Critical IE, Exchange Flaws in Microsoft's Patch Tuesday

Microsoft Corp. today released four patch bundles to fix at least eight security vulnerabilities in PCs powered by its Windows operating system and other software. The fixes are available through Microsoft Update or via Automatic Updates.

Half of the flaws fixed in February's patch batch earned Microsoft's most urgent "critical" rating, meaning attackers could wield them to break into vulnerable systems with little or no assistance from users, aside from maybe convincing users to visit a booby-trapped Web site or open a specially-crafted e-mail.

Two of the critical vulnerabilities reside in Microsoft's Internet Explorer 7 Web browser (oddly enough, Microsoft says IE6 is not affected).

The other two critical flaws Redmond fixed are found in Microsoft Exchange, an e-mail server program used by tens of millions of organizations.

Andrew Storms, director of security operations for nCircle, a network security company, said the Exchange vulnerability is especially serious for businesses, because an attacker could seize control over an Exchange server merely by sending a well-crafted e-mail attachment to a company's Exchange server.

"All kinds of highly confidential and proprietary information pass through an Exchange server every day," Storms said. "Gaining control over it and its content would be a gold mine to any cyber criminal."

Microsoft says it is unlikely that criminals will develop code capable of exploiting the flaw reliably, and that it is not aware of any attacks yet against this privately reported vulnerability.

Despite those assurances, Storms said bad guys are likely to latch onto this flaw.

"Don't be surprised if we begin to see early exploit code within a week," he said.

The two remaining updates fix a privately reported vulnerability in SQL Server database software, and three privately reported flaws in Microsoft Office Visio.

By Brian Krebs  |  February 10, 2009; 6:15 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  


How worried should I be that IE doesn't want to load the update page on one of my computers (which is frequently updated) and that when it does actually load the page, it just locks on the screen where it says that MS is checking to make sure I have the latest version of the installation software (I'm pretty sure that I should, but can't be certain.)

Update was uneventful on my other computers which are updated on more or less the same schedule but use different virus protection software.

Posted by: Tim106 | February 10, 2009 7:39 PM | Report abuse

Windows is a patch bundle.

Posted by: edbyronadams | February 10, 2009 7:53 PM | Report abuse

Securia was previously doing a good job with updates, by connecting directly to the update itself.

With Microsoft updates, that is no longer the case and it repeatedly attempts to download Outlook 2003 updates for my 2002 installation.

Apparently, one of the Realtor organizations I was previously associated with installed a version of XP Pro [removing my home edition] which exceeded the authorized number of copies, so Microsoft repeatedly attempts to download their 'genuine windows' update, which I keep declining to install.

Hot installations by private DP shops are one thing, but when a major organization purchases a software system from a vendor, it doesn't take a rocket scientist to know that with a 'wink and a nod' excessive installation numbers were NEVER issues by the sales team involved.

It is one thing to install 'pirated software' and quite another to have an in-house DP Dept exceed their authorized number based on a 'wink & a nod' sales approach.

HELLO SECURIA -- get back to the direct file access.

Posted by: | February 10, 2009 7:56 PM | Report abuse

So they managed to introduce two new "critical" security vulnerabilities in IE7? Score one--well, two, I guess--for Firefox.

Posted by: ComfortablyDumb | February 11, 2009 10:22 AM | Report abuse

Still using Windoze, anyone? Unless you enjoy paying ransom to Redmond for bad software, you ought to try Linux- fast, secure, *free of charge*. Put a free download on a spare box and try it out.

Posted by: hairguy01 | February 11, 2009 10:50 AM | Report abuse

@ Tim106: you should be alert to any other odd behaviors.

There is a work-around to using Internet Explorer for Windows critical updates: If you are in an organization that doesn't block the use of Windows' "Automatic Updates" feature, then turn on Automatic updates and set that up to pull down critical updates.

Automatic Updates are turned on in Windows XP via Control Panel > System Properties > Automatic Updates tab.

Additionally, make sure that your anti-virus software is up-to-date.

Lastly (well, this is probably the first thing to try), clear Internet Explorer's cache, history, etc. That step can sometimes rectify issues of this nature.

Good luck!

Posted by: CB12 | February 11, 2009 11:04 AM | Report abuse
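The comment above recommends turning on Automatic Updates as a fallback when the Windows Update site fails in Internet Explorer. Added here as an example (not the commenter's, not the article's), this PowerShell snippet reports how Automatic Updates is actually configured by reading the registry values the "Automatic Updates" tab writes, and the Group Policy override that can silently disable it; the key paths and the AUOptions value meanings are Microsoft's documented ones, and it is assumed the shell runs with rights to read HKLM.

```powershell
# Added example: report the Automatic Updates configuration of this machine.
# Local setting chosen in Control Panel > System Properties > Automatic Updates:
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
# Group Policy override (present only on managed machines); it wins over the local setting.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Documented meanings of the AUOptions DWORD.
$auMeaning = @{
    1 = 'Disabled (no automatic download or notification)'
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically and install on schedule'
}

function Get-AUOptions($path) {
    # Returns $null when the key or the value does not exist.
    if (Test-Path $path) {
        (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).AUOptions
    }
}

$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.NoAutoUpdate -eq 1) {
    Write-Output 'Automatic Updates is disabled by Group Policy (NoAutoUpdate=1); updates must be pulled manually.'
} else {
    $option = Get-AUOptions $policyKey
    $source = 'Group Policy'
    if (-not $option) {
        $option = Get-AUOptions $localKey
        $source = 'local setting'
    }
    if ($option -and $auMeaning.ContainsKey([int]$option)) {
        Write-Output ("Automatic Updates ({0}): {1}" -f $source, $auMeaning[[int]$option])
        if ([int]$option -lt 3) {
            Write-Output 'Critical updates will not download on their own with this setting.'
        }
    } else {
        Write-Output 'Automatic Updates has never been configured on this machine.'
    }
}
```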

Thanks, CB12.

I'll bet clearing the cache will do the trick. Funny how easy it is to forget these little tricks sometimes, isn't it?

Posted by: Tim106 | February 11, 2009 4:04 PM | Report abuse

Microsoft should be designated as the internet's worst virus. They should be forced to buy back every POS OS they have sold. It's sad when a 16 year old kid is smarter than the people MS hired to build the systems. MS always downplays their mistakes as if the rest of the computing world is full of idiots. MS should be held liable and forced to pay any damages.

Posted by: askgees | February 11, 2009 4:13 PM | Report abuse
If you're going to comment, can you please be relevant? A company is a virus? the internet can be an entity?

And a 16 year old kid with some time on his hands can write some exploit code for an MS product, big deal, it is the nature of security that nothing can actually be completely secured.

In conclusion, please shut your mouth until you have something relevant to say.

Peter Fellenz
IS Consultant

Posted by: PeterFellenz | February 12, 2009 10:59 AM | Report abuse

@ peterfellenz
You were OK with your post up until you asked the previous poster to "shut up."

Posted by: peterpallesen | February 12, 2009 12:04 PM | Report abuse

The title reads "Critical IE, Exchange Flaws in Microsoft's Patch Tuesday"

Makes one wonder:
1. Were the flaws in IE and Exchange IN the patch? or

2. did the patch fix the flaws in IE and Exchange?

Reading the title as written would lead any reasonable person to deduce 1. (above) is the case. No wonder when I downloaded the patch, my computer acted differently.

Of course, the apologists for Microsoft will state that the patch fixed 'unexpectedly found, and previously unknown weaknesses' of IE and Exchange, without admitting that Microsoft had anything to do with creating, or knowing about, the holes (so big a semi truck could roar through) in the software.

Posted by: critter69 | February 15, 2009 5:42 AM | Report abuse


© 2010 The Washington Post Company