Microsoft plugs critical Exchange, IE holes
Hackers can trigger 'blatant' Exchange bug just by sending malicious e-mail
The most serious of the flaws is a bug in Exchange that attackers can trigger simply by sending a specially crafted message to a company's mail server.
In today's four security updates, Microsoft delivered fixes for the three critical flaws, as well as patches for five additional bugs it pegged as "important," the second-highest threat level in the company's four-step scoring system.
Several researchers put the Exchange update, MS09-003, at the top of their list because of the likely attack vector. According to Microsoft, the critical Exchange vulnerability can be exploited when a user "opens or previews a specially crafted e-mail message sent in TNEF format or when the Microsoft Exchange Server Information Store processes the specially crafted message."
TNEF, for Transport Neutral Encapsulation Format, is a proprietary e-mail attachment format used by Microsoft's popular Outlook e-mail client as well as Exchange.
Andrew Storms, director of security operations at nCircle Network Security Inc., agreed. "What we're seeing here is that you can send a message and take control of an Exchange server," said Storms. "I don't remember an Exchange vulnerability that's quite so blatant. The functionality that the server provides is the way that you attack the system."
Attackers would love to get their hands on corporate mail servers, both researchers said. "So much intellectual property and confidential information is passed around via e-mail," said Storms, who suggested that the potential rewards of hacking into a mail server would tempt criminals immediately. "All the smart minds will start looking at this."
"In addition to snooping corporate secrets, [a compromised Exchange server] can be used as a launch pad for attacks against other servers in the enterprise," Rohit Dhamankar, director of 3Com Corp.'s TippingPoint DVLabs, noted in an e-mail today.
On the plus side, said Storms, is Microsoft's exploitability rating for the Exchange bug. Because the company labeled it as "Inconsistent exploit code likely," Storms said, enterprises might have some breathing room. "Attackers might not be so quick to come up with an exploit," he said, "so we may have a little window here before having to patch."
The second critical update, MS09-002, patches a pair of vulnerabilities in IE7, Microsoft's current production browser and supposedly its most secure. The two flaws -- one in IE7's handling of Cascading Style Sheets (CSS), the other a memory corruption vulnerability -- likely cropped up in the browser when Microsoft rewrote sections of its older IE6, said Storms and Kandek.
"This is another head-scratcher," said Storms. "Why is it IE7 only? What did they introduce or miss? You would have thought that [IE7] would have been fully tested, so the answer may be in what they rewrote."
"This should be patched immediately," added Kandek. "I cannot imagine anything breaking by patching IE."
As expected, the SQL Server update patched a vulnerability that Microsoft acknowledged in December 2008 -- before admitting a few days later that it had been working on the flaw since April, when an Austrian security researcher first reported it. The researcher, Bernhard Mueller of SEC Consult Security, eventually went public with his findings after he was ignored by Microsoft.
"It's still interesting," said Storms of the SQL Server fix, "just not nearly as interesting now that we know what else was patched today."
The fourth update fixes three separate flaws in the file formats parsed by Visio, the diagramming application that's part of the Office family. Microsoft rated MS09-005 as "important."
"The Exchange [update] is the most serious," said Qualys' Kandek. "Patch that first. And if you cannot [patch], go into your attachment manager and filter attachments there."
"Don't sit on the couch for this one," echoed Storms.
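Kandek's fallback advice above is to filter the attachment type at the mail boundary until the Exchange patch is in. As an added example that is not part of the Computerworld article or of any Microsoft tooling, the following Python filter flags TNEF attachments (the `winmail.dat` container) on three independent signals: the declared `application/ms-tnef` content type, the conventional filename, and the TNEF file signature `0x223E9F78` (stored little-endian, so the first four bytes are `78 9F 3E 22`). Checking the signature catches a TNEF blob even when it has been renamed or mislabelled. The helper names and the sample messages are my own constructions.

```python
import email
from email import policy
from email.message import EmailMessage

# TNEF files begin with the 32-bit signature 0x223E9F78, written little-endian.
TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"
TNEF_CONTENT_TYPE = "application/ms-tnef"
TNEF_FILENAME = "winmail.dat"


def tnef_indicators(part):
    """Return the list of reasons a single MIME part looks like TNEF.

    An empty list means the part is not TNEF by any of the three signals.
    """
    reasons = []
    if part.get_content_type().lower() == TNEF_CONTENT_TYPE:
        reasons.append("content-type")
    filename = part.get_filename()
    if filename and filename.lower() == TNEF_FILENAME:
        reasons.append("filename")
    # decode=True undoes base64/quoted-printable so we inspect the raw bytes.
    payload = part.get_payload(decode=True)
    if payload and payload[:len(TNEF_SIGNATURE)] == TNEF_SIGNATURE:
        reasons.append("signature")
    return reasons


def find_tnef_attachments(raw_message: bytes):
    """Parse a raw RFC 5322 message and return [(filename, reasons), ...]
    for every leaf part that matches at least one TNEF indicator."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        reasons = tnef_indicators(part)
        if reasons:
            findings.append((part.get_filename(), reasons))
    return findings


def build_sample(filename, content_type, payload):
    """Construct a test message with one attachment (constructed sample data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    maintype, subtype = content_type.split("/")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "labelled TNEF": build_sample("winmail.dat", TNEF_CONTENT_TYPE,
                                      TNEF_SIGNATURE + b"\x00" * 16),
        # Renamed and mislabelled: only the signature check catches it.
        "disguised TNEF": build_sample("report.bin", "application/octet-stream",
                                       TNEF_SIGNATURE + b"\x00" * 16),
        "plain PDF": build_sample("report.pdf", "application/pdf",
                                  b"%PDF-1.4\n"),
    }
    for label, raw in samples.items():
        print(label, "->", find_tnef_attachments(raw))
```

A gateway filter built on this would quarantine a message on any non-empty result rather than on the filename alone; the "disguised TNEF" sample shows why the byte signature matters. Filtering TNEF also blocks Outlook rich-text features carried the same way, so the scope of the rule should be decided before it is deployed.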
February's four security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
Read more about Security in Computerworld's Security Topic Center.