Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Critical Patch Fixes 8 Vulnerabilities

Posted by CmdrTaco on from the your-server-is-sick dept.

nandemoari writes "A hole allowing hackers to take control of Microsoft Exchange was just one 'critical' issue the Redmond-based company promises it has fixed with a patch correcting a total of eight vulnerabilities in its programs, including the Internet Explorer browser, Office, and its SQL Server. Three of the eight vulnerabilities patched yesterday were marked 'critical.' The most concerning is an issue with Exchange that would allow attackers to take over an Exchange server by simply forwarding a carefully crafted message to a corporate mail server. Microsoft has admitted that the vulnerability can be exploited when a user opens or previews an email in the Transport Neutral Encapsulation Format (TNEF)."

7 of 202 comments (clear)

  1. Is it that easy? by UnknowingFool · · Score: 4, Interesting

    I don't know anything about Exchange but you mean to tell me that someone sending an email to an Exchange server can allow it to take over the server? It's one thing for hackers to rely on social networking and fool a user into executing an attachment. It's another thing to be able to takeover simply by sending a message.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Is it that easy? by Just+Some+Guy · · Score: 4, Interesting

      yeah but qmail hasn't :p

      Of course, it has about 5% of the features of Exchange or Postfix or Exim or Sendmail or...

      --
      Dewey, what part of this looks like authorities should be involved?
    2. Re:Is it that easy? by DarkOx · · Score: 2, Interesting

      Well the firewall won't help you with this vulnerability because even after the message is handled though the other mail gateway it can still be a threat. It is however very common to not let exchange speak directly the the outside world. I for one block all smtp at my edge firewall except to and from a cluster of Barracuda Spam filters. They also used to be configured as a smart host in the E2K3 world. In 2k7 i simply don't use the edge transport rule and let the hub transport server treat them as a send connector, for * address space.

      I know lots of other people with the same setup.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  2. Re:Doesn't Sound so Bad by SatanicPuppy · · Score: 2, Interesting

    Maybe their budget doesn't stretch so far as to be able to employ 1 guy to do nothing but manage a mail server.

    Exchange is a big pain in the ass, and it doesn't scale very well. I hate it, and all I have to do with it is keep it from ever touching the web directly.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  3. Re:Bandwagon by rawr_one · · Score: 2, Interesting

    You're not looking at the actual history of Microsoft Windows, though. Windows was (and still is, to a large part) built off what was originally a single-user system that would exist ENTIRELY as a standalone unit that was never connected to any other computers. UNIX, on the other hand, started with that kind of functionality in mind. So, while UNIX has been building off of that original multi-system support, Microsoft had to build up theirs (this becomes especially important with netcode) on top of a system that wasn't made to work like that. To put it simply, Microsoft started with a shoe and tried to make a hat.

  4. Re:Doesn't Sound so Bad by SatanicPuppy · · Score: 2, Interesting

    Let me start by saying that I never want to see the words "bare" and "it professional" in the same sentence. Ew. Ew. Ewwwwwwwwwwww.

    That being said, I'll acknowledge that Exchange is actually improving pretty dramatically between releases. Even 2k3 is so far ahead of earlier Exchange releases as to be almost unrecognizable. We run about 300 users on a pretty small hardware footprint, and, provided you run everything through an antivirus before you send it to the users, it all works with little supervision.

    I used to spend time trying to ween people off of Exchange, but it's practically impossible. Nothing else on the market compares...Even the big commercial competitor Lotus is a joke compared to Exchange.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  5. We installed it ... by humph2 · · Score: 3, Interesting

    ... and Exchange 2003 stopped delivering messages to mailboxes.

    Rolled it back, and everything worked fine ^H^H^H^H just as it used to.

    I may be missing the point of these "fixes", but surely "security updates" should actually be tested at some stage?