Patch Tuesday: Microsoft fixes "critical" flaws in Exchange, IE

Microsoft delivered four patches on Tuesday to address eight vulnerabilities, including two in Exchange that experts suggest soon could give rise to active exploits.

Two of the four patches from Microsoft were labeled "critical" and resolved four vulnerabilities -- two each in Exchange and Internet Explorer (IE).

The Exchange holes appear to be the most serious because they do not require users to take any action for businesses to be infected, said Alex Wheeler, labs manager at intrusion prevention systems maker TippingPoint.

"As an attacker, I would create a malicious attachment in my email and send it to someone -- anyone -- at the domain," Wheeler said. "The email server would receive it and process it. If I did the attack right, if the attachment was not formed properly, it would execute code on the server. No one has to do anything. All the server has to do is be up and running and processing."

Microsoft said it expects to see "inconsistent" exploit code result from the Exchange flaws, but Wheeler said the bugs are wormable and can lead to an "enterprise-wide compromise from one email."

The IE patch, meanwhile, fixes two vulnerabilities in version 7 of the browser on Windows XP and Vista. Microsoft said it expects "consistent" exploit code to result.

"Browser vulnerabilities are especially popular with the hacker community to deliver blended attacks, where a compromised browser is used to introduce additional malware onto the computer," said Paul Zimski, vice president of market strategy at Lumension, a vulnerability management provider.

The other two patches released Tuesday carry designations of "important" and correct a vulnerability in SQL Server and three bugs in Microsoft Office Visio.

In addition, Microsoft released an advisory that provides more information on ActiveX kill bits. Additional kill bits -- for Akamai Download Manager and Research In Motion (RIM) AxLoader -- were added to bulletin MS08-070, which resolves six flaws in ActiveX controls for Microsoft Visual Basic 6.0 Runtime Extended Files.

Holly Stewart, a threat response manager with IBM-ISS' X-Force research team, said vulnerable ActiveX controls were responsible for 34 percent of all web-based exploits in the last quarter of 2008.

"From an exploitation economics standpoint, these types of vulnerabilities go into the upper-right-hand quadrant because they are incredibly cheap to integrate into web exploit toolkit frameworks...and very easy to monetize the data contained on the exploited PCs," she said.