Microsoft patches address kernel, DNS flaws

Microsoft has issued just a handful of security updates tackling flaws in the Windows kernel, Domain Name System (DNS) and SChannel security software.

As outlined in last week's preview, out of the three patches released this month, only the kernel bug was rated critical, because the software firm said it could allow a hacker to run malicious software remotely on all unpatched versions of Windows.

The critical MS09-006 kernel update blocks the most serious remote code execution vulnerability.

The other two patches were given the less severe rating of "important" and relate to spoofing in versions of Microsoft's Windows operating system (OS).

The MS09-008 DNS patch tackles four vulnerabilities that could allow hackers to poison the servers handling internet addresses. Two relate to the Kaminsky attack vectors discovered last year.

The DNS patch also plugs holes that could be exploited to initiate so-called 'man-in-the-middle' attacks, where a user is redirected to a spoofed, lookalike website that will try to prompt them to divulge sensitive personal information.

Microsoft also patched a flaw in its SChannel software that is used to create Secure Sockets Layer (SSL) connections on Windows systems. It said the flaw could allow an attacker to spoof a digital certificate and so bypass certain security authentication features.

This month's updates did not, however, fix a recent zero-day flaw in Excel, although Microsoft has said it is working on a patch for the vulnerability.

But it did release high-priority, non-security updates on Windows Update, Microsoft Update and Windows Server Update Services (WSUS).

Amol Sarwate, Qualys Vulnerability Research Labs manager, agreed with most security analysts that administrators should apply this month's critical kernel update straightaway. "Every user is affected," he said.

He also advised that the DNS updates tackled important server flaws that would be less prevalent in enterprise systems, but would be no less damaging if successfully exploited.

Miya Knights
