MS Critical Patch Fixes 8 Vulnerabilities 202
nandemoari writes "A hole allowing hackers to take control of Microsoft Exchange was just one 'critical' issue the Redmond-based company promises it has fixed with a patch correcting a total of eight vulnerabilities in its programs, including the Internet Explorer browser, Office, and its SQL Server.
Three of the eight vulnerabilities patched yesterday were marked 'critical.' The most concerning is an issue with Exchange that would allow attackers to take over an Exchange server by simply forwarding a carefully crafted message to a corporate mail server. Microsoft has admitted that the vulnerability can be exploited when a user opens or previews an email in the Transport Neutral Encapsulation Format (TNEF)."
Is it that easy? (Score:5, Interesting)
Re:Doesn't Sound so Bad (Score:3, Interesting)
Maybe their budget doesn't stretch so far as to be able to employ 1 guy to do nothing but manage a mail server.
Exchange is a big pain in the ass, and it doesn't scale very well. I hate it, and all I have to do with it is keep it from ever touching the web directly.
Comment removed (Score:2, Interesting)
Re:Is it that easy? (Score:5, Interesting)
yeah but qmail hasn't :p
Of course, it has about 5% of the features of Exchange or Postfix or Exim or Sendmail or...
Re:Is it that easy? (Score:3, Interesting)
Well the firewall won't help you with this vulnerability because even after the message is handled though the other mail gateway it can still be a threat. It is however very common to not let exchange speak directly the the outside world. I for one block all smtp at my edge firewall except to and from a cluster of Barracuda Spam filters. They also used to be configured as a smart host in the E2K3 world. In 2k7 i simply don't use the edge transport rule and let the hub transport server treat them as a send connector, for * address space.
I know lots of other people with the same setup.
Re:Doesn't Sound so Bad (Score:3, Interesting)
Let me start by saying that I never want to see the words "bare" and "it professional" in the same sentence. Ew. Ew. Ewwwwwwwwwwww.
That being said, I'll acknowledge that Exchange is actually improving pretty dramatically between releases. Even 2k3 is so far ahead of earlier Exchange releases as to be almost unrecognizable. We run about 300 users on a pretty small hardware footprint, and, provided you run everything through an antivirus before you send it to the users, it all works with little supervision.
I used to spend time trying to ween people off of Exchange, but it's practically impossible. Nothing else on the market compares...Even the big commercial competitor Lotus is a joke compared to Exchange.
We installed it ... (Score:3, Interesting)
... and Exchange 2003 stopped delivering messages to mailboxes.
Rolled it back, and everything worked fine ^H^H^H^H just as it used to.
I may be missing the point of these "fixes", but surely "security updates" should actually be tested at some stage?