Microsoft issued four bulletins Tuesday, addressing critical flaws in Internet Explorer 7 and Exchange and holes in SQL Server and its Office Visio diagramming software.
The most serious holes in IE 7 and Exchange could be exploited remotely to gain access to critical files or conduct a denial-of-service attack.
Two holes in IE 7 allow an attacker to gain access to critical files or sensitive session data if a user views a specially crafted Web page. The browser has memory corruption issues when it attempts to access an object that has already been deleted, or when it processes Cascading Style Sheets (CSS), Microsoft said. The MS09-002 update affects IE 7 on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.
A remote code execution vulnerability and a denial-of-service flaw in Microsoft Exchange were addressed in MS09-003. The update is rated critical and affects Exchange 2000 Server, Exchange Server 2003 and Exchange Server 2007. Microsoft said an error exists in the way Exchange processes Rich Text Format (RTF) messages. To exploit the flaw, an attacker would have to send a malformed email to an Exchange server.
The flaw leaves a dangerous pathway that could be used by an attacker to look at email, find other holes that lead to database servers or other file servers or conduct network reconnaissance, said Wolfgang Kandek, chief technology officer of patch management vendor Qualys Inc.
"I would expect the attackers to work on an exploit right now," Kandek said.
As with most server-side patches, this one will be difficult for administrators to deploy, Kandek said. To install the latest patch, administrators must already have the latest service packs in place. Some administrators may decide instead to apply the workaround, which involves blocking the kind of attachment used to carry out the attack.
Microsoft issued a bulletin rated important for SQL Server, repairing a zero-day vulnerability it warned about in December. At the time, Microsoft acknowledged that exploit code had been published in the wild by Bernhard Mueller of SEC Consult Security, a Vienna-based security consulting company. The exploit code targeted an extended stored procedure flaw, allowing an authenticated user to increase their privileges and gain access to unauthorized files. A second mode of attack can be used by an unauthenticated attacker, who must first carry out a SQL injection attack against a flawed Web application. The MS09-004 update affects SQL Server 2000, SQL Server 2005 Service Pack 2, and Microsoft SQL Server 2000 Desktop Engine (WMSDE) on Windows 2000 and Windows Server 2003. Also affected is Windows Internal Database (WYukon) on Windows Server 2003 and Windows Server 2008.
Although the update is rated important, Shavlik CTO Eric Schultze said the overall impact on sensitive systems is critical. The flaw was already fixed in recent SQL Server service pack updates, but it's not uncommon for companies to delay the deployment of service packs, Schultze said.
Mueller published the exploit code for the flaw after being frustrated with Microsoft's response. He said he told Microsoft of his discovery last April and expected an update. When no update came by December, he published the code. Schultze called Mueller's decision to publish the exploit code irresponsible.
"He needlessly put people at risk, but what he did do is force Microsoft's hands to get a hot fix out," Schultze said.
Microsoft Office Visio, the software maker's diagramming software, contained three flaws that were patched Tuesday. Visio has a memory validation error when it validates object data while opening Visio files, and a memory corruption error when it copies object data in memory. MS09-005 addressed the vulnerabilities, which could be remotely exploited by an attacker who convinces a user to open an email attachment containing a malicious Visio file.
Schultze said he recommends handing the two client-side patches to the desktop team to install in the next update cycle or as they see fit. The two server patches should be addressed as soon as possible by the server maintenance team, he said.