Update: Microsoft goes all-critical to patch 19 bugs

Apply the Exchange flaw fix first, say researchers

In a set of seven security bulletins that one researcher called "amazing" because all were tagged critical, Microsoft Corp. yesterday patched 19 separate vulnerabilities, including three zero-day bugs already known to attackers.

But it was the update for Microsoft Exchange, the company's popular e-mail server software, that caught analysts' attention. "All an attacker needs to do is send a malformed e-mail [attachment] to the server to exploit this," said Minoo Hamilton, senior security researcher with nCircle Network Security Inc. He recommended that administrators put the MS07-026 update at the top of the slate. "An exploit looks trivial at this point, which might mean the [patching] window is even smaller than usual."

Tom Cross, a researcher with IBM Internet Security Systems Inc.'s X-Force, called the four-vulnerability Exchange update the "most significant this month. Considering the level of privilege an attacker can gain through this vulnerability, I would not be surprised to see public exploitation very soon," Cross said in an e-mail.

Patching is the only defense; Microsoft did not offer any workarounds that could protect against attack while the fix is tested.

"Exchange servers are the last things you want to patch," said Hamilton, noting the mission-critical role that e-mail serves. One bright spot for pressed IT administrators: Microsoft's bulletin said that in most cases updated Exchange servers won't need to be rebooted.

Other updates unveiled yesterday include three for Microsoft Office (which patch seven vulnerabilities), one for Internet Explorer (patching six vulnerabilities), one for the CAPICOM encryption component (one vulnerability), and one for Windows Server 2000/2003 (one vulnerability).

Three of the vulnerabilities in the batch had already been disclosed, and two had already been exploited. The latter include a Domain Name Server (DNS) vulnerability in the Windows Server line and a bug in Word. The fix for the DNS flaw was expected, since Microsoft's security group had promised the fix after botworms started sniffing for vulnerable servers. The Word patch -- one of three for Word, one of seven for Office as a whole -- fixes a bug exploited for at least three months. Neither that Word patch nor the other two affected the new Word 2007, however.

But Office 2007 didn't escape unscathed. One of three Excel patches and a fix for an Office-wide issue affected the new suite. This was the first time that Office 2007 has had to be patched since its Jan. 30 general release.

Windows Vista, however, which has been fixed before, needed patching again. Internet Explorer 7 (IE7), the updated and supposedly more-secure browser released last year, was patched to plug six bugs. Five affected Vista's edition of IE7, with two of those judged critical because they could be used to hijack a PC simply by enticing users to a malicious Web site.

The all-critical set of bulletins was unusual enough to warrant comment from several researchers. nCircle's Hamilton, for instance, called it "amazing." And of the 19 patches total, 14 were classified as critical. "That's spectacular as far as so many critical," Hamilton said. "And they're in the [enterprise] core server infrastructure, Exchange and Server."

This month's collection again shows that Microsoft's Security Development Lifecycle (SDL), an aggressive initiative by the company to produce more secure code in its software, hasn't put an end to bugs, said researchers. "An interesting trend in today's release was that Microsoft 2007 software, including Exchange and Office, continue to come up vulnerable, demonstrating that the SDL is not infallible," said Amol Sarwate, vulnerability lab manager for Qualys Inc. Office 2007 and Exchange 2007 were, like Vista, developed under the SDL program.

And sometimes Microsoft just can't seem to get a break, no matter how hard it tries, said Hamilton. He pointed to the update to CAPICOM, an encryption component used by some Web developers and in Microsoft's own BizTalk Server 2004. "They tried to make things more secure, but they wrapped it in an ActiveX control," said Hamilton. According to the MS07-028 bulletin, the flawed code is in the CAPICOM.Certificate ActiveX control. "ActiveX remains an Achilles' heel for Microsoft."

Copyright © 2007 IDG Communications, Inc.
