Microsoft released its scheduled security patches Tuesday, fixing some browser and mail server flaws and patching a SQL Server flaw publicly disclosed in December. All told, Patch Tuesday consisted of four updates: critical fixes for Exchange and Internet Explorer, and two updates for SQL Server and Visio rated "important."
According to Microsoft patch guru Eric Schultze, CTO of Shavlik Technologies, MS09-002 is a typical IE patch, designed to protect users if they visit an evil web site that takes advantage of the flaw, but, oddly, is a hole only found in IE7. MS09-003 is a critical patch for Exchange Server (versions 2000, 2003, 2007) that could lead to code execution and/or Denial of Service by using an evil winmail.dat file. MS09-004 is, to Schultze's way of thinking, the most interesting as it fixes a zero-day SQL Server flaw reported by Sec-Consult on December 9th, 2008.
"This flaw enables attackers to execute code of their choice on the affected SQL Server. The bar for exploitation is raised slightly in that the attacker must already have authenticated access to the SQL Server in order to pull off this exploit. However, unauthenticated attackers (since when do you authenticate your attacker anyway?) can still leverage this flaw if they can plant their code using SQL Server injection techniques via poorly coded websites," he said in an e-mail sent to journalists.
The attack has proof-of-concept code available already, and although it is rated important, not critical, it should be treated by network executives as a high priority because of the potential damage it can cause.
Last but not least is MS09-005, an important patch for Visio, in which an evil Visio document, should it be opened, may allow an attacker to run code on the system.
Read more about this month's updates on Microsoft's TechNet.