Microsoft plugs critical Exchange, IE holes
Hackers can trigger 'blatant' Exchange bug just by sending malicious e-mail
The most serious of the flaws is a bug in Exchange that attackers can trigger simply by sending a specially crafted message to a company's mail server.
In today's four security updates, Microsoft delivered fixes for the three critical flaws, as well as patches for five additional bugs it pegged as "important," the second-highest threat level in the company's four-step scoring system.
Several researchers put the Exchange update, MS09-003, at the top of their list because of the likely attack vector. According to Microsoft, the critical Exchange vulnerability can be exploited when a user "opens or previews a specially crafted e-mail message sent in TNEF format or when the Microsoft Exchange Server Information Store processes the specially crafted message."
TNEF, for Transport Neutral Encapsulation Format, is a proprietary e-mail attachment format used by Microsoft's popular Outlook e-mail client as well as Exchange.
Andrew Storms, director of security operations at nCircle Network Security Inc., agreed. "What we're seeing here is that you can send a message and take control of an Exchange server," said Storms. "I don't remember an Exchange vulnerability that's quite so blatant. The functionality that the server provides is the way that you attack the system."
Attackers would love to get their hands on corporate mail servers, both researchers said. "So much intellectual property and confidential information is passed around via e-mail," said Storms, who suggested that the potential rewards of hacking into a mail server would tempt criminals immediately. "All the smart minds will start looking at this."
"In addition to snooping corporate secrets, [a compromised Exchange server] can be used as a launch pad for attacks against other servers in the enterprise," Rohit Dhamankar, director of 3Com Corp.'s TippingPoint DVLabs, noted in an e-mail today.
On the plus side, said Storms, is Microsoft's exploitability rating for the Exchange bug. Because the company labeled it as "Inconsistent exploit code likely," Storms said, enterprises might have some breathing room. "Attackers might not be so quick to come up with an exploit," he said, "so we may have a little window here before having to patch."
The second critical update, MS09-002, patches a pair of vulnerabilities in IE7, Microsoft's current production browser and supposedly its most secure. The two flaws -- one in IE7's handling of Cascading Style Sheets (CSS), the other a memory corruption vulnerability -- likely cropped up in the browser when Microsoft rewrote sections of its older IE6, said Storms and Kandek.
"This is another head-scratcher," said Storms. "Why is it IE7 only? What did they introduce or miss? You would have thought that [IE7] would have been fully tested, so the answer may be in what they rewrote."
"This should be patched immediately," added Kandek. "I cannot imagine anything breaking by patching IE."
As expected, the SQL Server update patched a vulnerability that Microsoft acknowledged in December 2008 -- before admitting a few days later that it had been working on the flaw since April, when an Austrian security researcher first reported it. The researcher, Bernhard Mueller of SEC Consult Security, eventually went public with his findings after he was ignored by Microsoft.
"It's still interesting," said Storms of the SQL Server fix, "just not nearly as interesting now that we know what else was patched today."
The fourth update fixes three separate flaws in the file formats parsed by Visio, the diagramming application that's part of the Office family. Microsoft rated MS09-005 as "important."
"The Exchange [update] is the most serious," said Qualys' Kandek. "Patch that first. And if you cannot [patch], go into your attachment manager and filter attachments there."
"Don't sit on the couch for this one," echoed Storms.
February's four security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts