exchange 2003 and 2007 with two patches, and MS08-040 is a four-patch update for Microsoft's SQL Server software.

Clarke said companies that depend heavily on SQL and Exchange servers to manage key data should treat these patches as a "critical" level security update, the highest rating Microsoft has.

"Both of these products can be high-value targets and these vulnerabilities could be considered critical depending on the organisation," added Clarke. "Many corporations hold not only their basic business information, but also their customer or patient data and critical intellectual property in Microsoft SQL Servers databases, or transmit these types of data via Microsoft Exchange servers."

The third update, MS08-038, addresses a remote code execution vulnerability in Windows Vista and Windows Server 2008 that affects the saved search feature and its associated file format in those OSs.

The fourth, MS08-037, patches two domain name system (DNS) bugs in every supported version of Windows except Vista. This "indicates the possible violation of the fundamental principle of trusted communication over the network and should also be seriously reviewed," said Clarke.

"This threat affects most Windows platforms and could allow for the execution of spoofing attacks. Every network-based communication or transaction is based on trust between the sender and receiver," he added. "If that trust can be broken by mimicking a trusted source, then this becomes a major problem that needs to be closely examined and quickly addressed."

Miya Knights

A 25-year veteran enterprise technology expert, Miya Knights applies her deep understanding of technology gained through her journalism career to both her role as a consultant and as director at Retail Technology Magazine, which she helped shape over the past 17 years. Miya was educated at Oxford University, earning a master’s degree in English.

Her role as a journalist has seen her write for many of the leading technology publishers in the UK such as ITPro, TechWeekEurope, CIO UK, Computer Weekly, and also a number of national newspapers including The Times, Independent, and Financial Times.