Microsoft released six patches covering 11 vulnerabilities on July's monthly Patch Tuesday, including "critical" fixes impacting Active Directory on Windows 2000 and 2003 Server and its .Net Framework products. In all, Microsoft rated eight of the 11 vulnerabilities as critical.
The Active Directory and .Net Framework vulnerabilities have the potential to significantly harm enterprise systems, noted Eric Shultze, the chief security architect at Shavlik Technologies. The Active Directory vulnerability is particularly dangerous because it "can allow any user on the network to take over a domain controller," he said.
It does so "by leveraging a problem in LDAP turned on by default" by Microsoft in Windows 2000 and 2003 Server systems, he added. It's "critical" because it could allow an attacker to take over a domain controller and gain access to every user name and password on the system, he said.
That would include discovering the master password for the security controller, Shultze said. "This is the crown jewel" of a Microsoft-based domain and should be fixed ASAP, he added. If an enterprise "loses control of the domain controller, there's no sense in patching the others, because the attacker now has you."
IBM X-Force researcher Neel Mehta discovered the Active Directory flaw in July, 2007.
The .Net Framework vulnerability has the potential to affect a broad range of applications on all of Microsoft's Windows platforms, said Don Leatham, director of business development for PatchLink. "It's such a pervasive part of Microsoft technology," he said, noting that it is used as the foundation for internal applications in many organisations as well as for commercial shrink-wrapped applications.
"Because so many businesses use .Net Framework to develop business applications, both software-development and operations teams must patch their systems," said Andrew Storms, director of security operations at nCircle.
Although Microsoft rated MS07-041 as "important," Shultze called the vulnerability critical. "Microsoft says because IIS is not installed by default - you have to go out of your way to run it - it's not critical," he explained. "But it is if you have a web server on XP because a remote attacker can send one URL and can gain complete access to the XP machine."
The final Microsoft-labeled "critical" patch involves a flaw in Excel. Opening an Excel file with malicious code on an unpatched Windows PC could allow a remote user to hijack the system via a buffer overflow.
Microsoft also patched a flaw in a process called "Teredo," which manages IPv6 and IPv4 bridging. The flaw can open a hole in the Windows Vista firewall in the presence of a malicious URL, according to Shultze.