Microsoft Exchange gets critical patch

Microsoft has released a critical patch designed to thwart hackers who could take over Exchange Servers or shut them down with denial-of-service attacks.


Microsoft has released a critical patch designed to thwart hackers who could take over Exchange Servers or shut them down with denial-of-service attacks.

Microsoft also issued a critical patch for Internet Explorer 7 and patches rated "important" for both SQL Server and Visio. In total, Microsoft issued four patches on Patch Tuesday that address eight vulnerabilities.

The Exchange patch -- MS09-003 -- is likely the most pressing issue for corporations, which host hundreds of millions of Exchange seats. There are two vulnerabilities addressed in MS09-003. Both hacks can be carried out without the need for interaction from end users.

With the first vulnerability, hackers would use a specially designed Transport Neutral Encapsulation Format (TNEF) message to attack the server. TNEF is a proprietary format used by the Exchange Server and Outlook clients to send messages in Rich Text Format.

Hackers simply have to address the TNEF message to any e-mail address tagged to a company's domain name to gain access to the server where they could execute code.

The second Exchange vulnerability is exploited using a specially formatted Messaging Application Programming Interface (MAPI) message and can lead to a denial-of-service attack.

The affected Exchange versions are 2000, 2003 and 2007. Microsoft rates the probability of a hack as a two on its Exploitability Index, which means attack code would not work every time.

Experts say hackers able to exploit an Exchange Server could end up with a valuable piece of real estate from which to do damage.

"You would be sitting in a privileged spot on the network where you could do network reconnaissance and look for file shares and resources like that," says Wolfgang Kandek, CTO of Qualys.

The critical patch for IE 7 -- MS09-002 -- addresses vulnerabilities in the latest Microsoft browser running on Windows XP and Vista. The vulnerability, which could allow hackers to take over a user's desktop and install software, is rated moderate for IE 7 running on Windows Server 2003 and 2008.

Microsoft also issued two other patches, including one for SQL Server that some experts say should have been rated "critical" rather than "important."

"The prerequisite for the vulnerability is that the user has to be authenticated, which is why it is rated important, but you can get around that with an SQL injection attack," says Eric Schultze, CTO at Shavlik. "I would probably rate this patch as critical."

Microsoft said "functional exploit code" has already been published and the company rated the vulnerability a one on its Exploit Index, meaning exploits could be carried out consistently.

The final patch addresses a flaw in Visio that could result in remote code execution. The issue is rated as "important."

After the patches were released, BeyondTrust issued a statement saying five of the eight vulnerabilities could be mitigated by limiting administrative rights on Windows systems. The company recently issued a report stating that 92% of all critical vulnerabilities reported by Microsoft in 2008 could have been mitigated by removing administrative rights from Windows systems.

"Recommended For You"

Microsoft to patch Windows, SQL Server & Exchange Server next week Microsoft to patch three zero-day flaws next week