MS Critical Patch Fixes 8 Vulnerabilities 202
nandemoari writes "A hole allowing hackers to take control of Microsoft Exchange was just one 'critical' issue the Redmond-based company promises it has fixed with a patch correcting a total of eight vulnerabilities in its programs, including the Internet Explorer browser, Office, and its SQL Server.
Three of the eight vulnerabilities patched yesterday were marked 'critical.' The most concerning is an issue with Exchange that would allow attackers to take over an Exchange server by simply forwarding a carefully crafted message to a corporate mail server. Microsoft has admitted that the vulnerability can be exploited when a user opens or previews an email in the Transport Neutral Encapsulation Format (TNEF)."
Oddly enough... (Score:4, Informative)
the IE fix ONLY affects IE 7. If you're running IE 6 (or even 5) on any platform, you don't have a patch to install.
Could it be, *gasp*, that IE 6 is more secure than IE 7? The mind wobbles.*
*For you yungins, go look up Kelly Bundy and the above phrase.
Re:Is it that easy? (Score:2, Informative)
It is possible... this is usually the symptom of buffer overflow error in the server code. An attacker discovers the hole, takes advantage of the vulnerable buffer to "smash the stack", and dupe the process to execute the shellcode (concise machine code that does whatever an attacker wants) planted in the "specially crafted" mail text.
There are other possibilities but buffer overflows are among the most common ones. I didn't RTFA and neither do I know whether this is one but yes, taking over the server by malicious input *is* possible without social engineering, provided the service code is bad enough to be exploited.
Re:I love the small of hot-fix patches in the morn (Score:3, Informative)
There is a difference between the hole you posted and the one that is being discussed though, a very big difference.
The security hole in the Kernel that Ubuntu fixed required local access to the machine in question, the exchange bug could be exploited by sending the server an email so not access what so ever was required.
Privilege escalation vulnerabilities are generally considered to be of a lower priority to fix and not as severe as you must have modicum of trust in order to give someone a shell account. No trust is required to send someone an email.
incase anyone is wondering... (Score:1, Informative)
the exchange fix is part of exchange rollup 6 which showed up in wsus yesterday:
http://support.microsoft.com/kb/942846
specifics about the vulnerability:
http://www.microsoft.com/technet/security/bulletin/MS09-003.mspx
Re:Why can't Microsoft ever get this right? (Score:5, Informative)
Why in the world would an e-mail delivery system ever consider executing external code?
Exploits such as the ones mentioned aren't because the system is executing external code intentionally, rather, a carefully crafted message will overflow a buffer and change the values of some CPU registers. If the values change in such a way that a pointer moves execution to a part of the carefully crafted message, that message is now external code that is being run.
Re:Is it that easy? (Score:3, Informative)
Unluckily for you, this vulnerability will still affect you. If you read the security announcement by Microsoft, a possible workaround is to block all TNEF / winmail.dat attachments, which will break all incoming RTF mail. Depending on what your business exactly does, this might not be a viable workaround.
Re:Bandwagon (Score:5, Informative)
You're not looking at the actual history of Microsoft Windows, though. Windows was (and still is, to a large part) built off what was originally a single-user system that would exist ENTIRELY as a standalone unit that was never connected to any other computers.
No, it's not. Windows NT was designed from the start to be a multiuser, networked OS.
UNIX, on the other hand, started with that kind of functionality in mind.
Actually, no. The very first versions of UNIX were single user. The multiuser stuff was added later, which is probably why it still had (and still has, in most configurations today) the concept of a superuser, even when other OSes had moved on.
Re:Its really time to spread the word: (Score:2, Informative)
You can debate it all you like, but the simple fact that the free product has practically no marketshare compared to the product that costs 500 bucks a license is pretty fucking telling.
Firefox proves decisively that the superiour product will make strong gains even against an entrenched monopoly. That OO.org is still languishing in obscurity has more to do with it's flaws than some gigantic conspiracy of users who just can't think of anything better to do with their money.
Re:Its really time to spread the word: (Score:3, Informative)
That OO.org is still languishing in obscurity has more to do with it's flaws than some gigantic conspiracy of users who just can't think of anything better to do with their money.
What rock have YOU been under?
Gross market share moves slowly. Great change takes years or decades, and if you see change where the majority product becomes a minority in 10 years, that's very rapid change. There's every sign that this is, in fact, happening. It's by no means comprehensive, but it's pretty clear that OO.o is making some pretty serious headway [openoffice.org]. Whole nations are standardizing on Open Office!
And on a related note, OO's document format, ODF, is now a recognized international standard, is a mandatory standard for NATO, and is also being adopted by governments around the world. [wikipedia.org]
It may not be all that visible where YOU sit, but the impact is both real and international in scope.
Re:MS Proprietary Protocols have a history of flaw (Score:2, Informative)
Regarding performance, both APIs are functional. DirectX is more an interface to hardware where OpenGL is a generic interface that may or may not be hardware accelerated. Performance is driven largely from the drivers. In my experience games that support both DirectX and OpenGL perform better in DirectX. Does that mean it's better? No, maybe Nvidia does a better job with DirectX than OpenGL. Regardless, you can't say one is always clearly better than the other.
Your UAC rant is still misplaced. I don't know anyone who likes the implementation. But what does it have to do with performance, stability or backwards compatibility with other software? It was a bad implementation of a good idea. Well, assuming you don't want to fix security (and break compatibility) with the Win32 API it's about the best you can do. An example of how MS tried to band-aid a poor design problem maybe. An example of broken backward compatibility it is not.
Okay, I'll bite on automatic updates. It's not the best. Nor did I claim it was. apt-get is better and my personal favorite. Solaris is on-par with Windows in that it will detect a "major" update and won't detect patches for that major update until the next time the update is run (possibly after a reboot). I've seen the same thing with OS X (such as after an iTunes upgrade). Why does Safari or iTunes reboot the computer? I have no idea. Why can't all update software look ahead and see if there are patches to what it has planned to install/upgrade? I don't know. What I do know is that Windows Update is not alone. Patching NetWare servers has to be many times worse than Windows.
I'm not sure how you miss the point of Windows (the OS) not being compatible with anyone else. They want it that way. POSIX wasn't implemented for a reason. You can't switch out Windows and replace it with something else without a huge investment (time and/or money). I am crystal clear on the issue of why it's not compatible with other operating systems. I don't suspect that it will ever change. Why would they want to compete against UNIX on equal ground when they have their own API that UNIX can't implement (or when doing so breaks apps because the API doesn't function as is publicly documented)? The only reason to be compatible with another OS is if you want to move applications between them. Microsoft doesn't want to. So what is the point of an OS that isn't compatible with anyone else? Money. And lots of it. And if you have to deal with the public sector where
As far as rarely compatible with their own legacy software? Well Vista broke some things in an attempt to lock things down better. A lot of the problems are due to bad coding -- code which if ran in *NIX would also not work due to some dubious assumptions on the part of the developer. The difference is in that *NIX software developer know (and often prefer) that their software will not run as root. Much of the MS software out there requires that it be run as an administrator. When you start locking things down (non-root users in Linux, roles in Solaris, SELinux, CSA and Vista/UAC) bad software breaks.
I'm not a fan of Windows for many reasons. One of those reasons is backwards compatibility. It's really, really hard to "fix" security problems with a bad API when you carry forward that bad API into every future release. Sure, some of the really bad API is removed (and applications break) but most of it has carried forward. At the expense of security, it has definitely allowed for backward compatibility.