Microsoft’s February bulletins. Patch Now!
(2 votes, average: 4.50 out of 5)
Loading ...Today Microsoft announced its February Security Bulletins. There are four bulletins available, two of them handles critical vulnerabilities and the other two handles vulnerabilities rated as important. There’s also a very nice summary document of the bulletins available here
An interesting part of the summary is the Exploitability Index. The documentation of the score is available here, but in short:
(1) means that remote code execution (RCE) exploit can be done
(2) means RCE-exploit can be done, but its more difficult and might not work every time or against all targets.
(3) means that RCE is difficult or impossible, but denial of service is still possible
Lets see:
There’s total of 3 number ones and 5 twos.
The IE vulnerabilities are type (1) and said to be easy to exploit. Patch Now!
The SQL server vulnerability is type (2). So exploits are likely. One mitigating factor for the vulnerability is that it cannot be exploited anonymously, but requires account. Well consider this: the web server application using the SQL server has account, so this means that a potential SQL inject vulnerability in a web-application just changed into a potential SQL-server administrator RCE vulnerability. Patch Now!
The Exchange Server vulnerabilities are very nasty. The other allows remote termination of the Exchange Server and might allow RCE, I’m not sure about that. But the other allows remote command execution. And The remote command execution vulnerability is particularly evil as it is marked type (2), so RCE exploits are likely. The attack vector involves a malformed email message, so this means that anyone on the internet could create an email and send it to your Exchange server and own it. Blocking SMTP to an Exchange Server is something you would not do, but this vulnerability is facing the internet right now and can be exploited quite anonymously. It is severe. It might be wormable,
I really hope it’s not. But it still might. Patch Now!
The fourth bulleting is about buffer overflow in Visio. Even this can be used for remote code execution, but the exploit involves victim to open malformed Visio file. Don’t open before you’ve applied the patches.
Huh. That’s it. Please apply patches.
//Opi
2 Responses to “Microsoft’s February bulletins. Patch Now!”
Leave a Reply
You must be logged in to post a comment.
February 12th, 2009 at 12:02 am
Opi, can you comment how StoneGate protects against these vulnerabilities? Thank you!
February 12th, 2009 at 4:24 pm
Update Package 204 takes care of the SQL vulnerability described MS09-004. Update Package 205 takes care of the MS Exchange vulnerabilities described in MS09-003. MS09-002 conserning IE will be handled in Update Package 206.