Patch Tuesday: Microsoft fixes "critical" flaws in Exchange, IE

Share this article:
Microsoft delivered four patches on Tuesday to address eight vulnerabilities, including two in Exchange that experts suggest soon could give rise to active exploits.

Two of the four patches from Microsoft were labeled "critical" and resolved four vulnerabilities -- two each in Exchange and Internet Explorer (IE).

The Exchange holes appear to be the most serious because they do not require users to take any action for businesses to be infected, said Alex Wheeler, labs manager at intrusion prevention systems maker TippingPoint.

"As an attacker, I would create a malicious attachment in my email and send it to someone -- anyone -- at the domain," Wheeler told SCMagazineUS.com. "The email server would receive it and process it. If I did the attack right, if the attachment was not formed properly, it would execute code on the server. No one has to do anything. All the server has to do is be up and running and processing."

Microsoft said it expects to see "inconsistent" exploit code result from the Exchange flaws, but Wheeler said the bugs are wormable and can lead to an "enterprise-wide compromise from one email."

The IE patch, meanwhile, fixes two vulnerabilities in version 7 of the browser on Windows XP and Vista. Microsoft said it expects "consistent" exploit code to result.

"Browser vulnerabilities are especially popular with the hacker community to deliver blended attacks, where a compromised browser is used to introduce additional malware onto the computer," said Paul Zimski, vice president of market strategy at Lumension, a vulnerability management provider.

The other two patches released Tuesday carry designations of "important" and correct a vulnerability in SQL Server and three bugs in Microsoft Office Visio.

In addition, Microsoft released an advisory that provides more information on ActiveX kill bits. Additional kill bits -- for Akamai Download Manager and Research In Motion (RIM) AxLoader -- were added to bulletin MS08-070, which resolves six flaws in ActiveX controls for Microsoft Visual Basic 6.0 Runtime Extended Files.

Holly Stewart, a threat response manager with IBM-ISS' X-Force research team, said vulnerable ActiveX controls were responsible for 34 percent of all web-based exploits in the last quarter of 2008.

"From an exploitation economics standpoint, these types of vulnerabilities go into the upper-right-hand quadrant because they are incredibly cheap to integrate into web exploit toolkit frameworks...and very easy to monetize the data contained on the exploited PCs," she said.
Share this article:
You must be a registered member of SC Magazine to post a comment.
close

Next Article in News

Sign up to our newsletters

More in News

Reported breaches involving zero-day bug at JPMorgan Chase, other banks

Reported breaches involving zero-day bug at JPMorgan Chase, ...

Hackers exploited a zero-day vulnerability and gained access to sensitive information from JPMorgan Chase and at least four other financial institutions, reports indicate.

Data on 97K Bugzilla users posted online for about three months

During a migration of the testing server for test builds of Bugzilla software, data on about 97,000 Bugzilla users was inadvertently posted publicly online.

Chinese national had access to data on 5M Arizona drivers, possible breach ...

Although Lizhong Fan left the U.S. in 2007, the agencies responsible for giving him access to Americans' personal information have yet to disclose the details of the case to the public.