Microsoft is out with its June Patch Tuesday vulnerability haul, this time issuing advisories on a range of technologies including Internet Explorer, Bluetooth, Microsoft Speech, DirectX, Windows Internet Name Service (WINS) and Pragmatic General Multicast (PGM) protocol.
Among the advisories labeled with the maximum severity of critical is MS08-31, which details a pair of vulnerabilities in Microsoft's Internet Explorer browser. One of them is titled, "Request Header Cross-Domain Information Disclosure Vulnerability" and it could potentially have allowed an attacker to read a user's data.
According to Microsoft's advisory on the issue, "an attacker who successfully exploited this vulnerability could read data from a Web page in another domain in Internet Explorer." Microsoft noted that some social engineering would be required for a user to be at risk from the vulnerability. The user would have to physically visit a Web site that hosted the malicious code in order to be at risk.
The second Internet Explorer vulnerability is titled "HTML Objects Memory Corruption Vulnerability" and could lead to arbitrary code execution on the user's PC.
"When Internet Explorer displays a Web page that contains certain unexpected method calls to HTML objects, it may corrupt memory in such a way that an attacker could execute arbitrary code," Microsoft stated in its advisory.
Also on the critical side are a pair of vulnerabilities in Microsoft's DirectX, which is a core part of the Windows multimedia handling infrastructure.
One of the issues is a remote code execution vulnerability that could be triggered by viewing a malicious MJPEG file. The second DirectX issue is also a remote code execution risk, this time triggered by the way DirectX handles Synchronized Accessible Media Interchange (SAMI) file types. Microsoft's advisory notes that, "Microsoft Synchronized Accessible Media Interchange (SAMI) is a media format that allows a content developer to include captions with digital media files."
The Windows Internet Name Service (WINS) gets patched in the June update for a privilege escalation vulnerability.