I can't believe it is February already. It seems like yesterday my family was opening Christmas presents among the plethora of activities that day: eating cinnamon rolls, keeping tabs on the turkey in the oven and trying to stay on schedule for our visit with family members on the other side of town. But wait, back to the presents -- my wife wanted the new DVD recorder set up before we left. After all, she couldn't miss her favorite show. To my dismay, the instruction manual was at least 25 pages long, and panic set in because I thought I would never get this done in time. To my surprise, I realized that I was sitting on the quick start instruction foldout. It took only a few steps and I was done in five minutes.
With this month's column, I will open the "foldout" to help you prioritize and deploy the bulletins to get you to a protected state quickly. While it's always essential to internalize any given bulletin(s), the brevity that I provide this month will help you in your risk assessment and deployment strategies. Moreover, it will also help you know which bulletins don't currently apply to your environment, but which may apply at some future date because of a product rollout/upgrade, consolidation of IT, etc.
As part of this monthly security bulletin release process, we released four security bulletins -- two rated critical and two rated important -- to address vulnerabilities in Internet Explorer, Microsoft Exchange Server, Microsoft SQL Server and Microsoft Office.
This bulletin addresses a remote code execution vulnerability in Internet Explorer 7 and is rated critical. Platforms affected are Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. Windows Server 2003 and Windows Server 2008 are only rated as moderate.
One of the mitigations, among others listed in the bulletin, is to add sites that you trust to the Internet Explorer Trusted sites zone. This can be performed en masse via Group Policy or the Microsoft Internet Explorer Administration Kit (IEAK).
This bulletin addresses a remote code execution vulnerability as well as denial-of-service in Microsoft Exchange, which are rated critical and moderate respectively. Platforms affected are Exchange 2000 Server, Exchange Server 2003 and Exchange Server 2007. Microsoft Exchange Server 2007 is not affected by the denial-of-service. The attack vector in both cases is an attacker sending a malformed email to an Exchange Server. It is important to point out the type of email message, because it is central to mitigating against an attacker trying to exploit the vulnerability, which if effective, could allow for a remote code execution.
When an Outlook client is used to send a Rich Text Format (RTF) message, it encapsulates it in the Transport Neutral Encapsulation Format (TNEF). At a high level, it takes all of the formatting attributes of the RTF formatted email and stores them in a file named winmail.dat. On the receiving end, the winmail.dat file is unpacked and the attributes are reapplied to the email. Why does the transport format matter?
The vulnerability resides in the way Exchange decodes the TNEF formatted message. Along these same lines, messages formatted as HTML and plain text are not affected by the vulnerability.
Back to mitigating against an attack: block TNEF formatted messages. The MS09-003 bulletin goes into great detail on this matter.
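As an added example (not code from the column or from Microsoft), here is a Python check that a mail gateway or quarantine script could use to identify TNEF-encapsulated messages before they reach Exchange. It flags a part by its MIME label (application/ms-tnef or winmail.dat) and, as a fallback, by the TNEF stream signature, so a winmail.dat renamed to something innocuous is still caught. The sample messages are constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage

# Every TNEF stream begins with the little-endian DWORD 0x223E9F78 (a property of the
# format, not something taken from the column).
TNEF_SIGNATURE = bytes.fromhex("789f3e22")


def is_tnef_part(part) -> bool:
    """True if a leaf MIME part carries a TNEF stream, by label or by magic bytes."""
    ctype = part.get_content_type()
    fname = (part.get_filename() or "").lower()
    if ctype == "application/ms-tnef" or fname == "winmail.dat":
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:4] == TNEF_SIGNATURE


def find_tnef_parts(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return every leaf part that looks like TNEF."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p for p in msg.walk() if not p.is_multipart() and is_tnef_part(p)]


def should_block(raw: bytes) -> bool:
    """Policy decision for the gateway: block any message carrying a TNEF part."""
    return bool(find_tnef_parts(raw))


def build_sample(kind: str) -> bytes:
    """Constructed test messages: 'plain' (no TNEF), 'labelled' (winmail.dat with the
    correct MIME type) and 'disguised' (TNEF bytes under a generic name and type, so
    only the signature gives it away)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain text body; HTML and plain-text mail are not affected.")
    tnef_blob = TNEF_SIGNATURE + b"\x00" * 16  # stub stream; only the signature matters here
    if kind == "labelled":
        msg.add_attachment(tnef_blob, maintype="application", subtype="ms-tnef",
                           filename="winmail.dat")
    elif kind == "disguised":
        msg.add_attachment(tnef_blob, maintype="application", subtype="octet-stream",
                           filename="report.bin")
    return msg.as_bytes()
```

Blocking by label alone misses the disguised case, which is why the signature check is worth the extra decode.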
There is a remote code execution vulnerability in Microsoft SQL Server that is rated as important. Platforms affected are SQL Server 2000, SQL Server 2005 Service Pack 2, Microsoft SQL Server 2000 Desktop Engine (WMSDE) on Windows 2000 and Windows Server 2003. Also affected are Windows Internal Database (WYukon) on Windows Server 2003 and Windows Server 2008. Systems with SQL Server 7.0 Service Pack 4, SQL Server 2005 Service Pack 3 and SQL Server 2008 are not affected by this issue.
There are two ways in which the vulnerability can be exploited. First, an authenticated user can exploit it directly by leveraging how SQL Server checks parameters in the "sp_replwritetovarbin" extended stored procedure.
Secondly, it can be exploited by an unauthenticated user. However, the attacker must first find a SQL injection vulnerability in another application that already exists on an affected system. Once the attacker exploits an application on the system, they can compromise the system as an unauthenticated user.
NOTE: The attacker need go no further if a SQL injection vulnerability is found in an application.
At Microsoft we are truly committed to helping secure the computing ecosystem at large. To that end, we take every opportunity to provide information. You may recall that in 2008 there was a sudden upsurge in SQL Injection attacks against a wide range of websites on the Internet. My colleagues over in the SQL and IIS product teams compiled some great information regarding SQL Injection attacks in general, and specifics on how to be protected. Review Advisory 954462 for more
This bulletin is pretty straightforward. There are three Microsoft Office Visio vulnerabilities rated as important that could allow for remote code execution. Platforms affected are Office Visio 2002, Office Visio 2003 and Office Visio 2007. To be exploited, the attacker would send an email with a malformed Visio file and a user would have to open it. This vulnerability cannot be exploited through the preview pane in Microsoft Outlook.
Malicious Software Removal Tool
The monthly installment of the technology to remove malicious software from users' systems is available today as well. This month's update removes Win32/Srizbi. Customers can download the tool at the Malicious Software Removal Tool information page. Additional details can also be found on the Microsoft Malware Protection Center blog.
Microsoft Active Protections Program (MAPP)
To improve security protections for you, we are also offering this month's vulnerability information to security software providers, allowing them to provide updated protections for customers via their security software or devices. MAPP is one of the key ways we work with security researchers and industry partners to improve the broader security ecosystem. More information is available on the Microsoft Active Protections Program.
In closing, please take a moment and register for our monthly security bulletin webcast, which will be held on Wednesday, Feb. 11 at 11 a.m. PDT.
To further aid in your planning and deployment, Security Response Communications Lead Christopher Budd and Lead Security Program Manager Adrian Stone will review information about each bulletin.
Immediately following the review session they will answer your questions with information from our assembled panel of experts. If you are not able to view the live webcast, it will also be available on demand.
In addition, please take a moment and mark your calendars for the March 2009 monthly bulletin release scheduled for Tuesday, March 10, and the advance notification scheduled for Thursday, March 5. Look for the March edition of this column on release day to help you plan and deploy the most recent security bulletins.