Microsoft plugs critical Exchange, IE holes

Microsoft Tuesday patched eight vulnerabilities -- three of them marked "critical" -- in the company's Internet Explorer (IE), Office, Exchange and SQL Server software.

The most serious of the flaws is a bug in Exchange that attackers can trigger simply by sending a specially-crafted message to a company's mail server.

In Tuesday's four security updates, Microsoft delivered fixes for the three critical flaws, as well as patches for five additional bugs it pegged as "important," the second-highest threat level in the company's four-step scoring system.

Several researchers put the Exchange update, MS09-003, at the top of their list because of the likely attack vector. According to Microsoft, the critical Exchange vulnerability can be exploited when a user "opens or previews a specially crafted e-mail message sent in TNEF format or when the Microsoft Exchange Server Information Store processes the specially crafted message."

TNEF, for Transport Neutral Encapsulation Format, is a proprietary e-mail attachment format used by Microsoft's popular Outlook e-mail client as well as Exchange.

"This seems to be a pretty bad one," said Wolfgang Kandek, CTO at security company Qualys Inc. "Just receiving an e-mail triggers it."

Andrew Storms, director of security operations at nCircle Network Security Inc., agreed. "What we're seeing here is that you can send a message and take control of an Exchange server," said Storms. "I don't remember an Exchange vulnerability that's quite so blatant. The functionality that the server provides is the way that you attack the system."

Attackers would love to get their hands on corporate mail servers, both researchers said. "So much intellectual property and confidential information is passed around via e-mail," said Storms, who wagered that the rewards would tempt criminals immediately. "All the smart minds will start looking at this."

"In addition to snooping corporate secrets, [a compromised Exchange server] can be used as a launch pad for attacks against other servers in the enterprise," Rohit Dhamankar, director of 3Com Corp.'s TippingPoint DVLabs, noted in an e-mail Tuesday.

On the plus side, said Storms, is Microsoft's exploitability rating for the Exchange bug. Because the company labeled it as "Inconsistent exploit code likely," Storms said, enterprises might have some breathing space. "Attackers might not be so quick to come up with an exploit," he said, "so we may have a little window here before having to patch."

