Microsoft plans critical patches for IE, Exchange

Computerworld - Microsoft Corp. today said it will deliver four security updates on Tuesday, two of them pegged "critical," and will finally issue a patch for SQL Server that it's been working on since last April.

The four updates detailed in the advance notice published today will quash bugs in Internet Explorer 7 (IE7); its Exchange mail server software; the Visio application that's part of the Office lineup; and SQL Server. The IE and Exchange vulnerabilities will be labeled critical, the company's highest threat ranking, while the SQL Server and Visio bugs will be marked as "important," one step lower.

Microsoft will release the updates on Feb. 10.

The SQL Server update will fix the vulnerability Microsoft acknowledged in late December 2008, said Andrew Storms, director of security operations at nCircle Network Security Inc. "I did a lineup between the advisory with the affected versions of SQL Server," he said Thursday morning. "It's almost a one-for-one match."

That bug is notable for several reasons. When Micosoft confirmed the vulnerability in a Dec. 22 advisory, it noted that exploit code had been published. Several days later, the company admitted that it first received a report on the bug from Bernhard Mueller of SEC Consult Security, a Vienna-based security consulting company, in April 2008.

Mueller disclosed the bug in early December after he grew tired of Microsoft's silence; he claimed that the company failed to return numerous messages in the two months prior when he asked for an update on the patch's progress.

Some security analysts had expected Microsoft to act faster. In late December, for example, Wolfgang Kandek, chief technology officer at security company Qualys Inc., predicted that Microsoft would deliver a fix "out of band," a term used when patches are issued outside Microsoft's normal once-a-month schedule.

"Three of these are all equally important, at least with the information we have today," Storms said about the IE, Exchange and SQL Server patches. "It all depends on an enterprise's infrastructure."

Companies are always sensitive to Exchange fixes, Storms continued, so the critical fix set for Exchange Server 2000, 2003 and 2007 will be parsed carefully. "Messaging is so important to the enterprise," Storms said, "that they'll want to spend a little extra time making sure the patch works." One plus, he said, is a "Does not require restart" note by Microsoft in today's bulletin.

"That could mean it's not necessarily a giant hole, or that we're just going to get lucky," said Storms. Because they won't have to restart their Exchange servers, IT administrators should be able to deploy the patch more quickly, he said.

"The IE vulnerability has to be something unique to IE7," wagered Storms. According to Microsoft, the critical vulnerability affects only that version of the browser, not IE6 or IE5.01, the latter edition specific to Windows 2000, and the oldest browser that the company still supports with security updates. Storms hesitated to guess what IE7-only issue might be patched. "It could be any number of things," he said. "Could be scripting or the antiphishing filter."

Microsoft's advance notice reported that the IE7 bug will be rated critical for both Windows XP and Windows Vista, but only "moderate" on Server 2003 and Server 2008.

Microsoft will release February's four updates at approximately 1 p.m. EST Tuesday.

Read more about security in Computerworld's Security Knowledge Center.