Microsoft: 'Consistent exploit code likely' for IE vulnerabilities

Microsoft today shipped four bulletins with patches for at least 8 documented security vulnerabilities affecting Windows users and warned that "consistent exploit code could be easily crafted" to launch attacks via the Internet Explorer browser.

The Patch Tuesday batch includes fixes for a pair of code execution holes in IE, two bugs in the Microsoft Exchange Server, a remote code execution issue in the Microsoft SQL Server, and three separate flaws haunting users of Microsoft Office Visio.

The Internet Explorer bulletin (MS09-002) should be treated with urgency because the flaws can be exploited to launch drive-by download attacks.

  • This security update is rated Critical for Internet Explorer 7 running on supported editions of Windows XP and Windows Vista. For Internet Explorer 7 running on supported editions of Windows Server 2003 and Windows Server 2008, this security update is rated Moderate.

The Microsoft warning that consistent exploit code was likely suggests that it's very easy for an attacker to host a specially crafted Web site and attack unpatched users who surfed to the rigged Web site.

  • The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability.

Enterprise administrators will also want to pay special attention to the Microsoft Exchange update (MS09-003) which covers two different vulnerabilities that expose users to code execution or denial-of-service attacks.

Microsoft explains:

  • The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.

The company says it expects to see "inconsistent exploit code" published for this bulletin. However, nCircle director of security operations Andrew Storms says this is a very serious problem.

"This vulnerability means that any cybercriminal sending a well-crafted email attachment to an enterprise could gain complete control over the server and gain one of the keys to the kingdom," Storms said.

"All kinds of highly confidential and proprietary information pass through an Exchange server every day. Gaining control over it and its content would be a gold mine to any cyber criminal," he added.

Talkback

163 comments
  • IE8 and Windows 7 aren't mentioned

    [i]This security update is rated Critical for Internet Explorer 7 running on supported editions of Windows XP and Windows Vista.[/i]

    I notice there is no mention anywhere of IE8 and Windows 7. Does that mean they aren't affected or does it mean that MS doesn't release vulnerability information for Beta products? This is kind of important to know considering I (and millions of others) am using Windows 7 and IE8 every day.
    NonZealot
    • I agree

      Good questions. Not that I'm running IE8 or Win7 betas...I'm just in an agreeable mood today. ;-)
      MGP2
      • I disagree

        It isn't important. Just use Firefox, Opera, Safari, Chrome, or any other superior browser. Problem solved, whatever OS you run.


        You might argue that there are a lot of uneducated people out there who will blindly use IE and be affected by its problems.. those people don't read the news though (or they wouldn't use IE), so it doesn't matter to them, either.

        NonZealot was obviously employing sarcasm.
        AzuMao
        • What was I being sarcastic about?

          I didn't mean to be, my question was 100% honest. Did you think it was my comment that there are millions of people using Win7? According to Microsoft, the number is in the low millions.

          And while I primarily use Firefox because I like it, I have a feeling that IE with Protected Mode is actually the more secure browser. It is actually the #1 feature that I would [b]really[/b] like to see added to Firefox.
          NonZealot
    • Don't worry!

      You're not using OS X or Safari. That should be good enough for you shouldn't it? ;)
      Kid Icarus-21097050858087920245213802267493
      • True, OS X was the first to fall in PWN2OWN

        I do use IE8 for some sites although 90%+ of my browsing is done with Firefox.
        NonZealot
        • It's all good

          I'm not sure how PWN2OWN is really relevant anymore, that happened how long ago now? Move on. I just thought I would poke a little fun at ya.

          I don't really care one way or the other, though I will be trying out 7 as soon as I get my roomier drive in a couple a days...

          How does Firefox run on 7?
          Kid Icarus-21097050858087920245213802267493
          • It's very relevant.

            [i]I'm not sure how PWN2OWN is really relevant anymore, that happened how long ago now?[/i]

            It proved there is nothing inherent in OS X which protects it from the very same types of attacks Windows faces.
            ye
          • Let it go...

            It's patched. Who cares? You two are obviously obsessed. LOL!
            Kid Icarus-21097050858087920245213802267493
          • Too bad that same courtesy is not extended to MS.

            As we continue to hear about things which are no longer issues and haven't been for years.

            With that said it's not the specific vulnerability that is interesting. That in and of itself is boring. What's interesting is the point said vulnerability made. Which, I'll repeat again, showed there is nothing inherent in OS X that protects it from the exact same types of exploits that Windows faces. THAT is what's important.
            ye
          • Have fun beatin that dead horse!

            LOL
            Kid Icarus-21097050858087920245213802267493
          • Re: Patched

            Many Windows exploits are still exploited long after they've been patched.

            For example, the Conficker patch and removal was released in Oct 08, and in Jan 09 it was reported there were still many PCs infected.

            In fact, one of the reasons virus propagation is dependent on population size is because of the ratio of patched to unpatched machines.
            ModernMech
          • Not quite

            The PWN2OWN hack was not a drive-by exploit. It was a phishing attack IIRC.

            I cut MS slack on phishing exploits. There's no real way to protect against those, but far too often IE and Windows have drive-by exploits, where you are compromised just by clicking a link and doing nothing else. The critical IE patch today is for just such a flaw.
            frgough
          • It's the exact same type of exploit used to...

            [i]The exploit involved getting an end user to click on a link, which opened up a port that he was then able to telnet into. Once connected, he was able to remotely run code of his choosing.[/i]

            ...exploit Windows. How does it differ from this:

            [i]but far too often IE and Windows have drive-by exploits, where you are compromised just by clicking a link and doing nothing else.[/i]

            ye
          • quite

            Nope, it wasn't a phishing attack, it was a vulnerability that allowed a code execution attack via a maliciously crafted Web page. Drive-by would have definitely been possible if anyone had cared to try to commercialize it.

            No cutting Apple any slack on this. ;-)
            rtk
          • Right

            When there are dozens of drive-by exploits for IE, anyone who points it out is an "evil ms hater", but when there is one single drive-by exploit for Safari (which is promptly fixed) it's all "ooooooooooooo apple got soooo owned go ms!!111".


            Hilarious!
            AzuMao
          • It wasn't relevant then.

            And it's not relevant now. The exploit was independent of the OS. OS X was owned because the hacker was familiar with it.
            kozmcrae
          • This has got to be the stupidest defense I've ever read.

            [i]OS X was owned because the hacker was familiar with it.[/i]

            Yeah...because we all know the people who hack Windows have no familiarity with it at all. LOL!
            ye
          • So let me get this straight

            We need to excuse any vulnerability in an operating system if the hacker is familiar with that operating system?

            That's great news for MS, no?

            rtk
          • A "stupid defense" works fine for Linux and OS X.

            For Microsoft's OS you need full body armor and a small army of security software tenders. Not to mention money that could be better spent elsewhere. Take some advice ye, really. Don't ever bring up security when defending Microsoft and if others mention it, ignore them. You simply cannot win. If you do win, it's only in your mind.
            kozmcrae