Microsoft's February Patch Tuesday release contains four security bulletins. Two are rated critical, one affecting Internet Explorer and the other Microsoft Exchange Server. The other security bulletins affect editions of SQL Server and Microsoft Office Visio.
issued four security bulletins for February's Patch Tuesday
release in order to plug a number of remote code execution vulnerabilities in
Two of the bulletins are rated "critical." Arguably the one with
the greatest impact is MS09-003, which addresses two bugs affecting Microsoft
Exchange Server. The first vulnerability could allow remote code execution if a
malicious TNEF (Transport Neutral Encapsulation Format) message is sent to
a Microsoft Exchange Server. The second vulnerability could allow denial of
service if a specially crafted MAPI (Messaging API)
command is sent to a Microsoft Exchange Server.
An attacker who successfully exploited the second vulnerability could cause
the Microsoft Exchange System Attendant service and other services that use the
EMSMDB32 provider to stop responding, according to Microsoft.
But perhaps just as likely to be targeted by hackers are two bugs swatted in
MS09-02, which covers vulnerabilities affecting Internet Explorer (IE) 7. The first vulnerability is due to the way IE accesses
an object that has been deleted. An attacker could exploit the vulnerability by
getting a user to view a specially crafted Web page, Microsoft warned.
The second IE bug is a memory corruption issue tied to how IE handles CSS
(Cascading Style Sheets). As with the other bug, an attacker could exploit the
bug by luring a vulnerable user into visiting a malicious Web page.
"My personal opinion is that MS09-002 is absolutely the most critical,
just because it is the highest exposure point," said Wes Miller, senior
technical product manager at CoreTrace. "Most Windows users are running as
administrators, and they run Internet Explorer as the default browser. This
vulnerability has the potential of having exploits created easily that will run
reliably simply by convincing a user to visit a specially crafted Web
Microsoft officials said they have not seen evidence that either the
Exchange or the IE vulnerabilities are being exploited in the wild.
The two bulletins rated "important" are aimed at SQL Server and
Microsoft Office Visio. In the case of SQL Server, there is a remote code
execution vulnerability in the way SQL Server checks parameters in the
"sp_replwritetovarbin" extended stored procedure. The situation could
allow remote code execution if untrusted users have access to an affected
system or if a SQL injection vulnerability exists on an affected system,
Though the SQL Server vulnerability was disclosed publicly earlier,
Microsoft reported that it has not seen any attacks targeting the flaw. The
bulletin only affects editions of SQL Server 2000 and 2005 and the SQL Server
2000 Desktop Engine.
The Visio bulletin, meanwhile, addresses three bugs that could lead to
remote code execution.
"I recommend a two-pronged approach to patching
this month," Eric Schultze, CTO of
Shavlik Technologies, said in a statement. "Give the two server patches to
the Server maintenance team and ask that they install these two as soon as
possible-given what I believe is the severity of these issues. Give the two
client-side patches to the desktop team and have them install these patches in
the next update cycle or as they see fit-but no need to burn the weekend candle
*Correction: This story was corrected to state the IE vulnerability only affects version 7.