Microsoft released its scheduled security patches Tuesday, fixing browser and mail server flaws and patching a SQL Server flaw publicly disclosed in December. All told, Patch Tuesday consisted of four updates: critical fixes for Exchange and Internet Explorer, and two updates, for SQL Server and Visio, rated "important."
According to Microsoft patch guru Eric Schultze, CTO of Shavlik Technologies, MS09-002 is a typical IE patch, designed to protect users if they visit an evil web site that takes advantage of the flaw, but, oddly, the hole is found only in IE7. MS09-003 is a critical patch for Exchange Server (versions 2000, 2003, 2007) for a flaw that could lead to code execution and/or denial of service via an evil winmail.dat file. MS09-004 is, to Schultze's way of thinking, the most interesting, as it fixes a zero-day SQL Server flaw reported by Sec-Consult on December 9th, 2008.
"This flaw enables attackers to execute code of their choice on the affected SQL Server. The bar for exploitation is raised slightly in that the attacker must already have authenticated access to the SQL Server in order to pull off this exploit. However, unauthenticated attackers (since when do you authenticate your attacker anyway?) can still leverage this flaw if they can plant their code using SQL Server injection techniques via poorly coded websites," he said in an e-mail sent to journalists.
Proof-of-concept code for the attack is already available, and although the update is rated important, not critical, network executives should treat it as a high priority because of the potential damage the flaw can cause.
Last but not least is MS09-005, an important patch for Visio, in which an evil Visio document, should it be opened, may allow an attacker to run code on the system.
Read more about this month's updates on Microsoft's TechNet.
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at firstname.lastname@example.org, 970-482-6454 or follow Julie on Twitter @Julie188.