Hackers can trigger 'blatant' Exchange bug just by sending malicious e-mail
The most serious of the flaws is a bug in Exchange that attackers can trigger simply by sending a specially crafted message to a company's mail server.
In today's four security updates, Microsoft delivered fixes for the three critical flaws, as well as patches for five additional bugs it pegged as "important," the second-highest threat level in the company's four-step scoring system.
Several researchers put the Exchange update, MS09-003, at the top of their list because of the likely attack vector. According to Microsoft, the critical Exchange vulnerability can be exploited when a user "opens or previews a specially crafted e-mail message sent in TNEF format or when the Microsoft Exchange Server Information Store processes the specially crafted message."
TNEF, for Transport Neutral Encapsulation Format, is a proprietary e-mail attachment format used by Microsoft's popular Outlook e-mail client as well as Exchange.
Andrew Storms, director of security operations at nCircle Network Security Inc., agreed. "What we're seeing here is that you can send a message and take control of an Exchange server," said Storms. "I don't remember an Exchange vulnerability that's quite so blatant. The functionality that the server provides is the way that you attack the system."
Attackers would love to get their hands on corporate mail servers, both researchers said. "So much intellectual property and confidential information is passed around via e-mail," said Storms, who suggested that the potential rewards of hacking into a mail server would tempt criminals immediately. "All the smart minds will start looking at this."
"In addition to snooping corporate secrets, [a compromised Exchange server] can be used as a launch pad for attacks against other servers in the enterprise," Rohit Dhamankar, director of 3Com Corp.'s TippingPoint DVLabs, noted in an e-mail today.
On the plus side, said Storms, is Microsoft's exploitability rating for the Exchange bug. Because the company labeled it as "Inconsistent exploit code likely," Storms said, enterprises might have some breathing room. "Attackers might not be so quick to come up with an exploit," he said, "so we may have a little window here before having to patch."
The second critical update, MS09-002, patches a pair of vulnerabilities in IE7, Microsoft's current production browser and supposedly its most secure. The two flaws -- one in IE7's handling of Cascading Style Sheets (CSS), the other a memory corruption vulnerability -- likely cropped up in the browser when Microsoft rewrote sections of its older IE6, said Storms and Kandek.
"This is another head-scratcher," said Storms. "Why is it IE7 only? What did they introduce or miss? You would have thought that [IE7] would have been fully tested, so the answer may be in what they rewrote."
"This should be patched immediately," added Kandek. "I cannot imagine anything breaking by patching IE."
As expected, the SQL Server update patched a vulnerability that Microsoft acknowledged in December 2008 -- before admitting a few days later that it had been working on the flaw since April, when an Austrian security researcher first reported it. The researcher, Bernhard Mueller of SEC Consult Security, eventually went public with his findings after he was ignored by Microsoft.
"It's still interesting," said Storms of the SQL Server fix, "just not nearly as interesting now that we know what else was patched today."
The fourth update fixes three separate flaws in the file formats parsed by Visio, the diagramming application that's part of the Office family. Microsoft rated MS09-005 as "important."
"The Exchange [update] is the most serious," said Qualys' Kandek. "Patch that first. And if you cannot [patch], go into your attachment manager and filter attachments there."
"Don't sit on the couch for this one," echoed Storms.
February's four security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services