Microsoft plugs critical Exchange, IE holes
Hackers can trigger 'blatant' Exchange bug just by sending malicious e-mail
The most serious of the flaws is a bug in Exchange that attackers can trigger simply by sending a specially crafted message to a company's mail server.
In today's four security updates, Microsoft delivered fixes for the three critical flaws, as well as patches for five additional bugs it pegged as "important," the second-highest threat level in the company's four-step scoring system.
Several researchers put the Exchange update, MS09-003, at the top of their list because of the likely attack vector. According to Microsoft, the critical Exchange vulnerability can be exploited when a user "opens or previews a specially crafted e-mail message sent in TNEF format or when the Microsoft Exchange Server Information Store processes the specially crafted message."
TNEF, for Transport Neutral Encapsulation Format, is a proprietary e-mail attachment format used by Microsoft's popular Outlook e-mail client as well as Exchange.
Andrew Storms, director of security operations at nCircle Network Security Inc., agreed. "What we're seeing here is that you can send a message and take control of an Exchange server," said Storms. "I don't remember an Exchange vulnerability that's quite so blatant. The functionality that the server provides is the way that you attack the system."
Attackers would love to get their hands on corporate mail servers, both researchers said. "So much intellectual property and confidential information is passed around via e-mail," said Storms, who suggested that the potential rewards of hacking into a mail server would tempt criminals immediately. "All the smart minds will start looking at this."
"In addition to snooping corporate secrets, [a compromised Exchange server] can be used as a launch pad for attacks against other servers in the enterprise," Rohit Dhamankar, director of 3Com Corp.'s TippingPoint DVLabs, noted in an e-mail today.
On the plus side, said Storms, is Microsoft's exploitability rating for the Exchange bug. Because the company labeled it as "Inconsistent exploit code likely," Storms said, enterprises might have some breathing room. "Attackers might not be so quick to come up with an exploit," he said, "so we may have a little window here before having to patch."
The second critical update, MS09-002, patches a pair of vulnerabilities in IE7, Microsoft's current production browser and supposedly its most secure. The two flaws -- one in IE7's handling of Cascading Style Sheets (CSS), the other a memory corruption vulnerability -- likely cropped up in the browser when Microsoft rewrote sections of its older IE6, said Storms and Kandek.
"This is another head-scratcher," said Storms. "Why is it IE7 only? What did they introduce or miss? You would have thought that [IE7] would have been fully tested, so the answer may be in what they rewrote."
"This should be patched immediately," added Kandek. "I cannot imagine anything breaking by patching IE."
As expected, the SQL Server update patched a vulnerability that Microsoft acknowledged in December 2008 -- before admitting a few days later that it had been working on the flaw since April, when an Austrian security researcher first reported it. The researcher, Bernhard Mueller of SEC Consult Security, eventually went public with his findings after he was ignored by Microsoft.
"It's still interesting," said Storms of the SQL Server fix, "just not nearly as interesting now that we know what else was patched today."
The fourth update fixes three separate flaws in the file formats parsed by Visio, the diagramming application that's part of the Office family. Microsoft rated MS09-005 as "important."
"The Exchange [update] is the most serious," said Qualys' Kandek. "Patch that first. And if you cannot [patch], go into your attachment manager and filter attachments there."
"Don't sit on the couch for this one," echoed Storms.
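As an added example (not from the article or from Microsoft), one way to act on the attachment-filtering advice above when the patch cannot be applied at once is to flag messages that carry TNEF parts for quarantine. It assumes the filter keys on the TNEF MIME types, the conventional `winmail.dat` filename and the TNEF signature 0x223E9F78; the function names and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

TNEF_MAGIC = bytes.fromhex("789f3e22")  # TNEF signature 0x223E9F78, little-endian
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}


def tnef_parts(raw: bytes):
    """Return a (reason, filename) pair for every MIME part that looks like TNEF."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == TNEF_MAGIC:
            hits.append(("magic", name))  # also catches mislabelled parts
        elif part.get_content_type() in TNEF_TYPES:
            hits.append(("content-type", name))
        elif name.lower() == "winmail.dat":
            hits.append(("filename", name))
    return hits


def verdict(raw: bytes) -> str:
    """Gateway decision: hold anything with a TNEF part until servers are patched."""
    return "quarantine" if tnef_parts(raw) else "deliver"


def sample(ctype: str, filename: str, data: bytes) -> bytes:
    """Build a constructed test message with one attachment (not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "constructed"
    m.set_content("body")
    maintype, subtype = ctype.split("/")
    m.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


SAMPLES = {  # constructed inputs; payloads are placeholders, not valid TNEF streams
    "outlook_rich_text": sample("application/ms-tnef", "winmail.dat", TNEF_MAGIC + b"\0" * 8),
    "mislabelled": sample("application/octet-stream", "report.bin", TNEF_MAGIC + b"\0" * 8),
    "type_only": sample("application/ms-tnef", "notes.dat", b"not-tnef"),
    "pdf": sample("application/pdf", "a.pdf", b"%PDF-1.4"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, verdict(raw), tnef_parts(raw))
```

Checking the leading bytes first means a TNEF stream sent under a generic content type and filename is still held.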
February's four security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.