Microsoft IT Security Bulletins
MS08-040 – Important: Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203) - Version:1.5
Severity Rating: Important - Revision Note: V1.5 (July 23, 2008): Added removal information notes for Microsoft SQL Server 2000 Desktop Engine (WMSDE) and Windows Internal Database (WYukon) to clarify that removing this security update for WMSDE or WYukon will also completely remove the instance of WMSDE or WYukon from the system. Summary: This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
MS08-037 – Important: Vulnerabilities in DNS Could Allow Spoofing (953230) - Version:2.1
Severity Rating: Important - Revision Note: V2.1 (July 23, 2008): Affected Software table revised to add MS06-064, MS07-062, and MS08-001 as bulletins replaced by this update. Summary: This security update resolves two privately reported vulnerabilities in the Windows Domain Name System (DNS) that could allow spoofing. These vulnerabilities exist in both the DNS client and DNS server and could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s own systems.
MS08-040 – Important: Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203) - Version:1.4
Severity Rating: Important - Revision Note: V1.4 (July 18, 2008): Corrected the list of valid product instance names in the Microsoft SQL Server 2000 Desktop Engine (WMSDE) subsection under the Security Update Information section. Also added entry to the Frequently Asked Questions (FAQ) Related to This Security Update to communicate a detection change in the way that Windows Server Update Services (WSUS) offers the update for Microsoft SQL Server 2000 Desktop Engine (WMSDE). Summary: This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
Microsoft Security Bulletin Summary for June 2008
Revision Note: V2.0 (July 16, 2008): Added DirectX 9.0a as affected software for MS08-033. Summary: This bulletin summary lists security bulletins released for June 2008.
MS08-040 – Important: Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203) - Version:1.3
Severity Rating: Important - Revision Note: V1.3 (July 16, 2008): Updated the applicable software under the “Windows Server Update Services” heading in the section, Detection and Deployment Tools and Guidance. Summary: This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
MS08-039 – Important: Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747) - Version:1.2
Severity Rating: Important - Revision Note: V1.2 (July 16, 2008): Added Microsoft Exchange Server 2000 Service Pack 3 as non-affected software. Also provided links to additional information on Outlook Web Access Light and Outlook Web Access Premium in the Mitigating Factors sections. Finally, updated the applicable software under the “Windows Server Update Services” heading in the section, Detection and Deployment Tools and Guidance. Summary: This security update resolves two privately reported vulnerabilities in Outlook Web Access (OWA) for Microsoft Exchange Server. An attacker who successfully exploited these vulnerabilities could gain access to an individual OWA client’s session data, allowing elevation of privilege. The attacker could then perform any action the user could perform from within the individual client’s OWA session.
MS08-033 – Critical: Vulnerabilities in DirectX Could Allow Remote Code Execution (951698) - Version:2.0
Severity Rating: Critical - Revision Note: V2.0 (July 16, 2008): Added DirectX 9.0a as affected software. Summary: This security update resolves two privately reported vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
MS08-028 – Important: Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution (950749) - Version:1.3
Severity Rating: Critical - Revision Note: V1.3 (July 16, 2008): Removed link to Microsoft Knowledge Base Article 950749 under Known Issues in the Executive Summary. Summary: This security update resolves a security vulnerability in the Microsoft Jet Database Engine (Jet) in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Security Bulletin Summary for December 2007
Revision Note: V2.0 (July 16, 2008): Bulletin updated to reflect changes to the affected software of MS07-064 bulletin. Summary: This bulletin summary lists security bulletins released for December 2007.
MS07-064 – Critical: Vulnerabilities in DirectX Could Allow Remote Code Execution (941568) - Version:3.0
Severity Rating: Critical - Revision Note: V3.0 (July 16, 2008): Bulletin updated to reflect that the update for DirectX 9.0 also applies to DirectX 9.0a. Summary: This critical security update resolves two privately reported vulnerabilities in Microsoft DirectX. These vulnerabilities could allow code execution if a user opened a specially crafted file used for streaming media in DirectX. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Security Advisory (954960): Microsoft Windows Server Update Services (WSUS) Blocked from Deploying Security Updates
Revision Note: July 16, 2008: Updated the example workaround steps for running the update to Windows Server Update Services 3.0 Service Pack 1 on Windows Server 2008 as an administrator. Summary: Microsoft has completed the investigation into public reports of a non-security issue that prevents the distribution of any updates deployed through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1 to client systems that have Microsoft Office 2003 installed in their environment. Microsoft confirmed those reports and has released an update to correct this issue under Microsoft Knowledge Base Article 954960. Microsoft encourages customers affected by this issue to review and install this update.
MS08-040 – Important: Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203) - Version:1.2
Severity Rating: Important - Revision Note: V1.2 (July 11, 2008): Added entry to the Frequently Asked Questions (FAQ) Related to This Security Update to communicate that the Known issues with this security update section in the associated Microsoft Knowledge Base Article 948110 has been updated. Summary: This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
MS08-037 – Important: Vulnerabilities in DNS Could Allow Spoofing (953230) - Version:2.0
Severity Rating: Important - Revision Note: V2.0 (July 10, 2008): Bulletin revised to inform users of ZoneAlarm and Check Point Endpoint Security of an Internet connectivity issue detailed in the section, Frequently Asked Questions (FAQ) Related to this Security Update. The revision did not change the security update files in this bulletin, but users of ZoneAlarm and Check Point Endpoint Security should read the FAQ entries for guidance. Summary: This security update resolves two privately reported vulnerabilities in the Windows Domain Name System (DNS) that could allow spoofing. These vulnerabilities exist in both the DNS client and DNS server and could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s own systems.
Microsoft Security Advisory (954960): Microsoft Windows Server Update Services (WSUS) Blocked from Deploying Security Updates
Revision Note: July 10, 2008: Advisory updated to reflect specific installation and uninstallation procedures for the update for Windows Server Update Services running on Windows Server 2008. Summary: Microsoft has completed the investigation into public reports of a non-security issue that prevents the distribution of any updates deployed through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1 to client systems that have Microsoft Office 2003 installed in their environment. Microsoft confirmed those reports and has released an update to correct this issue under Microsoft Knowledge Base Article 954960. Microsoft encourages customers affected by this issue to review and install this update.
MS08-040 – Important: Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203) - Version:1.1
Severity Rating: Important - Revision Note: V1.1 (July 9, 2008): Removed erroneous references to SQL Server 2005 Service Pack 1 in the MBSA and SMS Detection and Deployment tables. Also clarified permissions requirements for vulnerability mitigating factors. Summary: This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
MS08-039 – Important: Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747) - Version:1.1
Severity Rating: Important - Revision Note: V1.1 (July 9, 2008): Changed the information reference link for OWA Premium in the Mitigating Factors sections for both vulnerabilities. Summary: This security update resolves two privately reported vulnerabilities in Outlook Web Access (OWA) for Microsoft Exchange Server. An attacker who successfully exploited these vulnerabilities could gain access to an individual OWA client’s session data, allowing elevation of privilege. The attacker could then perform any action the user could perform from within the individual client’s OWA session.
Microsoft Security Advisory (954960): Microsoft Windows Server Update Services (WSUS) Blocked from Deploying Security Updates
Revision Note: July 9, 2008: Advisory updated to reflect availability of fix. Summary: Microsoft has completed the investigation into public reports of a non-security issue that prevents the distribution of any updates deployed through Microsoft Windows Server Update Services 3.0 or Microsoft Windows Server Update Services 3.0 Service Pack 1 to client systems that have Microsoft Office 2003 installed in their environment. Microsoft has confirmed those reports and has released an update to correct this issue under Microsoft Knowledge Base Article 954960. Microsoft encourages customers affected by this issue to review and install this update.
Microsoft Security Bulletin Summary for July 2008
Revision Note: Bulletin Summary published. Summary: This bulletin summary lists security bulletins released for July 2008.
MS08-040 – Important: Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203) - Version:1.0
Severity Rating: Important - Revision Note: Bulletin published. Summary: This security update resolves four privately disclosed vulnerabilities. The more serious of the vulnerabilities could allow an attacker to run code and to take complete control of an affected system. An authenticated attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
MS08-039 – Important: Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747) - Version:1.0
Severity Rating: Important - Revision Note: Bulletin published. Summary: This security update resolves two privately reported vulnerabilities in Outlook Web Access (OWA) for Microsoft Exchange Server. An attacker who successfully exploited these vulnerabilities could gain access to an individual OWA client’s session data, allowing elevation of privilege. The attacker could then perform any action the user could perform from within the individual client’s OWA session.


