MS Critical Patch Fixes 8 Vulnerabilities
nandemoari writes "A hole allowing hackers to take control of Microsoft Exchange was just one 'critical' issue the Redmond-based company promises it has fixed with a patch correcting a total of eight vulnerabilities in its programs, including the Internet Explorer browser, Office, and its SQL Server.
Three of the eight vulnerabilities patched yesterday were marked 'critical.' The most concerning is an issue with Exchange that would allow attackers to take over an Exchange server by simply forwarding a carefully crafted message to a corporate mail server. Microsoft has admitted that the vulnerability can be exploited when a user opens or previews an email in the Transport Neutral Encapsulation Format (TNEF)."
Many people would love to outsource management of Exchange server, and it's even better if someone wants to do it for free.
It seems the updates delete some critical files, from the reports I have seen.
I don't know anything about Exchange but you mean to tell me that someone sending an email to an Exchange server can allow it to take over the server? It's one thing for hackers to rely on social networking and fool a user into executing an attachment. It's another thing to be able to take over simply by sending a message.
Well, there's spam egg sausage and spam, that's not got much spam in it.
It's all closed source, so there aren't any real vulnerabilities. Even the certified professionals say so. They're certified, what more do you need!
As if you could spread havoc through email on a proprietary system. Bah.
May contain traces of nut.
Made from the freshest electrons.
And I love a parade! Go Microsoft!! I don't see any of you linux lusers getting patches each and every month!!
http://software.silicon.com/os/0,39024651,39275144,00.htm
"Ubuntu became the latest Linux vendor to patch a vulnerability in the open-source operating system's kernel that could have left the door open for hackers to find their way into users' machines."
The only "problem" here is that you don't read about this on /. (or any other place, for that matter). False sense of security is the worse security.
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
the IE fix ONLY affects IE 7. If you're running IE 6 (or even 5) on any platform, you don't have a patch to install.
Could it be, *gasp*, that IE 6 is more secure than IE 7? The mind wobbles.*
*For you yungins, go look up Kelly Bundy and the above phrase.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
With Ninnle Linux, patching is never needed, thanks to the 1024 bit encryption available throughout. So why use Windoze at all?
Oh heavens! A local vulnerability which could lead to privilege escalation!
The Exchange bugs in question were remote holes, Mr. Troll.
Oh! hey! Someone got mad :P
Why in the world would an e-mail delivery system ever consider executing external code? Exchange should simply look at the delivery address. If it is a local address, place the message in the user's mailbox. If an external address, forward to the next hop. What's so difficult with that task?
CommuniGate Pro has never had this problem. IronPort appliances don't have this problem. Exchange should stick to its sole job as a delivery agent and stop trying to be so smart.
Can't we live without OLE?
signature pending slashdot approval
To all you Windows users, we feel your pain. Seriously, you don't even know how bad you have it. What's worse, you have been sucked into a mind set that, on one hand, you hate your computer because of all the problems you have with it, but think you *need* windows because of all the programs you feel you can't live without.
You don't need Microsoft Office, you can go to http://www.openoffice.org/ and download a fully functional office suite that, in many ways, is better than Microsoft Office. What's even better is that it runs on systems other than Windows!
Linux is a system, more similar to the macintosh than it is to Windows, and it will run on your PC. It replaces Windows completely. Not only that, out of the box, it is slick, beautiful, and easy to use, and if you like to tinker, there is absolutely no limit to what you can change.
Best of all, it's free! That's right, free!
Go to http://www.ubuntu.com/ and look around. (There are other vendors for Linux too, so you are not stuck with only one.)
I know, you ask "How can it be free?" Well, you know how your friends who know about cars will sometimes fix your car as a favor? That's because they enjoy working on cars. Well, with the internet, millions of guys who know about computers started working on a system in the '80s that was eventually called Linux. The software comes from places like IBM, Sun, U.C. Berkeley, MIT, HP, and a whole list of other companies and organizations. It is a collaborative system that is put together, not to make money for Microsoft, but to make computers more usable for everyone. In fact, a lot of the web sites you visit every day run Linux.
So, if you are fed up with your computer and Windows, now is a great time to start a new adventure. Try something new, learn something new! It won't be hard, but not too easy either, as a lot of things are different than what you are used to, but once you get the hang of it, you'll realize that sometimes "different" is the only way to get "better."
Now I know why Microsoft calls it "Exchange"!
There is a difference between the hole you posted and the one that is being discussed though, a very big difference.
The security hole in the kernel that Ubuntu fixed required local access to the machine in question; the Exchange bug could be exploited by sending the server an email, so no access whatsoever was required.
Privilege escalation vulnerabilities are generally considered to be of a lower priority to fix and not as severe, as you must have a modicum of trust in order to give someone a shell account. No trust is required to send someone an email.
I don't read
I don't use Outlook but it's on my box, do I have to patch it?
Of course not, they get them on a daily basis, per app.
It wouldn't surprise me if the sum development time on the core system and apps of any given Linux install was greater than that of any given MS install, for any given duration.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
The Exchange fix is part of Exchange rollup 6, which showed up in WSUS yesterday:
http://support.microsoft.com/kb/942846
specifics about the vulnerability:
http://www.microsoft.com/technet/security/bulletin/MS09-003.mspx
Microsoft has gotten a large amount of heat for its operating system. In large part due to the number of well crafted viruses that exploit weaknesses in the programming. Apple was long touted to be virus free. That was only due to the obscurity of the system and people's willingness to write viruses for it. I don't think we should bash the quality of Microsoft's code because anyone's code can be full of holes when people work at breaking it. I think Microsoft's issue is updating. Update when the exploit is found, not the second Tuesday of the month after the exploit has been abused for a while.
I am not surprised by the announcement of these major flaws, many directly related to MS proprietary components/protocols. Microsoft has a history of manipulating open standards into MS proprietary protocols in order to prevent development outside Windows. However, as a result, Windows OS's become less compatible with other OS's and do not reap the benefit of improvements to open source alternatives made in the open source and standard organization communities. Several examples of flawed Windows proprietary technologies: WMI (no longer supported in newest Windows Servers), Direct X (unstable and high overhead compared with OpenGL), UAC (worst Vista feature) and Windows Automatic Updates (incremental updates with multiple reboots to update, memory leaks and high resource consumption under idle conditions).
The verbiage there is mind numbingly stupid. I quote, "Ubuntu became the latest Linux vendor to patch a vulnerability in the open-source operating system's kernel". In other words, a kernel fix was made available and it was applied. They make it sound like it has far-reaching consequences and, by having multiple distros, the problem is somehow made far, far worse.
Huge difference between local and remote exploits. The fact you seem to not understand the difference squarely places you into your own worst scenario, "False sense of security is the worse security."
Since I'm the only user on my box I don't think I have to worry about me exploiting myself and doing unknown harm.
....What "carefully crafted message" would I need to send to take over an Exchange Server?
To: ExchangeServer@company.com
Subject: H3ll0
I 0wn you Now. Please reply back with passwords.
Regards,
Hax0r
Do not read this
Well, this little Slashbot has certainly been studying his talking points. I'm sorry to inform you, but this flaw is not in the underlying protocol; it is in the implementation.
As for your other allegations...
WMI is not only supported in Windows Server 2008, but additional providers have been added. This is the most ridiculous of your claims as it has absolutely no basis in reality whatsoever.
I don't know enough about DirectX to comment on your assertion, but I suspect you are probably equally delusional.
UAC is just a band-aid; it is better than nothing, but it doesn't fix the underlying problems.
I do agree that rebooting for Automatic Updates is a pain. However, I've never even heard of anyone complaining about memory or resource usage or leaks while using it.
That's nothing! If you boot Windows forwards, it loads Windows!
So having addressed the FUD, look at your main point. "Windows OS's become less compatible with other OS's and do not reap the benefit..." Windows has never tried to be compatible with other OS. When it comes to Windows compatibility I would go so far as to say they've done a damn good job (possibly *too* good) considering the mess with which they're keeping backward compatibility and the crud that keeps getting carried forward.
Microsoft may have many faults, but you seem to have missed the mark.
... and Exchange 2003 stopped delivering messages to mailboxes.
Rolled it back, and everything worked fine ^H^H^H^H just as it used to.
I may be missing the point of these "fixes", but surely "security updates" should actually be tested at some stage?
You're wrong about WMI - no longer supported in Exchange - EWS used instead. While it still exists, it is continuing to be replaced by other Microsoft protocols for Microsoft Server products, like Exchange and MS SQL.
Direct X - requires more hardware than OpenGL to run and many third-party developers will report problems programming under this API - XBOX issues have occurred as a result of Direct X instabilities. Also, you clearly know little about OpenGL if you think it is less stable and performs poorer than Direct X.
UAC - seriously, what use is this - can I really be more secure using an annoying pop-up notifier? I think not.
Automatic Updates - seriously, show me another update manager that is worse. Examples that are much better: linux yum and OS X Software Updates.
Furthermore, what is the point of an OS that isn't compatible with anyone else???? Windows is rarely compatible with their own legacy software, let alone others...
Win98 doesn't need any of these silly patches, so is it also more secure?
Please go back to reddit and/or digg.
A local exploit is a potential problem even if you're the only user. If an attacker combines a remote non-root exploit (say an Apache bug that gets him access as the 'nobody' user) with a local exploit (that upgrades 'nobody' to 'root'), he now has a remote root exploit.
Local in this case just means a logged-in, unprivileged user that can run arbitrary code.
Read up on blended threats.
Hands in my pocket
Have you evaluated Zimbra?
At my company (I'm CTO) we have a mix of Windows, Mac, and Linux clients. (Sales/Support use Windows/Mac, tech dept is nearly all Linux) Throw in a few palm and Windows mobile phones, and you have a support nightmare. Supposedly, Zimbra supports all of these without issue.
I'm in the beginning stages of implementation (just allocated a dual-CPU server to trial it on today, on CentOS) but I'm wondering if anybody out there has anything to say about this?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Since I'm the only user on my box I don't think I have to worry about me exploiting myself and doing unknown harm
How do you know you don't have DID? ;)
Free Martian Whores!
In all fairness regarding Exchange, things break on every release. My comments regarding backward compatibility were specifically regarding Windows the OS, not the Microsoft server applications. While there are some good ones (SQL) there are some terrible ones (Exchange, SMS) too.
.DOCs are the "standard" or have to access corporate web applications that only run in IE you see the point very clearly.
Regarding performance, both APIs are functional. DirectX is more an interface to hardware where OpenGL is a generic interface that may or may not be hardware accelerated. Performance is driven largely from the drivers. In my experience games that support both DirectX and OpenGL perform better in DirectX. Does that mean it's better? No, maybe Nvidia does a better job with DirectX than OpenGL. Regardless, you can't say one is always clearly better than the other.
Your UAC rant is still misplaced. I don't know anyone who likes the implementation. But what does it have to do with performance, stability or backwards compatibility with other software? It was a bad implementation of a good idea. Well, assuming you don't want to fix security (and break compatibility) with the Win32 API it's about the best you can do. An example of how MS tried to band-aid a poor design problem maybe. An example of broken backward compatibility it is not.
Okay, I'll bite on automatic updates. It's not the best. Nor did I claim it was. apt-get is better and my personal favorite. Solaris is on-par with Windows in that it will detect a "major" update and won't detect patches for that major update until the next time the update is run (possibly after a reboot). I've seen the same thing with OS X (such as after an iTunes upgrade). Why does Safari or iTunes reboot the computer? I have no idea. Why can't all update software look ahead and see if there are patches to what it has planned to install/upgrade? I don't know. What I do know is that Windows Update is not alone. Patching NetWare servers has to be many times worse than Windows.
I'm not sure how you miss the point of Windows (the OS) not being compatible with anyone else. They want it that way. POSIX wasn't implemented for a reason. You can't switch out Windows and replace it with something else without a huge investment (time and/or money). I am crystal clear on the issue of why it's not compatible with other operating systems. I don't suspect that it will ever change. Why would they want to compete against UNIX on equal ground when they have their own API that UNIX can't implement (or when doing so breaks apps because the API doesn't function as is publicly documented)? The only reason to be compatible with another OS is if you want to move applications between them. Microsoft doesn't want to. So what is the point of an OS that isn't compatible with anyone else? Money. And lots of it. And if you have to deal with the public sector where
As far as rarely compatible with their own legacy software? Well, Vista broke some things in an attempt to lock things down better. A lot of the problems are due to bad coding -- code which, if run in *NIX, would also not work due to some dubious assumptions on the part of the developer. The difference is that *NIX software developers know (and often prefer) that their software will not run as root. Much of the MS software out there requires that it be run as an administrator. When you start locking things down (non-root users in Linux, roles in Solaris, SELinux, CSA and Vista/UAC) bad software breaks.
I'm not a fan of Windows for many reasons. One of those reasons is backwards compatibility. It's really, really hard to "fix" security problems with a bad API when you carry forward that bad API into every future release. Sure, some of the really bad API is removed (and applications break) but most of it has carried forward. At the expense of security, it has definitely allowed for backward compatibility.
I have an incredible philosophical problem with any software designed to cause code to run as a result of you receiving an email, and which then takes that email as its input data, particularly if it starts processing it before it verifies the referential integrity of the MIME container(s) in the message.
The primary reason Outlook has been such a cesspit of exploits is "Exchange integration". Loosely translated, this means that it ignores encapsulation enforcement by starting to interpret the contents of an email prior to verifying that the container object for the email itself is intact and contains what the headers say it contains. That it also runs code in arbitrary and unverified DLLs registered to handle decoding a particular MIME type when you receive an email, and AGAIN without verifying the referential integrity of the container, is almost criminal.
You take those pieces away, and the "neatly integrated" quickly becomes not nearly so "neatly".
I have to agree with one of the other posters, that the best example of this done correctly is the server-side AJAX integration that's used in Zimbra. For non-Zimbra solutions, recognizing dates as things you can put on a schedule or addresses or signatures as things you can attach to an address book entry is about a 90% solution, and doesn't require the risk of premature decoding to make it work. Apple's Mail.app does this rather well, although it also is starting down the "active email message" path-to-hell blazed by Outlook, at least it's not turned on in the preferences by default, and container integrity is checked up front.
-- Terry
I agree that OS X Updates often do require one reboot, after the software update process is complete. This is still much better than Windows: Incremental Update, reboot, incremental update, reboot, etc.... As far as UAC goes, this is more of an example of a new, MS proprietary idea badly implemented that was used instead of embracing alternative security models that have existed for decades under UNIX. I'm not saying that other OS's don't have proprietary components, but if I write a program in Visual Studio with C++ and use Direct X or MFC, how do I port such a program to linux? I really can't. In the end, I would have to re-write most of the program. Compare this to proprietary UNIX-based OS's where ports are much easier to accomplish between systems. The purpose of technical standards is to integrate technology across vendors, which, does not really exist under the Microsoft philosophy to control their majority market share. So Microsoft's claims of compatibility are only true if you are using another Microsoft system.
I had the same with Exchange 2007. Calendaring stopped working so I reinstalled rollup 5 and everything went back to normal.
As for your comment, one day when you move into the "real world" you will realize that you don't always have the resources to test every single patch that comes down the line. I'd much rather have a Microsoft patch fubar the machine than have a haxxor pwning it because I was busy testing a patch. At least when I have to explain to management why the email was down for 30 minutes, I can blame Microsoft instead of saying that we got exploited (which would then become MY fault).
Not everyone can afford to have redundant everything. Especially machines that are only used for testing, and therefore not in a production environment, where it is easier to find bugs. Sure, if your Exchange server services 2000+ users, or generates tens of thousands of dollars a day, then maybe you can afford another machine to test on. Most people in the Real World do not have those luxuries.
As a potential lottery winner, I totally support tax cuts for the wealthy
A local exploit is a potential problem even if you're the only user. If an attacker combines a remote non-root exploit (say an Apache bug that gets him access as the 'nobody' user) with a local exploit (that upgrades 'nobody' to 'root'), he now has a remote root exploit.
Local in this case just means a logged-in, unprivileged user that can run arbitrary code.
Read up on blended threats.
We need a section on Milw0rm called, "Will it Blend?"
Like sendmail has never had critical vulnerabilities in its address parsing code?
The last time there was a sendmail release for a major security reason was 8.13.6, back in March 2006:
http://www.sendmail.com/sm/security/
http://www.sendmail.org/releases/8.13.6
There was a DoS issue that was fixed in May 2006 (8.13.7).
TNEF was M$'s way of punishing non-Windows sites. Any message using M$ Outlook composed in rich text format is automatically sent in this proprietary format. There are free TNEF decoders (reverse engineered), but none is perfect. Most spam/virus filtering gateways use these free TNEF decoders, so the bad guys can get their payloads into organizations by encapsulating them in TNEF that the free decoders can't decode, but the vulnerable soon-to-be-zombie PCs can. It also seems that a service pack for Office 2k3 has added additional cases where Outlook encodes messages with TNEF.
It is petty, but... payback time-- no sympathy from me.
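A gateway-side check in the spirit of Terry's comment on container integrity and the comment above on TNEF filtering, added here as an illustration and not part of the thread or of any product mentioned in it: verify the MIME container first, then fail closed on any TNEF body instead of trusting a decoder to understand it. The `triage` policy, the sample builder and all sample messages are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# TNEF streams begin with the 32-bit signature 0x223E9F78, little-endian on the wire.
TNEF_SIGNATURE = bytes.fromhex("789f3e22")
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}


def triage(raw: bytes) -> tuple[str, list[str]]:
    """Return ("deliver" | "quarantine", reasons). Never decodes TNEF contents."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []
    for part in msg.walk():
        leaf = not part.is_multipart()
        # Undo only the transfer encoding (base64/QP); the body stays opaque bytes.
        payload = (part.get_payload(decode=True) or b"") if leaf else b""
        # Container check: the parser records structural problems as defects.
        reasons += [f"MIME defect: {type(d).__name__}" for d in part.defects]
        if not leaf:
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        declared = ctype in TNEF_TYPES or name == "winmail.dat"
        actual = payload.startswith(TNEF_SIGNATURE)
        if declared and not actual:
            reasons.append("declared TNEF but signature missing")
        elif actual and not declared:
            reasons.append(f"TNEF body labelled as {ctype}")
        elif actual:
            # Fail closed: a filter that cannot inspect the blob must not pass it on.
            reasons.append("TNEF attachment held for isolated decoding")
    return ("quarantine" if reasons else "deliver"), reasons


def sample(body: bytes, subtype: str, filename: str) -> bytes:
    """Build a constructed test message carrying one attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "a@example.com", "b@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("hello")
    m.add_attachment(body, maintype="application", subtype=subtype,
                     filename=filename)
    return m.as_bytes()


# Constructed: a multipart message cut off before its closing boundary.
TRUNCATED = (b'From: a@example.com\r\nMIME-Version: 1.0\r\n'
             b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
             b'--b1\r\nContent-Type: text/plain\r\n\r\nhi\r\n')

if __name__ == "__main__":
    fake_tnef = TNEF_SIGNATURE + b"\x01\x00constructed"  # not a real TNEF stream
    cases = {
        "plain pdf": sample(b"%PDF-1.4 constructed", "pdf", "report.pdf"),
        "declared tnef": sample(fake_tnef, "ms-tnef", "winmail.dat"),
        "mislabelled tnef": sample(fake_tnef, "octet-stream", "notes.bin"),
        "truncated container": TRUNCATED,
    }
    for label, raw in cases.items():
        print(label, triage(raw))
```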
It is Microsoft Exchange Software Feature.
I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga
I can't believe this was modded insightful. In other words this local exploit is an issue because of imaginary remote exploits? WTF? That's like being worried about local exploits when I don't have physical security. If I don't have physical security, nothing else matters. If I don't have remote security, nothing else matters.
Simple fact is, first order concerns always are and always will be physical security and remote exploits; assuming a system with network connectivity. Period. Everything else is secondary.
This is not true. There are plenty of things in place on your linux box that minimize the impact of a network intrusion.
First of all, you run network services as nonprivileged users. If I find a vulnerability in your ntpd, and exploit it, I can't for example delete files or shut down the server, or set up a keylogger, because the ntpd user doesn't have the rights to do any of that.
You might even run certain services in chroot jails, where they have no access to most of the filesystem.
However, a local root exploit makes this all much more serious. You would be able to turn the unprivileged ntpd login into a root login.
If you don't run any network services at all (or you firewall them from the world), fine, local exploits aren't going to be an issue for you.
Hands in my pocket