Exchange and IE in line for Patch Tuesday attention
Critical, nasty, flawed.
By Robert McMillan, IDG News Service | Published: 06:42, 11 February 2009
Microsoft has released four software security patches, fixing some nasty browser and mail server flaws as well as a bug in SQL Server that was publicly disclosed in December.
The company released four updates, including critical fixes for Exchange and Internet Explorer. Two other updates, for SQL Server and Visio, were rated "important," meaning it would be a little harder for hackers to exploit the bugs they fix.
The Exchange patch is considered the most important, according to security vendor TippingPoint. Without the patch, hackers could shut down or possibly even take control of an Exchange mail server by sending a specially written mail attachment.
"A compromised email server, in addition to snooping corporate secrets, can be used as a launch pad for attacks against other servers in the enterprise," said TippingPoint.
The critical update for Internet Explorer fixes two vulnerabilities in the browser that could be exploited by hackers to run unauthorised software on a victim's computer. For this attack to work, the victim would have to be tricked into visiting a maliciously crafted web page. Although no attacks have yet been reported exploiting these bugs, Microsoft believes that now that the patches are out, it will be easy for attackers to work up a reliable attack.
The SQL Server patch had been expected. It fixes a bug in the database software that Microsoft acknowledged late last year. According to the researcher who disclosed the SQL issue, Microsoft has known about it since April and wrote its initial patch for the bug back in September.
In all, the updates released this month are "much more critical" than January's patches, TippingPoint said. Last month, Microsoft released just one update, for its Windows Server Message Block file and print service.
