On July 8, 2008, Microsoft released a total of four security bulletins plugging holes in both its Windows operating systems and its Server products. Even the latest versions of the supported Windows clients, namely Windows Vista Service Pack 1 and Windows XP Service Pack 3, are affected. However, the Redmond giant labeled all the patches issued in July with a maximum severity rating of Important, on a scale where the highest risk is associated with the Critical level.
"The July 2008 release contains 4 new bulletins, all with maximum severities of 'Important'.
MS08-037: Vulnerabilities in DNS Could Allow Spoofing (953230).
MS08-038: Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582).
MS08-039: Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747).
MS08-040: Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)," revealed the Release Manager for the Microsoft Security Response Center.
The four security bulletins are designed to patch no less than nine vulnerabilities. Four security holes affect various versions of SQL Server, including Windows components such as Windows Internal Database (Wyukon), and can allow an attacker to gain elevated privileges. In this context, the list of affected software is not limited to SQL Server, but extends to operating systems such as Windows 2000, Windows Server 2003, and Windows Server 2008 (with the exception of the Server Core installation). Successful exploitation of the two vulnerabilities in Outlook Web Access for Exchange Server can likewise result in elevation of privilege.
Two security flaws in Windows Domain Name System (DNS) permit spoofing if exploited; only 32-bit and 64-bit Windows Vista SP1 along with Windows Server 2008 for Itanium-based Systems are not affected. "The security update addresses the vulnerabilities by using strongly random DNS transaction IDs, using random sockets for UDP queries, and updating the logic used to manage the DNS cache," Microsoft informed.
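A defender can verify that a resolver actually exhibits the two properties the update introduces (unpredictable transaction IDs and varying UDP source ports) by sampling its outbound queries. The following is an added example, not part of the article or of Microsoft's bulletin; the (txid, source_port) samples are constructed in the script rather than captured from real traffic, and the 8-bit entropy floor is an assumed threshold sized for a few hundred observed queries.

```python
"""Sanity-check DNS resolver transaction-ID and source-port randomisation."""
import math
import random
from collections import Counter


def shannon_entropy_bits(values):
    """Empirical Shannon entropy (bits) of a sample of values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_sequential(values, tolerance=0.9):
    """True if most consecutive 16-bit values differ by +1 (a predictable counter)."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1) >= tolerance


def assess_queries(queries, min_bits=8.0):
    """queries: list of (txid, source_port) for outbound queries of one resolver.

    Returns entropy estimates plus a verdict: 'weak' when either field is
    predictable (sequential or near-constant), 'ok' otherwise. Empirical
    entropy is capped by log2(sample size), so min_bits is a floor that a
    healthy sample of a few hundred queries comfortably exceeds (assumption)."""
    txids = [q[0] for q in queries]
    ports = [q[1] for q in queries]
    report = {
        "txid_bits": shannon_entropy_bits(txids),
        "port_bits": shannon_entropy_bits(ports),
        "txid_sequential": looks_sequential(txids),
        "distinct_ports": len(set(ports)),
    }
    weak = (report["txid_sequential"] or report["txid_bits"] < min_bits
            or report["port_bits"] < min_bits)
    report["verdict"] = "weak" if weak else "ok"
    return report


# Constructed samples (not captured traffic): a resolver using a TXID counter and
# one fixed socket, versus one using random TXIDs and random ephemeral ports.
rng = random.Random(1)
FIXED_PORT_QUERIES = [((1000 + i) & 0xFFFF, 1053) for i in range(500)]
RANDOM_QUERIES = [(rng.randrange(65536), rng.randrange(49152, 65536)) for _ in range(500)]

if __name__ == "__main__":
    for name, sample in (("fixed-port", FIXED_PORT_QUERIES), ("randomised", RANDOM_QUERIES)):
        print(name, assess_queries(sample))
```

On a real server the tuples would come from a packet capture of queries the resolver sends upstream; a "weak" verdict on a patched host is worth investigating.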
All editions of Windows Vista SP1 along with Windows Server 2008 (both x86 and x64) are instead impacted by a patch set up to resolve a vulnerability in Windows Explorer which puts users at risk of remote code execution. The flaw, related to maliciously crafted saved-search files, is the only one of the nine vulnerabilities that was not privately reported to the Redmond giant.
"If you have the Windows Internal Database (Microsoft Windows 2003 or Microsoft Windows 2008) installed or enabled without SQL Server 2005 SP2 and you have opted into Microsoft Update, the SQL Server 2005 Service Pack 2 update may be offered incorrectly and fail to install. The Windows Internal Database will be updated as expected, since the Windows Internal Database update is also offered. Microsoft is working on resolving this issue and will be updating the detection logic to avoid the incorrect offering," the MSRC Release Manager added.