Inside Microsoft’s February patch batch

Apply IE emergency update now, don’t ask questions — Eric Schultze

It’s a seemingly light batch of patches this month, trailing an even lighter, single patch release in January. Two critical items were released — including patches for Internet Explorer 7 and Microsoft Exchange Server. Additionally, two “important” items were released — for Microsoft SQL Server and Visio.

MS09-002 is a typical IE patch, providing protection if a user is surfing to an evil website. What’s unusual this month is that the vulnerability is only present in Internet Explorer 7. This leads to the question “what did Microsoft put in IE7 that they didn’t put in earlier versions that leads to this exploit, and why didn’t their new security testing program catch this vulnerability?”

Microsoft says that it’s easy for hackers to create an evil webpage to exploit this issue.

MS09-003 is a Critical patch for Exchange Server (versions 2000, 2003, 2007) that could lead to code execution and/or Denial of Service. The attacker can send a malformed winmail.dat file to an Exchange Server in hopes of having that server execute code of their choosing. (winmail.dat files are configuration files that instruct the email client how to render and display Rich Text Formatted documents.) Alternatively, the attacker can send a series of packets to the Exchange Server in an attempt to take down the mail services - creating a denial of service attack. Microsoft says that inconsistent exploit code is likely to be released.

MS09-004 is probably the most interesting patch this month. This patch addresses the zero-day SQL Server flaw reported by Sec-Consult on December 9th, 2008. This flaw enables attackers to execute code of their choice on the affected SQL Server. The bar for exploitation is raised slightly in that the attacker must already have authenticated access to the SQL Server in order to pull off this exploit.

However, unauthenticated attackers (since when do you authenticate your attacker anyway?) can still leverage this flaw if they can plant their code using SQL Server injection techniques via poorly coded websites. Proof-of-concept code has been published on the Internet, but Microsoft says they have not seen proof of exploitation (maybe they aren’t looking hard enough?). I’d probably rate this patch as Critical, given the end result it is capable of. I’m guessing Microsoft has downgraded this severity because of the “authentication” requirement (although they give this a ‘1’ in the exploitability index, saying that consistent exploit code is likely).

MS09-005 is an Important patch for Visio. Open a malformed Visio document and the evil-doer can run code on your system in the context of your currently logged on account. Microsoft says this was privately reported and they’ve seen no reports of exploitation. They recommend not opening Visio documents from untrusted sources.

I recommend a two-pronged approach to patching this month. Two patches are for Server issues (09-003 and 4 - Exchange and SQL) and two are for client-side applications (09-002 and 5 - IE7 and Visio). Give the two server patches to the Server maintenance team and ask that they install these two as soon as possible - given what I believe is the severity of these issues. Give the two client-side patches to the desktop team and have them install these patches in the next update cycle or as they see fit - but no need to burn the weekend candle for these.

* Eric Schultze is chief technology officer at Shavlik Technologies, a vulnerability management company.

[Source: zdnet]