Microsoft on Tuesday released security updates that fix four critical vulnerabilities in Internet Explorer and Exchange Server that could allow an attacker to take control of an affected computer remotely.
Microsoft Security Bulletin MS09-002 plugs two critical holes in IE that could allow remote code execution if an IE user views a web page that has malicious code, according to Microsoft's notification.
"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," the bulletin said.
Security Bulletin MS09-003 fixes two critical vulnerabilities in Exchange Server. One could allow for remote code execution if a maliciously crafted TNEF (Transport Neutral Encapsulation Format) message is sent to an Exchange Server and could allow an attacker to take complete control of the system with Exchange Server service account privileges. The second hole could allow for a denial-of-service attack if a maliciously crafted MAPI (Messaging Application Programming Interface) command is sent to an Exchange Server.
Security Bulletin MS09-004 fixes an important remote-code execution vulnerability in SQL Server that could be exploited if untrusted users access an affected system or if an SQL injection attack occurs. The vulnerability was discovered in December.
Security Bulletin MS09-005 closes three important vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a maliciously crafted Visio file. An attacker could then steal data and make changes to accounts with full user rights.
The updates affect Internet Explorer 7, Windows XP Professional Edition, Windows Vista, Exchange 2000 Server, Exchange Server 2003 and 2007, SQL Server 2000 and 2005 and Office Visio 2002, 2003 and 2007.
Andrew Storms, director of security operations for security firm nCircle, predicted that while there were no known exploits for the Exchange vulnerability, attackers were likely to be working on them.
"All kinds of highly confidential and proprietary information pass through an Exchange server every day," he said in a statement. "Gaining control over it and its content would be a goldmine to any cybercriminal."
Meanwhile, the IE update is less critical because it requires action on the part of the user, Storms added.
As it always does, Microsoft had provided advance notification last week that it would have four security updates on Patch Tuesday.
Talkback
Of the critical updates, MS09-002 (Cumulative Security Update for Internet Explorer) is the most important to address for the following reasons:
· The remote-code-execution vulnerabilities exist in IE 7 on both Windows XP and Windows Vista – probably the most prevalent Windows configurations in use today.
· This update addresses two separate vulnerabilities that are rated a “1” on Microsoft’s exploitability index and are noted as “Consistent exploit code can be crafted easily.” Although there is no known exploit code available today, we expect it to be available soon.
· Browser vulnerabilities are especially popular with the hacker community to deliver blended attacks where a compromised browser is used to introduce additional malware onto the computer.
MS09-003 (Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution ) should also be looked at carefully. Microsoft Exchange handles sensitive and mission critical e-mail communication.
This vulnerability has the potential to be exploited by sending an e-mail:
The remote-code-execution vulnerability would allow any anonymous user to take full control over the exchange server and the system it resides on simply by sending a specially crafted e-mail.
A similar vulnerability in the past that involves TNEF.
http://www.microsoft.com/technet/security/bulletin/MS06-003.mspx It’s possible these are related.
The Exchange bulletin is a remote code executive, and as far as sensitive information and critical data are concerned, this has proven to be the easiest target for hackers to infiltrate. If the bad guys are able to compromise an organisation’s Exchange Server, then they will be able to intercept every email coming and going, essentially making it open to every corporation across the globe. Given the proximity of the Exchange Server to external data entering the network, organisations will want to deploy this update immediately. However, critical email services are often subject to change control processes that could make an urgent deployment a complex matter.
If this ends up being a Web-facing vulnerability, then it will be highly critical to patch as IT professionals constantly have to make sure these types of systems are patched and secure while running efficiently at the same time. Although the Exchange vulnerability is critical, organisations will want to read the details of the patch carefully in case there are any mitigating controls.