- BlackBerry Storm vs. the iPhone
- Digg's Kevin Rose: "We have to do better"
- Blogger warns: "Nortel doesn't make it out alive"
- Financial quagmire bringing out the scammers
- Verizon plays with the wrong e-mail addresses
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:Application Performance Solutions | App Performance | Networking Solution | SafeGuard Enterprise Solution Center | SOA | Test your Web Filter | Value of WDS
Microsoft has patched bugs in its Exchange, SQL Server and Windows software that could give hackers new ways to break into computers.
The company released four sets of patches Tuesday, all rated "important." They address a total of nine bugs in Microsoft's products.
Although Microsoft has not rated any of its patches as critical, they will still keep corporate system administrators busy this week, said Andrew Storms, director of security operations with security vendor nCircle. "Not only will the IT admins have their hands full with the normal client-side updates, but they also need to go patch two of the most important enterprise services in an organization -- e-mail and databases," he said via instant message.
Security experts say that the DNS (Domain Name System) bug, is particularly worrisome. That's because the bug is due to a design flaw in the DNS protocol that affects all DNS servers on the Internet.
By sending certain types of queries to DNS servers, the attacker could then redirect victims away from a legitimate Web site -- say, Bofa.com -- to a malicious Web site without the victim realizing it. This type of attack, known as DNS cache poisoning, doesn't affect only the Web. It could be used to redirect all Internet traffic to the hacker's servers.
The bug could be exploited "like a phishing attack without sending you e-mail," said Wolfgang Kandek, chief technical officer with Qualys.
Other DNS software providers, including the Internet Software Consortium, Cisco and Sun Microsystems are also patching this vulnerability.
Although this flaw does affect some home routers and client DNS software, it is mostly an issue for corporate users and ISPs (Internet service providers) that run the DNS servers used by PCs to find their way around the Internet, said Dan Kaminsky, the IOActive security researcher who discovered the problem. "Home users should not panic," he said in a Tuesday conference call.
One of the bugs that Microsoft patched on Tuesday had previously been disclosed, making it a priority fix. That flaw, which lies in the version of Windows Explorer used by Vista and Windows Server 2008, could give criminals a way of running unauthorized software on a Windows PC. For that to happen, the attacker would first have to convince the user to open and save a specially crafted saved-search file using Windows Explorer.
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment