Microsoft today shipped four bulletins with patches for at least 8 documented security vulnerabilities affecting Windows users and warned that "consistent exploit code could be easily crafted" to launch attacks via the Internet Explorer browser.
The Patch Tuesday batch includes fixes for a pair of code execution holes in IE, two bugs in the Microsoft Exchange Server, a remote code execution issue in the Microsoft SQL Server, and three separate flaws haunting users of Microsoft Office Visio.
The Internet Explorer bulletin (MS09-002) should be treated with urgency because the flaws can be exploited to launch drive-by download attacks.
- This security update is rated Critical for Internet Explorer 7 running on supported editions of Windows XP and Windows Vista. For Internet Explorer 7 running on supported editions of Windows Server 2003 and Windows Server 2008, this security update is rated Moderate.
The Microsoft warning that consistent exploit code was likely suggests that it's very easy for an attacker to host a specially crafted Web site and attack unpatched users who surfed to the rigged Web site.
- The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability.
Enterprise administrators will also want to pay special attention to the Microsoft Exchange update (MS09-003) which covers two different vulnerabilities that expose users to code execution or denial-of-service attacks.
- The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.
The company says it expects to see "inconsistent exploit code" published for this bulletin. However, nCircle director of security operations Andrew Storms says this is a very serious problem.
"This vulnerability means that any cybercriminal sending a well crafted email attachment to an enterprise could gain complete control over the server and gaining one of the keys to the kingdom," Storms said.
"All kinds of highly confidential and proprietary information pass through an Exchange server every day. Gaining control over it and its content would be a gold mine to any cyber criminal," he added.