Microsoft issued four security bulletins for February’s Patch Tuesday release in order to plug a number of remote code execution vulnerabilities in its products.
Two of the bulletins are rated “critical.” Arguably the one with the greatest impact is MS09-003, which addresses two bugs affecting Microsoft Exchange Server. The first vulnerability could allow remote code execution if a malicious TNEF (Transport Neutral Encapsulation Format) message is sent to a Microsoft Exchange Server. The second vulnerability could allow denial of service if a specially crafted MAPI (Messaging API) command is sent to a Microsoft Exchange Server.
An attacker who successfully exploited the second vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding, according to Microsoft.
But perhaps just as likely to be targeted by hackers are two bugs swatted in MS09-02, which covers vulnerabilities affecting Internet Explorer (IE) 7. The first vulnerability is due to the way IE accesses an object that has been deleted. An attacker could exploit the vulnerability by getting a user to view a specially crafted Web page, Microsoft warned.
The second IE bug is a memory corruption issue tied to how IE handles CSS (Cascading Style Sheets). As with the other bug, an attacker could exploit the bug by luring a vulnerable user into visiting a malicious Web page.
“My personal opinion is that MS09-002 is absolutely the most critical, just because it is the highest exposure point,” said Wes Miller, senior technical product manager at CoreTrace. “Most Windows users are running as administrators, and they run Internet Explorer as the default browser. This vulnerability has the potential of having exploits created easily that will run reliably simply by convincing a user to visit a specially crafted Web page.”
Microsoft officials said they have not seen evidence that either the Exchange or the IE vulnerabilities are being exploited in the wild.
The two bulletins rated “important” are aimed at SQL Server and Microsoft Office Visio. In the case of SQL Server, there is a remote code execution vulnerability in the way SQL Server checks parameters in the “sp_replwritetovarbin” extended stored procedure. The situation could allow remote code execution if untrusted users have access to an affected system or if a SQL injection vulnerability exists on an affected system, Microsoft said.
Though the SQL Server vulnerability was disclosed publicly earlier, Microsoft reported that it has not seen any attacks targeting the flaw. The bulletin only affects editions of SQL Server 2000 and 2005 and the SQL Server 2000 Desktop Engine.
The Visio bulletin, meanwhile, addresses three bugs that could lead to remote code execution.
“I recommend a two-pronged approach to patching this month,” Eric Schultze, CTO of Shavlik Technologies, said in a statement. “Give the two server patches to the Server maintenance team and ask that they install these two as soon as possible-given what I believe is the severity of these issues. Give the two client-side patches to the desktop team and have them install these patches in the next update cycle or as they see fit-but no need to burn the weekend candle for these.”
*Correction: This story was corrected to state the IE vulnerability only affects version 7.