Patch Tuesday: Microsoft fixes "critical" flaws in Exchange, IE

Share this article:
Microsoft delivered four patches on Tuesday to address eight vulnerabilities, including two in Exchange that experts suggest soon could give rise to active exploits.

Two of the four patches from Microsoft were labeled "critical" and resolved four vulnerabilities -- two each in Exchange and Internet Explorer (IE).

The Exchange holes appear to be the most serious because they do not require users to take any action for businesses to be infected, said Alex Wheeler, labs manager at intrusion prevention systems maker TippingPoint.

"As an attacker, I would create a malicious attachment in my email and send it to someone -- anyone -- at the domain," Wheeler told SCMagazineUS.com. "The email server would receive it and process it. If I did the attack right, if the attachment was not formed properly, it would execute code on the server. No one has to do anything. All the server has to do is be up and running and processing."

Microsoft said it expects to see "inconsistent" exploit code result from the Exchange flaws, but Wheeler said the bugs are wormable and can lead to an "enterprise-wide compromise from one email."

The IE patch, meanwhile, fixes two vulnerabilities in version 7 of the browser on Windows XP and Vista. Microsoft said it expects "consistent" exploit code to result.

"Browser vulnerabilities are especially popular with the hacker community to deliver blended attacks, where a compromised browser is used to introduce additional malware onto the computer," said Paul Zimski, vice president of market strategy at Lumension, a vulnerability management provider.

The other two patches released Tuesday carry designations of "important" and correct a vulnerability in SQL Server and three bugs in Microsoft Office Visio.

In addition, Microsoft released an advisory that provides more information on ActiveX kill bits. Additional kill bits -- for Akamai Download Manager and Research In Motion (RIM) AxLoader -- were added to bulletin MS08-070, which resolves six flaws in ActiveX controls for Microsoft Visual Basic 6.0 Runtime Extended Files.

Holly Stewart, a threat response manager with IBM-ISS' X-Force research team, said vulnerable ActiveX controls were responsible for 34 percent of all web-based exploits in the last quarter of 2008.

"From an exploitation economics standpoint, these types of vulnerabilities go into the upper-right-hand quadrant because they are incredibly cheap to integrate into web exploit toolkit frameworks...and very easy to monetize the data contained on the exploited PCs," she said.
Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.