MS Critical Patch Fixes 8 Vulnerabilities
nandemoari writes "A hole allowing hackers to take control of Microsoft Exchange was just one 'critical' issue the Redmond-based company promises it has fixed with a patch correcting a total of eight vulnerabilities in its programs, including the Internet Explorer browser, Office, and its SQL Server.
Three of the eight vulnerabilities patched yesterday were marked 'critical.' The most concerning is an issue with Exchange that would allow attackers to take over an Exchange server by simply forwarding a carefully crafted message to a corporate mail server. Microsoft has admitted that the vulnerability can be exploited when a user opens or previews an email in the Transport Neutral Encapsulation Format (TNEF)."
Re:Is it that easy? (Score:5, Insightful)
Like sendmail has never had critical vulnerabilities in its address parsing code?
The irony is that the error is in MS's proprietary TNEF format. This is a binary format so it should be easy to parse.
Offtopic, but why can't slashdot link to the meat [microsoft.com] rather than some ad-laden rehash?
Why can't Microsoft ever get this right? (Score:2, Insightful)
Why in the world would an e-mail delivery system ever consider executing external code? Exchange should simply look at the delivery address. If it is a local address, place the message in the user's mailbox. If an external address, forward to the next hop. What's so difficult with that task?
CommuniGate Pro has never had this problem. IronPort appliances don't have this problem. Exchange should stick to its sole job as a delivery agent and stop trying to be so smart.
Can't we live without OLE?
Re:Doesn't Sound so Bad (Score:1, Insightful)
wat
MS Proprietary Protocols have a history of flaws (Score:2, Insightful)
Re:Is it that easy? (Score:5, Insightful)
Properly written C and C++ code can and should trap all exceptions. There is no excuse for untrapped buffer overflows in mature commercial code.
Buffer overflows are programmer errors, not program exceptions that signal some kind of event. They can't be "handled" -- they must be eliminated from the source code.
Re:Doesn't Sound so Bad (Score:5, Insightful)
I've run it, and it doesn't. That you put them on the same page shows you've never run Exchange because Exchange is not about email.
I'll tell you what I tell everyone: you need to go use Exchange for a while. Sit behind some manager and watch them fuck with their goddamn calendars for a while. Watch how neatly the calendars integrate with the email. Watch how it integrates with Office for document collaboration.
There is no one product that handles all those features so well and so seamlessly.
All those features can be had from a half dozen different OSS apps, and when you've laboriously cobbled them together into a working whole and presented it to management, they will give you a look like you handed them a plate full of dogshit, and then they will give you a list of things that aren't as good.
And when you go back to your office you'll go over the list and you will grind your teeth because the fuckers are right. You will never convince people to ditch exchange until you can provide a product that is just as good.
Re:I love the smell of hot-fix patches in the morn (Score:4, Insightful)
A local exploit is a potential problem even if you're the only user. If an attacker combines a remote non-root exploit (say an Apache bug that gets him access as the 'nobody' user) with a local exploit (that upgrades 'nobody' to 'root'), he now has a remote root exploit.
Local in this case just means a logged-in, unprivileged user that can run arbitrary code.
Read up on blended threats.
Re:Why can't Microsoft ever get this right? (Score:2, Insightful)
The only built-in groupware feature that I've seen people using in Exchange (without shelling out xBox credits for half a dozen other additional applications like SharePoint, SQL Server, BizTalk, InfoPath, etc) is the one allowing you to click on predefined Yes, No, Maybe buttons to reply to a message...
oh get over yourself (Score:5, Insightful)
I had the same with Exchange 2007. Calendaring stopped working so I reinstalled rollup 5 and everything went back to normal.
As for your comment, one day when you move into the "real world" you will realize that you don't always have the resources to test every single patch that comes down the line. I'd much rather have a Microsoft patch fubar the machine than have a haxxor pwning it because I was busy testing a patch. At least when I have to explain to management why the email was down for 30 minutes, I can blame Microsoft instead of saying that we got exploited (which would then become MY fault).
Not everyone can afford to have redundant everything. Especially machines that are only used for testing, and therefore not in a production environment, where it is easier to find bugs. Sure, if your Exchange server services 2000+ users, or generates tens of thousands of dollars a day then maybe you can afford another machine to test on. Most people in the Real World do not have those luxuries.
Re:Doesn't Sound so Bad (Score:5, Insightful)
Who knows? The thing is, once you have 1000 people, the critical mass of pointy-hairs will make Exchange a requirement.
Still, 70 bucks a seat sounds expensive when your budget is in the hundreds of thousands. When your budget is in the millions, that's like 1 manager's salary, so you fire the guy you like least, and buy exchange for the company.
I am often at a loss to explain business decisions though. We use this huge proprietary design system, and for years we were shackled to the old version of the system by costs of the hardware upgrade (old solaris mainframes). I sat down one day and took the new version of the system (which we had for free, since we were paying support), and made it work on open solaris on x86 hardware.
Took it to my boss expecting a raise, and maybe, you know, some appreciation. Got told off because my solution didn't account for the need to buy ~40 CS3 licenses (around 30k, for some new copies, and some upgrades).
Fast forward 6 months, and we went out and bought a NEW system to do the same thing for more than 10 times what my upgrade would have cost. The new system only replaces half of the old system, so we still have half a crappy old system to maintain, and, AND, we still had to buy the fucking CS3 licenses!
Front to back it cost us probably half a million dollars and the new system is universally hated for its crap speed and crap stability (it's running, I shit you not, on virtualized win2k boxes...I could fucking weep).
The thing is, my solution was impossible because it couldn't be put on the capital budget because it was over the max budget for an in-house upgrade. But the much more expensive system could because it was under the budget for a purchased system. Penny wise, pound foolish.