Three Important Windows Security Bulletins; One Affects SQL Server
Severity: Medium
8 July, 2008
Summary:
§ These vulnerabilities affect: All versions of Windows; also SQL Server
§ How an attacker exploits them: Multiple vectors of attack, including sending specially crafted network traffic or enticing your users into downloading and opening malicious files
§ Impact: Various results; in the worst case, attacker can gain complete control of your Windows computer
§ What to do: Install the appropriate Microsoft patches immediately
Exposure:
Today, Microsoft released four security bulletins describing vulnerabilities that affect Windows and components shipping with it. One of the bulletins also affects SQL Server. Each vulnerability affects different versions of Windows to a different extent; a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PCs. The summary below lists the vulnerabilities in order from highest to lowest severity.
MS08-040: Four SQL Server and Windows SQL Server component vulnerabilities
All server versions of Windows ship with a SQL Server component, called either the Windows Microsoft SQL Server Desktop Engine (WMSDE) or the Windows Internal Database (WYukon). Unfortunately, both SQL Server and its Windows components suffer from four security vulnerabilities. Three of the vulnerabilities differ technically, but share the same general characteristics: By executing specially crafted SQL queries, an authenticated attacker can exploit these vulnerabilities to execute code on your Windows server, gaining complete control of it. Note, however, that only authenticated SQL attackers can exploit these vulnerabilities. If the attacker can’t obtain valid credentials on your SQL Server (even low-privileged credentials would do), he cannot leverage this attack. The remaining information disclosure vulnerability allows a fairly privileged SQL user to gain access to customer data. It poses less risk than the three code execution flaws described above.
Microsoft rating: Important.
MS08-037: Windows DNS spoofing and poisoning vulnerabilities
All versions of Windows ship with a DNS client. The server versions of Windows also ship with a DNS server. According to Microsoft’s bulletin, both of these Windows DNS components suffer from vulnerabilities that can allow an attacker to redirect your users’ Internet traffic from legitimate web sites to malicious ones. The vulnerabilities differ technically, but an attacker triggers them in a similar manner: By sending your DNS server specially crafted DNS queries or responses, an attacker could poison its cache with arbitrary IP addresses, thus forcing your users to visit arbitrary malicious web sites. An attacker might leverage this kind of DNS cache poisoning attack to force your users to visit a malicious drive-by download site. Note: These vulnerabilities are part of a recently disclosed set of common deficiencies in the DNS protocol that allow for DNS cache poisoning. Many vendors’ products and devices also suffer from these flaws. We will post more about these overarching DNS vulnerabilities in another alert.
Microsoft rating: Important.
MS08-038: Windows Explorer saved-search vulnerability
Windows Explorer is the application that provides a graphical user interface (GUI) for your file system. Windows Explorer ships with a useful Windows Search add-in, which makes it easy for you to find specific files or folders on your system. Windows Search suffers from an unspecified vulnerability involving its inability to properly parse saved-search files. By enticing one of your users into downloading and opening a saved-search file, an attacker could exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have administrative privileges, the attacker could exploit this to gain complete control of their machines. However, we believe that few users actually use saved-search files. Thus, most users probably wouldn’t fall for this sort of attack.
Microsoft rating: Important.
Solution Path:
Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.
Note: Microsoft no longer officially supports Windows NT 4.0, 98, ME or XP with SP1. If you manage any of these operating systems, Microsoft suggests that you migrate to supported versions in order to prevent potential exposure to vulnerabilities. You can learn more about Microsoft’s extended security update support at its Product Support Services Web site.
§ For Windows 2000
  § Windows Microsoft SQL Server 2000 Desktop Engine (WMSDE)
§ For Windows 2003 (32-bit or x64)
  § Windows Microsoft SQL Server 2000 Desktop Engine (WMSDE)
  § Windows Internal Database (WYukon) Service Pack 2
§ For Windows 2008 (32-bit or x64)
  § Windows Internal Database (WYukon) Service Pack 2
§ For SQL Server and related components
  § SQL Server 7.0 and Microsoft Data Engine (MSDE) 1.0 [ GDR / QFE ]
  § SQL Server 2000 (all versions) and Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) [ GDR / QFE ]
  § SQL Server 2005 (all versions) [ GDR / QFE ]
Note: For the differences between GDR and QFE releases, see this Microsoft blog post
§ For Windows 2000 Server
§ For Windows XP
§ For Windows XP x64
§ For Windows Server 2003
§ For Windows Server 2003 x64
§ For Windows Server 2003 Itanium
§ For Windows Server 2008
§ For Windows Server 2008 x64
§ For Windows Server 2008 Itanium
For All WatchGuard Users:
WatchGuard Fireboxes, by default, reduce the risks presented by some of these vulnerabilities. However, attackers could exploit many of them locally, without passing traffic through your firewall. For that reason, we urge you to apply the patches above.
Status:
Microsoft has released patches correcting these issues.
References:
§ Microsoft Security Bulletin MS08-037
§ Microsoft Security Bulletin MS08-038
§ Microsoft Security Bulletin MS08-040