Two of the four patches from Microsoft were labeled “critical” and resolved four vulnerabilities — two each in Exchange and Internet Explorer (IE).
The Exchange holes appear to be the most serious because they do not require users to take any action for businesses to be infected, said Alex Wheeler, labs manager at intrusion prevention systems maker TippingPoint.
“As an attacker, I would create a malicious attachment in my email and send it to someone — anyone — at the domain,” Wheeler told SCMagazineUS.com. “The email server would receive it and process it. If I did the attack right, if the attachment was not formed properly, it would execute code on the server. No one has to do anything. All the server has to do is be up and running and processing.”
Microsoft said it expects to see “inconsistent” exploit code result from the Exchange flaws, but Wheeler said the bugs are wormable and can lead to an “enterprise-wide compromise from one email.”
The IE patch, meanwhile, fixes two vulnerabilities in version 7 of the browser on Windows XP and Vista. Microsoft said it expects “consistent” exploit code to result.
“Browser vulnerabilities are especially popular with the hacker community to deliver blended attacks, where a compromised browser is used to introduce additional malware onto the computer,” said Paul Zimski, vice president of market strategy at Lumension, a vulnerability management provider.
In addition, Microsoft released an advisory that provides more information on ActiveX kill bits. Additional kill bits — for Akamai Download Manager and Research In Motion (RIM) AxLoader — were added to bulletin MS08-070, which resolves six flaws in ActiveX controls for Microsoft Visual Basic 6.0 Runtime Extended Files.
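For administrators who want to verify that a kill bit actually took effect on a host, the following PowerShell check is an added example, not code from the article or from Microsoft. A kill bit is the 0x400 flag in the "Compatibility Flags" value under the ActiveX Compatibility key; the CLSIDs below are placeholders, since the article does not list them, and should be replaced with the values given in the Microsoft advisory.

```powershell
# Added example (not from the article): report whether the ActiveX kill bit is set
# for each CLSID in a list. The kill bit is bit 0x400 of "Compatibility Flags" under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
$KillBitFlag = 0x400

# Placeholder CLSIDs only; take the real ones from the Microsoft advisory.
$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',  # placeholder: Akamai Download Manager control
    '{00000000-0000-0000-0000-000000000002}'   # placeholder: RIM AxLoader control
)

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    # Missing key or value means no compatibility flags, hence no kill bit.
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $value = if ($null -eq $flags) { 0 } else { [int]$flags }

    [pscustomobject]@{
        Clsid      = $Clsid
        Flags      = ('0x{0:X}' -f $value)
        KillBitSet = (($value -band $KillBitFlag) -ne 0)
    }
}

$ClsidsToCheck | ForEach-Object { Test-ActiveXKillBit -Clsid $_ } | Format-Table -AutoSize
```

On 64-bit Windows, 32-bit controls are tracked under the equivalent key beneath `HKLM:\SOFTWARE\Wow6432Node`, so check both hives when auditing a mixed estate.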
Holly Stewart, a threat response manager with IBM-ISS’ X-Force research team, said vulnerable ActiveX controls were responsible for 34 percent of all web-based exploits in the last quarter of 2008.
“From an exploitation economics standpoint, these types of vulnerabilities go into the upper-right-hand quadrant because they are incredibly cheap to integrate into web exploit toolkit frameworks…and very easy to monetize the data contained on the exploited PCs,” she said.