February's Patch Contains "Critical" IE and Exchange Fixes
Internet Explorer vulnerabilities should be given highest priority, patched first
Redmond's February slate of security bulletins includes four patches -- two deemed "critical" and two "important."
Most security pros agree that the first critical item, associated with Internet Explorer, will be the most crucial task for security pros, given the browser's pervasive use. The patch, affecting only IE7 on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 operating systems, is said to resolve two "newly discovered and privately reported vulnerabilities" in IE.
"Typically, we are reluctant to elevate one vulnerability over the other. However, looking at the 2008 data, we agree that Internet Explorer vulnerabilities should be given the highest priority and patched first," said Wolfgang Kandek, chief technology officer at Qualys. "The browser is the heaviest used software application that interacts with the Internet, the most likely source of malicious content."
Kandek added that browser patches are usually "heavily tested" by Microsoft and unlikely to break any existing functionality on the desktop.
The second critical item in the rollout deals with Microsoft Exchange Server. Redmond is issuing a fix for Microsoft Exchange Server 2000, Exchange Server 2003, and Exchange Server 2007. This update is supposed to stave off two privately reported vulnerabilities that involve both remote code execution (RCE) exploits and denial of service attacks.
"While Microsoft labels the Exchange bulletin as 'Inconsistent exploit code likely,' and there are no known public exploits yet, attackers are going to latch onto this like flies to honey," said Andrew Storm, director of security at nCircle. "Don't be surprised if we begin to see early exploit code within a week."
Paul Zimski, a vice president for Lumension, said Exchange has been one of the easiest server-side targets for hackers to infiltrate. He added that critical e-mail services are often subject to change control processes. Consequently, deployment of the Exchange patch could be a somewhat complex matter for IT pros to consider.
"Although the Exchange vulnerability is critical, organizations will want to read the details of the patch carefully in case there are any mitigating controls," he said.
The security patch addresses a privately reported vulnerability that "allows for remote code execution if a SQL injection attack occurs on an affected system or if untrusted users access an affected system," according to a Microsoft spokesperson. Microsoft's exploitability index labels this vulnerability as an instance where consistent exploit code is likely. With this patch release, Microsoft has started to include the index as a guide for IT administrators.
The software giant is patching SQL Server running on Windows 2000, Windows Server 2003, and Windows Server 2008 operating systems. It fixes SQL Server 2000 to SQL Server 2005 versions.
Security pros believe Microsoft downgraded the patch to important because of the authentication requirements needed to dump bad code into the database. However it's still possible that outside hackers can exploit the flaw when attacking poorly defended Web sites.
The second important bulletin deals with the Microsoft Office Visio diagramming application, covering Visio 2002, 2003 and 2007. The patch fixes a theoretical exploit.
Redmond also this month is releasing Security Advisory 960715, which it describes as an "update rollup" for ActiveX kill bits. According to the advisory, ActiveX kill bits were added to December's critical patch for Visual Basic 6.0 runtime extended files. In that vein, MS08-070 is being updated specifically for Akamai Download Manager and for Research in Motion (RIM) AxLoader.
There are additional nonsecurity updates that can be found in this month's Knowledgebase article, which describes changes in Microsoft's software update services bundle.
As for Tuesday's patch release, Shavlik Technologies Chief Technology Officer Eric Schultze recommends that IT shops that are capable of doing so split duties on installing these fixes, three of which will require restarts. He recommends that approach because two fixes address server-side vulnerabilities, while the others tackle holes on the client side.
"Give the two server patches to the server maintenance team and ask that they install these two as soon as possible -- given what I believe is the severity of these issues," he said. "Give the two client-side patches to the desktop team and have them install these patches in the next update cycle or as they see fit -- but no need to burn the weekend candle for these."
-- Jabulani Leffall