Slashdot Log In
MS Critical Patch Fixes 8 Vulnerabilities
Posted by
CmdrTaco
on Wed Feb 11, 2009 11:39 AM
from the your-server-is-sick dept.
from the your-server-is-sick dept.
nandemoari writes "A hole allowing hackers to take control of Microsoft Exchange was just one 'critical' issue the Redmond-based company promises it has fixed with a patch correcting a total of eight vulnerabilities in its programs, including the Internet Explorer browser, Office, and its SQL Server.
Three of the eight vulnerabilities patched yesterday were marked 'critical.' The most concerning is an issue with Exchange that would allow attackers to take over an Exchange server by simply forwarding a carefully crafted message to a corporate mail server. Microsoft has admitted that the vulnerability can be exploited when a user opens or previews an email in the Transport Neutral Encapsulation Format (TNEF)."
Related Stories
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Doesn't Sound so Bad (Score:5, Funny)
Re: (Score:2)
Re: (Score:3, Interesting)
Maybe their budget doesn't stretch so far as to be able to employ 1 guy to do nothing but manage a mail server.
Exchange is a big pain in the ass, and it doesn't scale very well. I hate it, and all I have to do with it is keep it from ever touching the web directly.
Re: (Score:3, Interesting)
Let me start by saying that I never want to see the words "bare" and "it professional" in the same sentence. Ew. Ew. Ewwwwwwwwwwww.
That being said, I'll acknowledge that Exchange is actually improving pretty dramatically between releases. Even 2k3 is so far ahead of earlier Exchange releases as to be almost unrecognizable. We run about 300 users on a pretty small hardware footprint, and, provided you run everything through an antivirus before you send it to the users, it all works with little supervision.
I
Re:Doesn't Sound so Bad (Score:5, Insightful)
I've run it, and it doesn't. That you put them on the same page shows you've never run Exchange because Exchange is not about email.
I'll tell you what I tell everyone: you need to go use Exchange for a while. Sit behind some manager and watch them fuck with their goddamn calendars for a while. Watch how neatly the calendars integrate with the email. Watch how it integrates with Office for document collaboration.
There is no one product that handles all those features so well and so seamlessly.
All those features can be had from a half dozen different OSS apps, and when you've laboriously cobbled them together into a working whole and presented it to management, they will give you a look like you handed them a plate full of dogshit, and then they will give you a list of things that aren't as good.
And when you go back to your office you'll go over the list and you will grind your teeth because the fuckers are right. You will never convince people to ditch exchange until you can provide a product that is just as good.
Parent
Re:Doesn't Sound so Bad (Score:5, Insightful)
Who knows? The thing is, once you have 1000 people, the critical mass of pointy-hairs will make Exchange a requirement.
Still, 70 bucks a seat sounds expensive when your budget is in the hundreds of thousands. When your budget is in the millions, that's like 1 manager's salary, so you fire the guy you like least, and buy exchange for the company.
I am often at a loss to explain business decisions though. We use this huge proprietary design system, and for years we were shackled to the old version of the system by costs of the hardware upgrade (old solaris mainframes). I sat down one day and took the new version of the system (which we had for free, since we were paying support), and made it work on open solaris on x86 hardware.
Took it to my boss expecting a raise, and maybe, you know, some appreciation. Got told off because my solution didn't account for the need to buy ~40 CS3 licenses (around 30k, for some new copies, and some upgrades).
Fast forward 6 months, and we went out and bought a NEW system to do the same thing for more than 10 times what my upgrade would have cost. The new system only replaces half of the old system, so we still have half a crappy old system to maintain, and, AND, we still had to buy the fucking CS3 licenses!
Front to back it cost us probably half a million dollars and the new system is universally hated for its crap speed and crap stability (it's running, I shit you not, on virtualized win2k boxes...I could fucking weep).
The thing is, my solution was impossible because it couldn't be put on the capital budget because it was over the max budget for an in-house upgrade. But the much more expensive system could because it was under the budget for a purchased system. Penny wise, pound foolish.
Parent
Re: (Score:2)
Is it that easy? (Score:5, Interesting)
Re:Is it that easy? (Score:5, Insightful)
Like sendmail has never had critical vulnerabilities in its address parsing code?
The irony is that the error is in MS's proprietary TNEF format. This is a binary format so it should be easy to parse.
Offtopic, but why can't slashdot link to the meat [microsoft.com] rather than some ad-laden rehash?
Parent
Re: (Score:2)
yeah but qmail hasn't :p
Re:Is it that easy? (Score:5, Interesting)
yeah but qmail hasn't :p
Of course, it has about 5% of the features of Exchange or Postfix or Exim or Sendmail or...
Parent
Re: (Score:2)
Sendmail is infinitely more configurable and complex than Exchange Server's SMTP MTA. Don't get me wrong, I'm not defending sendmail's history, but using flaws in something as complex as humans to justify flaws in unrelated bacteria doesn't cut it.
Re: (Score:2, Informative)
It is possible... this is usually the symptom of buffer overflow error in the server code. An attacker discovers the hole, takes advantage of the vulnerable buffer to "smash the stack", and dupe the process to execute the shellcode (concise machine code that does whatever an attacker wants) planted in the "specially crafted" mail text.
There are other possibilities but buffer overflows are among the most common ones. I didn't RTFA and neither do I know whether this is one but yes, taking over the server by m
Re: (Score:2)
> this is usually the symptom of buffer overflow error in the server code.
I really don't understand much about MS technologies, but why their Exchange server is not rewritten in C# so at least buffer overflows can be avoided?
Re:Is it that easy? (Score:5, Insightful)
Properly written C and C++ code can and should trap all exceptions. There is no excuse for untrapped buffer overflows in mature commercial code.
Buffer overflows are programmer errors, not program exceptions that signal some kind of event. They can't be "handled" -- they must be eliminated from the source code.
Parent
Re: (Score:2)
Thank goodness my Exchange server is behind a firewall *and* a Postfix SMTP proxy running on a Linux box. There's no direct exposure of Exchange to the outside world.
Re: (Score:3, Informative)
Unluckily for you, this vulnerability will still affect you. If you read the security announcement by Microsoft, a possible workaround is to block all TNEF / winmail.dat attachments, which will break all incoming RTF mail. Depending on what your business exactly does, this might not be a viable workaround.
Re:Is it that easy? (Score:4, Funny)
Wow, you have a firewall that stops email from getting to a mail server! I gotta get me one of those...It would reduce my workload by 95%! Since I don't answer any of my phones, the only way people could contact me with problems would be by ambushing me on the way to the bathroom.
It would keep the CEO from ever contacting me, that's for sure. God knows he'd never be caught down here with people who do work.
Parent
Re: (Score:3, Interesting)
Well the firewall won't help you with this vulnerability because even after the message is handled though the other mail gateway it can still be a threat. It is however very common to not let exchange speak directly the the outside world. I for one block all smtp at my edge firewall except to and from a cluster of Barracuda Spam filters. They also used to be configured as a smart host in the E2K3 world. In 2k7 i simply don't use the edge transport rule and let the hub transport server treat them as a sen
Stop spreading FUD (Score:4, Funny)
It's all closed source, so there aren't any real vulnerabilities. Even the certified professionals [slashdot.org] say so. They're certified what more do you need !
As if you could spread havoc through email [google.com] on a proprietary system. Bah.
Re:Stop spreading FUD (Score:5, Funny)
We DON'T want to know what demonic code is stored in the source files on some secure Microsoft server up in Redmond.
Hmmm...
Did you know that if you boot Windows backwards you can hear satanic APIs ?
Parent
Oblig. Quote (Score:4, Funny)
That's nothing! If you boot Windows forwards, it loads Windows!
Parent
Oddly enough... (Score:4, Informative)
the IE fix ONLY affects IE 7. If you're running IE 6 (or even 5) on any platform, you don't have a patch to install.
Could it be, *gasp*, that IE 6 is more secure than IE 7? The mind wobbles.*
*For you yungins, go look up Kelly Bundy and the above phrase.
Re: (Score:2)
How about no.
http://secunia.com/advisories/product/11/ [secunia.com]
22 unpatched vulnerabilities, some of which are critical.
Re:Oddly enough... (Score:5, Funny)
*For you yungins, go look up Kelly Bundy and the above phrase.
I just did. The top result [google.com] is your post!
Parent
Re: (Score:3, Funny)
And the next thing we will hear is that Kelly Bundy has been citing smooth wombat for all these years.
Re: (Score:2)
That is both hilarious and scary. Thanks!
Re: (Score:2)
Kelly Bundy.. hmm, can't remember how I know that name....
Re: (Score:2)
Oh geez, Peg, why can't you remember that? I'm going to the Nudie Bar.
Re: (Score:2)
Or it could be that they no longer support IE 5 and 6 and so won't release a patch even if they are affected?
The other possibility is that the bug is in the code responsible for the much better standards compliance in IE7, in which case IE5 and IE6 are only more secure because they don't support the feature, which doesn't really count.
Why can't Microsoft ever get this right? (Score:2, Insightful)
Why in the world would an e-mail delivery system ever consider executing external code? Exchange should simply look at the delivery address. If it is a local address, place the message in the user's mailbox. If an external address, forward to the next hop. What's so difficult with that task?
CommuniGate Pro has never had this problem. IronPort appliances don't have this problem. Exchange should stick to its sole job as a delivery agent and stop trying to be so smart.
Can't we live without OLE?
Re:Why can't Microsoft ever get this right? (Score:5, Informative)
Why in the world would an e-mail delivery system ever consider executing external code?
Exploits such as the ones mentioned aren't because the system is executing external code intentionally, rather, a carefully crafted message will overflow a buffer and change the values of some CPU registers. If the values change in such a way that a pointer moves execution to a part of the carefully crafted message, that message is now external code that is being run.
Parent
MS Proprietary Protocols have a history of flaws (Score:2, Insightful)
So.... (Score:5, Funny)
....What "carefully crafted message" would I need to send to take over an Exchange Server?
To: ExchangeServer@company.com
Subject: H3ll0
I 0wn you Now. Please reply back with passwords.
Regards,
Hax0r
We installed it ... (Score:3, Interesting)
... and Exchange 2003 stopped delivering messages to mailboxes.
Rolled it back, and everything worked fine ^H^H^H^H just as it used to.
I may be missing the point of these "fixes", but surely "security updates" should actually be tested at some stage?
Re:We installed it ... (Score:4, Funny)
Yes, they should. Namely by you. In your testing environment. Before deploying it to production.
Parent
oh get over yourself (Score:5, Insightful)
I had the same with exchange 2007. Calendaring stopped working so I reinstalled rollup 5 and everything went back to normal.
As for your comment, one day when you move into the "real world" you will realize that you dont always have the resources to test every single patch that comes down the line. Id much rather have a microsoft patch fubar the machine than have a haxxor pwning it because i was busy testing a patch. At least when i have to explain to management why the email was down for 30 minutes, I can blame microsoft instead of saying that we got exploited (which would then become MY fault).
Not everyone can afford to have redundant everything. Especially machines that are only used for testing, and therefor not in a production environment, where it is easier to find bugs. Sure, if your exchange server services 2000+ users, or generates tens of thousands of dollars a day then maybe you can afford another machine to test on. Most people in the Real World do not have those luxuries.
Parent
Re:I love the small of hot-fix patches in the morn (Score:2)
Of course not, they get them on a daily bases, per app.
I wouldn't surprise me if the sum development time on the core system and apps of any given Linux install was greater than that of any given MS install, for any given duration.
Re: (Score:3, Informative)
There is a difference between the hole you posted and the one that is being discussed though, a very big difference.
The security hole in the Kernel that Ubuntu fixed required local access to the machine in question, the exchange bug could be exploited by sending the server an email so not access what so ever was required.
Privilege escalation vulnerabilities are generally considered to be of a lower priority to fix and not as severe as you must have modicum of trust in order to give someone a shell account.
Re:I love the small of hot-fix patches in the morn (Score:4, Insightful)
A local exploit is a potential problem even if you're the only user. If an attacker combines a remote non-root exploit (say an Apache bug that gets him access as the 'nobody' user) with a local exploit (that upgrades 'nobody' to 'root'), he now has a remove root exploit.
Local in this case just means a logged-in, unprivileged user that can run arbitrary code.
Read up on blended threats.
Parent
Re: (Score:2, Funny)
Re: (Score:2)
Posting this sort of bullshit on Slashdot just comes off as being unbearably smug and condescending. Go take it to a windows forum or Expert Sexchange or wherever. Everyone here knows about Linux.
On top of that, like a lot of smug amateurs, you don't have any knowledge whereof you speak. Lack of Exchange is a deal breaker for a huge chunk of the business world.
Until there is a real Exchange/Outlook replacement that is available open source, people are never going to drop it, because, for them, the functiona
Re: (Score:2)
My time is valuable.
So is everybody else's.
I don't have all night to sit up recompiling to get the thing to work.
FUD alert FUD alert FUD alert.
Oh, and don't forget the legions of friendly, helpful Linux users who will be glad to listen to my problems and recommend a solution.
There are legions of helpful companies who will charge you money to support you and it will still cost less than Window$
Re: (Score:2)
Hehe, after posting a negative response to your original post ... I have to say that not only are there helpful companies who will charge less than supporting Windows, but there ARE quite a few helpful Linux users. It seems to vary by distro.
Re: (Score:2)
when i can play every game i've purchased in the last 15 years out of the box NATIVELY without having to run it in wine, cedega, crossover or whatever the fuck the new "emulator" is these days, then i'll consider switching to linux.
When you can do that in Vista or Windows 7, let us know. Most programs written in 1994 won't even run correctly on Vista or XP. A lot of programs written prior to 2002 for DOS Windows (95,98,98SE,ME) have difficulty on the NT kernel line.
Re: (Score:2)
No, it was called Linux very early on, somewhere around 0.9, by one person, in 1991 (not the 80s); and the number of developers involved is still quite short of "millions of guys".
What is now Linux started, possible as early as the lat 60s, but definitely by 1984 in the form of GNU. The Linux kernel didn't come on the scene until 1991.
Re: (Score:2)
OO.org is pretty cool. Some parts of it are definitely NOT as good, definitely ont better, than MS Office.
This is a subjective evaluation and very open do debate. Since the two products are not from an "identical" specification, it is impossible to evaluate how one is better than another based on a side by side comparison. We have to weight the features of one against another, factor in quality, and weight the feature sets. MS Office does have more features, but by and large, not features the 99% of the use
Re: (Score:3, Informative)
That OO.org is still languishing in obscurity has more to do with it's flaws than some gigantic conspiracy of users who just can't think of anything better to do with their money.
What rock have YOU been under?
Gross market share moves slowly. Great change takes years or decades, and if you see change where the majority product becomes a minority in 10 years, that's very rapid change. There's every sign that this is, in fact, happening. It's by no means comprehensive, but it's pretty clear that OO.o is making
Re: (Score:2, Interesting)
Re:Bandwagon (Score:5, Informative)
You're not looking at the actual history of Microsoft Windows, though. Windows was (and still is, to a large part) built off what was originally a single-user system that would exist ENTIRELY as a standalone unit that was never connected to any other computers.
No, it's not. Windows NT was designed from the start to be a multiuser, networked OS.
UNIX, on the other hand, started with that kind of functionality in mind.
Actually, no. The very first versions of UNIX were single user. The multiuser stuff was added later, which is probably why it still had (and still has, in most configurations today) the concept of a superuser, even when other OSes had moved on.
Parent