Microsoft Releases Critical Patches For IE, Exchange Server

All four patches Microsoft issued in its February Patch Tuesday security update affected numerous versions of Microsoft Exchange Server, SQL Server and Office, but only version 7 of Internet Explorer.

Two of the four security bulletins were labeled critical, indicating that the vulnerabilities could be exploited by attackers to execute malicious code remotely.

Security experts say that of the two critical flaws, the Microsoft Exchange Server vulnerability is possibly the most severe. If exploited, it could expose users to a remote attack simply by opening an e-mail carrying a malicious file attachment designed to execute code on the Exchange Server. Once the malicious code ran, attackers could take complete control of the affected system with the elevated privileges of the Exchange Server.

Meanwhile, another Exchange Server flaw could allow attackers to launch a denial of service attack against users, shutting down their systems completely.

"The Exchange Server is one of those mission-critical systems," said Eric Schultze, CTO of Shavlik Technologies. "[A denial of service attack] is just as bad. When you have a hundred or a thousand people who can't send e-mails, you better start running pretty quick."

In addition, the IE security fix addressed two critical flaws that allowed attackers to execute remote attacks after enticing users to open a malicious Web page in IE. However, unlike previous IE security glitches that have affected all versions of Microsoft's Web browser, this one was limited to IE7.

"It's [probably] a flaw in a section of code that is brand-new or rewritten," Schultze said, "and not caught in security code reviews."

Microsoft also fixed a serious flaw in SQL Server, which researchers ranked as "important." If exploited, the error could allow a remote attack if authorized users inappropriately access and modify code on an affected server, or if attackers carry out a SQL injection attack against a vulnerable system.

Although the SQL Server patch was rated important, Schultze said it should have been ranked critical because the flaw allows remote attackers to inject malicious code into Web sites built to steal users' financial and personal data.

"SQL injections are a dime a dozen on Web sites. It's pretty easy for the hacker to do some type of injection to gather information," Schultze said.

While Microsoft says that, so far, there are no known attacks exploiting these vulnerabilities, Schultze said that the SQL Server exploit code has already been published and is likely being used in targeted SQL injection attacks designed to deface Web sites and steal information.

Meanwhile, the final patch, ranked "important," plugged security holes in Microsoft Office Visio, which could allow remote code execution if a user opened a malicious Visio file.

February is the second month in a row in which Microsoft issued a light patch load -- in January the company released a single, yet critical, security update. However, security experts say that trend will likely change in the months to come.

"I would brace for a barrage of patches in the upcoming months," said Schultze. "It's all a matter of timing. They always have a backlog of items that they're working on."