Microsoft Patches 10 Vulnerabilities June Patch Tuesday Arrives with Seven Security Bulletins Sean Michael Kerner
Microsoft is out with its June Patch Tuesday vulnerability haul, this time issuing advisories on a range of technologies including Internet Explorer, Bluetooth, Microsoft Speech, DirectX, Windows Internet Name Service (WINS), and Pragmatic General Multicast (PGM) protocol.
Among the advisories labeled with the maximum severity of critical is MS08-31, which details a pair of vulnerabilities in Microsoft's Internet Explorer browser. One of them is titled "Request Header Cross-Domain Information Disclosure Vulnerability," and it could potentially have allowed an attacker to read a user's data.
According to Microsoft's advisory on the issue, "an attacker who successfully exploited this vulnerability could read data from a Web page in another domain in Internet Explorer."
Microsoft noted that some social engineering would be required for a user to be at risk from the vulnerability. The user would have to physically visit a Web site that hosted the malicious code in order to be at risk.
The second Internet Explorer vulnerability is titled "HTML Objects Memory Corruption Vulnerability" and could lead to arbitrary code execution on the user's PC.
"When Internet Explorer displays a Web page that contains certain unexpected method calls to HTML objects, it may corrupt memory in such a way that an attacker could execute arbitrary code," Microsoft stated in its advisory.
Also on the critical side are a pair of vulnerabilities in Microsoft's DirectX, which is core part of Windows multimedia handling infrastructure.
One the issues is a remote code execution vulnerability that could be trigged by viewing a malicious MJPEG file. The second DirectX issue is also a remote code execution risk, this time triggered by the way DirectX handles Synchronized Accessible Media Interchange (SAMI) file types.
Microsoft's advisory notes that "Microsoft Synchronized Accessible Media Interchange (SAMI) is a media format that allows a content developer to include captions with digital media files."
The Windows Internet Name Service (WINS) gets patched in the June update for a privilege escalation vulnerability.
"An elevation of privilege vulnerability exists in the Windows Internet Name Service (WINS) in the way that WINS does not sufficiently validate the data structures within specially crafted WINS network packets," Microsoft explained in its advisory.
"The vulnerability could allow a local attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An
attacker could then install programs; view, change, or delete date; or create new accounts."
Microsoft is also providing a patch in the June update for its Active Directory system. According to the advisory on the issue, the vulnerability is due to insufficient validation of specially crafted LDAP (define) requests. The issue could lead to a denial of service (DoS) condition or a system restart.
Among the fixes on this Patch Tuesday includes for a protocol that many have likely never heard of, let alone used.
There are two updates for security vulnerabilities in the Pragmatic General Multicast (PGM) protocol which could lead to a DoS condition.
"Only one engineer on our team had ever heard of it and he previously worked as a tester on the core network components team, a Microsoft spokesperson wrote on the Security Vulnerability Research and Defense blog. "PGM is a multicast transport protocol that guarantees reliable delivery from multiple sources to multiple receivers."
