Slashdot Mirror


MS Critical Patch Fixes 8 Vulnerabilities

nandemoari writes "A hole allowing hackers to take control of Microsoft Exchange was just one 'critical' issue the Redmond-based company promises it has fixed with a patch correcting a total of eight vulnerabilities in its programs, including the Internet Explorer browser, Office, and its SQL Server. Three of the eight vulnerabilities patched yesterday were marked 'critical.' The most concerning is an issue with Exchange that would allow attackers to take over an Exchange server by simply forwarding a carefully crafted message to a corporate mail server. Microsoft has admitted that the vulnerability can be exploited when a user opens or previews an email in the Transport Neutral Encapsulation Format (TNEF)."

34 of 202 comments

  1. Doesn't Sound so Bad by segedunum · · Score: 5, Funny

    Many people would love to outsource management of Exchange server, and it's even better if someone wants to do it for free.

    1. Re:Doesn't Sound so Bad by SatanicPuppy · · Score: 2, Interesting

      Maybe their budget doesn't stretch so far as to be able to employ 1 guy to do nothing but manage a mail server.

      Exchange is a big pain in the ass, and it doesn't scale very well. I hate it, and all I have to do with it is keep it from ever touching the web directly.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    2. Re:Doesn't Sound so Bad by SatanicPuppy · · Score: 2, Interesting

      Let me start by saying that I never want to see the words "bare" and "it professional" in the same sentence. Ew. Ew. Ewwwwwwwwwwww.

      That being said, I'll acknowledge that Exchange is actually improving pretty dramatically between releases. Even 2k3 is so far ahead of earlier Exchange releases as to be almost unrecognizable. We run about 300 users on a pretty small hardware footprint, and, provided you run everything through an antivirus before you send it to the users, it all works with little supervision.

      I used to spend time trying to wean people off of Exchange, but it's practically impossible. Nothing else on the market compares...Even the big commercial competitor Lotus is a joke compared to Exchange.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    3. Re:Doesn't Sound so Bad by SatanicPuppy · · Score: 5, Insightful

      I've run it, and it doesn't. That you put them on the same page shows you've never run Exchange because Exchange is not about email.

      I'll tell you what I tell everyone: you need to go use Exchange for a while. Sit behind some manager and watch them fuck with their goddamn calendars for a while. Watch how neatly the calendars integrate with the email. Watch how it integrates with Office for document collaboration.

      There is no one product that handles all those features so well and so seamlessly.

      All those features can be had from a half dozen different OSS apps, and when you've laboriously cobbled them together into a working whole and presented it to management, they will give you a look like you handed them a plate full of dogshit, and then they will give you a list of things that aren't as good.

      And when you go back to your office you'll go over the list and you will grind your teeth because the fuckers are right. You will never convince people to ditch exchange until you can provide a product that is just as good.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    4. Re:Doesn't Sound so Bad by SatanicPuppy · · Score: 4, Insightful

      Who knows? The thing is, once you have 1000 people, the critical mass of pointy-hairs will make Exchange a requirement.

      Still, 70 bucks a seat sounds expensive when your budget is in the hundreds of thousands. When your budget is in the millions, that's like 1 manager's salary, so you fire the guy you like least, and buy exchange for the company.

      I am often at a loss to explain business decisions though. We use this huge proprietary design system, and for years we were shackled to the old version of the system by costs of the hardware upgrade (old solaris mainframes). I sat down one day and took the new version of the system (which we had for free, since we were paying support), and made it work on open solaris on x86 hardware.

      Took it to my boss expecting a raise, and maybe, you know, some appreciation. Got told off because my solution didn't account for the need to buy ~40 CS3 licenses (around 30k, for some new copies, and some upgrades).

      Fast forward 6 months, and we went out and bought a NEW system to do the same thing for more than 10 times what my upgrade would have cost. The new system only replaces half of the old system, so we still have half a crappy old system to maintain, and, AND, we still had to buy the fucking CS3 licenses!

      Front to back it cost us probably half a million dollars and the new system is universally hated for its crap speed and crap stability (it's running, I shit you not, on virtualized win2k boxes...I could fucking weep).

      The thing is, my solution was impossible because it couldn't be put on the capital budget because it was over the max budget for an in-house upgrade. But the much more expensive system could because it was under the budget for a purchased system. Penny wise, pound foolish.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  2. Is it that easy? by UnknowingFool · · Score: 4, Interesting

    I don't know anything about Exchange but you mean to tell me that someone sending an email to an Exchange server can allow it to take over the server? It's one thing for hackers to rely on social networking and fool a user into executing an attachment. It's another thing to be able to take over simply by sending a message.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Is it that easy? by Anonymous Coward · · Score: 5, Insightful

      Like sendmail has never had critical vulnerabilities in its address parsing code?

      The irony is that the error is in MS's proprietary TNEF format. This is a binary format so it should be easy to parse.

      Offtopic, but why can't slashdot link to the meat rather than some ad-laden rehash?

    2. Re:Is it that easy? by gzipped_tar · · Score: 2, Informative

      It is possible... this is usually the symptom of a buffer overflow error in the server code. An attacker discovers the hole, takes advantage of the vulnerable buffer to "smash the stack", and dupes the process into executing the shellcode (concise machine code that does whatever an attacker wants) planted in the "specially crafted" mail text.

      There are other possibilities but buffer overflows are among the most common ones. I didn't RTFA and neither do I know whether this is one but yes, taking over the server by malicious input *is* possible without social engineering, provided the service code is bad enough to be exploited.

      --
      Colorless green Cthulhu waits dreaming furiously.
    3. Re:Is it that easy? by lukas84 · · Score: 3, Informative

      Unluckily for you, this vulnerability will still affect you. If you read the security announcement by Microsoft, a possible workaround is to block all TNEF / winmail.dat attachments, which will break all incoming RTF mail. Depending on what your business exactly does, this might not be a viable workaround.
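
Added example, not part of the thread or of Microsoft's announcement: a gateway-side check for the TNEF / winmail.dat blocking workaround mentioned in the comment above. It flags an attachment by declared MIME type, by filename, and by the TNEF signature in the first four payload bytes, so a TNEF stream that arrives under another name or type is still caught; the function names, addresses and sample messages are constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

# TNEF streams begin with this 32-bit little-endian signature.
TNEF_SIGNATURE = 0x223E9F78
# MIME types commonly used to label TNEF attachments.
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}


def tnef_reasons(part):
    """Return the signals that mark one non-multipart MIME part as TNEF."""
    reasons = []
    if part.get_content_type() in TNEF_TYPES:
        reasons.append("content-type")
    if (part.get_filename() or "").lower() == "winmail.dat":
        reasons.append("filename")
    # decode=True undoes base64/quoted-printable so the raw bytes are checked.
    payload = part.get_payload(decode=True) or b""
    if len(payload) >= 4 and struct.unpack_from("<I", payload)[0] == TNEF_SIGNATURE:
        reasons.append("magic")
    return reasons


def scan_message(raw):
    """Walk every leaf part of a raw RFC 5322 message; list TNEF findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        reasons = tnef_reasons(part)
        if reasons:
            findings.append((part.get_filename(), reasons))
    return findings


def should_quarantine(raw):
    """Policy decision for the workaround: hold any message carrying TNEF."""
    return bool(scan_message(raw))


def build_sample(filename, subtype, body):
    """Build a constructed test message with one application/* attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("hello")
    msg.add_attachment(body, maintype="application", subtype=subtype,
                       filename=filename)
    return msg.as_bytes()


# Constructed bytes: signature plus a 16-bit key and padding only,
# not a complete TNEF stream.
TNEF_STUB = struct.pack("<IH", TNEF_SIGNATURE, 1) + b"\x00" * 8

SAMPLES = {
    "labelled": build_sample("winmail.dat", "ms-tnef", TNEF_STUB),
    "renamed": build_sample("report.bin", "octet-stream", TNEF_STUB),
    "benign": build_sample("notes.pdf", "pdf", b"%PDF-1.4 constructed"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, should_quarantine(raw), scan_message(raw))
```
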

    4. Re:Is it that easy? by Just+Some+Guy · · Score: 4, Interesting

      yeah but qmail hasn't :p

      Of course, it has about 5% of the features of Exchange or Postfix or Exim or Sendmail or...

      --
      Dewey, what part of this looks like authorities should be involved?
    5. Re:Is it that easy? by SatanicPuppy · · Score: 3, Funny

      Wow, you have a firewall that stops email from getting to a mail server! I gotta get me one of those...It would reduce my workload by 95%! Since I don't answer any of my phones, the only way people could contact me with problems would be by ambushing me on the way to the bathroom.

      It would keep the CEO from ever contacting me, that's for sure. God knows he'd never be caught down here with people who do work.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    6. Re:Is it that easy? by gzipped_tar · · Score: 5, Insightful

      Properly written C and C++ code can and should trap all exceptions. There is no excuse for untrapped buffer overflows in mature commercial code.

      Buffer overflows are programmer errors, not program exceptions that signal some kind of event. They can't be "handled" -- they must be eliminated from the source code.

      --
      Colorless green Cthulhu waits dreaming furiously.
    7. Re:Is it that easy? by DarkOx · · Score: 2, Interesting

      Well the firewall won't help you with this vulnerability because even after the message is handled through the other mail gateway it can still be a threat. It is however very common to not let Exchange speak directly to the outside world. I for one block all SMTP at my edge firewall except to and from a cluster of Barracuda Spam filters. They also used to be configured as a smart host in the E2K3 world. In 2k7 I simply don't use the edge transport rule and let the hub transport server treat them as a send connector, for * address space.

      I know lots of other people with the same setup.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  3. Stop spreading FUD by Fred_A · · Score: 4, Funny

    It's all closed source, so there aren't any real vulnerabilities. Even the certified professionals say so. They're certified what more do you need !

    As if you could spread havoc through email on a proprietary system. Bah.

    --

    May contain traces of nut.
    Made from the freshest electrons.
    1. Re:Stop spreading FUD by Fred_A · · Score: 4, Funny

      We DON'T want to know what demonic code is stored in the source files on some secure Microsoft server up in Redmond.

      Hmmm...

      Did you know that if you boot Windows backwards you can hear satanic APIs ?

      --

      May contain traces of nut.
      Made from the freshest electrons.
  4. Oddly enough... by smooth+wombat · · Score: 3, Informative

    the IE fix ONLY affects IE 7. If you're running IE 6 (or even 5) on any platform, you don't have a patch to install.

    Could it be, *gasp*, that IE 6 is more secure than IE 7? The mind wobbles.*

    *For you yungins, go look up Kelly Bundy and the above phrase.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Oddly enough... by whyareallthenamestak · · Score: 5, Funny

      *For you yungins, go look up Kelly Bundy and the above phrase.

      I just did. The top result is your post!

    2. Re:Oddly enough... by Anonymous Coward · · Score: 3, Funny

      And the next thing we will hear is that Kelly Bundy has been citing smooth wombat for all these years.

  5. Why can't Microsoft ever get this right? by msblack · · Score: 2, Insightful

    Why in the world would an e-mail delivery system ever consider executing external code? Exchange should simply look at the delivery address. If it is a local address, place the message in the user's mailbox. If an external address, forward to the next hop. What's so difficult with that task?

    CommuniGate Pro has never had this problem. IronPort appliances don't have this problem. Exchange should stick to its sole job as a delivery agent and stop trying to be so smart.

    Can't we live without OLE?

    --
    signature pending slashdot approval
    1. Re:Why can't Microsoft ever get this right? by Anonymous Coward · · Score: 5, Informative

      Why in the world would an e-mail delivery system ever consider executing external code?

      Exploits such as the ones mentioned aren't because the system is executing external code intentionally, rather, a carefully crafted message will overflow a buffer and change the values of some CPU registers. If the values change in such a way that a pointer moves execution to a part of the carefully crafted message, that message is now external code that is being run.

    2. Re:Why can't Microsoft ever get this right? by pmarini · · Score: 2, Insightful

      Let me be the first to laugh at this one...

      the only built-in groupware feature that I've seen people using in Exchange (without shelling out xBox credits for half a dozen other additional applications like SharePoint, SQL Server, BizTalk, InfoPath, etc) is the one allowing to click on predefined Yes, No, Maybe buttons to reply to a message...

      --
      Can I put a spell on those who can't spell?
      Your wheels are loose and they're losing their grip, good you're there.
  6. Re:I love the small of hot-fix patches in the morn by Ash+Vince · · Score: 2, Informative

    There is a difference between the hole you posted and the one that is being discussed though, a very big difference.
    The security hole in the Kernel that Ubuntu fixed required local access to the machine in question, the Exchange bug could be exploited by sending the server an email so no access whatsoever was required.

    Privilege escalation vulnerabilities are generally considered to be of a lower priority to fix and not as severe as you must have a modicum of trust in order to give someone a shell account. No trust is required to send someone an email.

    --
    I dont read /. to RTFA, I read /. to offend people in ignorance.
  7. Re:Its really time to spread the word: by techamed · · Score: 2, Funny

    Hang on I'll send an email

  8. Re:Bandwagon by rawr_one · · Score: 2, Interesting

    You're not looking at the actual history of Microsoft Windows, though. Windows was (and still is, to a large part) built off what was originally a single-user system that would exist ENTIRELY as a standalone unit that was never connected to any other computers. UNIX, on the other hand, started with that kind of functionality in mind. So, while UNIX has been building off of that original multi-system support, Microsoft had to build up theirs (this becomes especially important with netcode) on top of a system that wasn't made to work like that. To put it simply, Microsoft started with a shoe and tried to make a hat.

  9. MS Proprietary Protocols have a history of flaws by compusci · · Score: 2, Insightful

    I am not surprised by the announcement of these major flaws, many directly related to MS proprietary components/protocols. Microsoft has a history of manipulating open standards into MS proprietary protocols in order to prevent development outside Windows. However, as a result, Windows OS's become less compatible with other OS's and do not reap the benefit of improvements to open source alternatives made in the open source and standard organization communities. Several examples of flawed Windows proprietary technologies: WMI (no longer supported in newest Windows Servers), Direct X (unstable and high overhead compared with OpenGL), UAC (worst Vista feature) and Windows Automatic Updates (incremental updates with multiple reboots to update, memory leaks and high resource consumption under idle conditions).

  10. Re:Bandwagon by drsmithy · · Score: 4, Informative

    You're not looking at the actual history of Microsoft Windows, though. Windows was (and still is, to a large part) built off what was originally a single-user system that would exist ENTIRELY as a standalone unit that was never connected to any other computers.

    No, it's not. Windows NT was designed from the start to be a multiuser, networked OS.

    UNIX, on the other hand, started with that kind of functionality in mind.

    Actually, no. The very first versions of UNIX were single user. The multiuser stuff was added later, which is probably why it still had (and still has, in most configurations today) the concept of a superuser, even when other OSes had moved on.

  11. So.... by Trashman · · Score: 5, Funny

    ....What "carefully crafted message" would I need to send to take over an Exchange Server?

    To: ExchangeServer@company.com
    Subject: H3ll0

    I 0wn you Now. Please reply back with passwords.

    Regards,
    Hax0r

    --
    Do not read this .sig
  12. Oblig. Quote by Anonymous Coward · · Score: 4, Funny

    That's nothing! If you boot Windows forwards, it loads Windows!

  13. We installed it ... by humph2 · · Score: 3, Interesting

    ... and Exchange 2003 stopped delivering messages to mailboxes.

    Rolled it back, and everything worked fine ^H^H^H^H just as it used to.

    I may be missing the point of these "fixes", but surely "security updates" should actually be tested at some stage?

    1. Re:We installed it ... by lukas84 · · Score: 4, Funny

      Yes, they should. Namely by you. In your testing environment. Before deploying it to production.

  14. Re:I love the small of hot-fix patches in the morn by Craig+Davison · · Score: 3, Insightful

    A local exploit is a potential problem even if you're the only user. If an attacker combines a remote non-root exploit (say an Apache bug that gets him access as the 'nobody' user) with a local exploit (that upgrades 'nobody' to 'root'), he now has a remote root exploit.

    Local in this case just means a logged-in, unprivileged user that can run arbitrary code.

    Read up on blended threats.

  15. Re:Its really time to spread the word: by mcrbids · · Score: 2, Informative

    That OO.org is still languishing in obscurity has more to do with its flaws than some gigantic conspiracy of users who just can't think of anything better to do with their money.

    What rock have YOU been under?

    Gross market share moves slowly. Great change takes years or decades, and if you see change where the majority product becomes a minority in 10 years, that's very rapid change. There's every sign that this is, in fact, happening. It's by no means comprehensive, but it's pretty clear that OO.o is making some pretty serious headway. Whole nations are standardizing on Open Office!

    And on a related note, OO's document format, ODF, is now a recognized international standard, is a mandatory standard for NATO, and is also being adopted by governments around the world.

    It may not be all that visible where YOU sit, but the impact is both real and international in scope.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  16. Re:MS Proprietary Protocols have a history of flaw by tignet · · Score: 2, Informative

    In all fairness regarding Exchange, things break on every release. My comments regarding backward compatibility were specifically regarding Windows the OS, not the Microsoft server applications. While there are some good ones (SQL) there are some terrible ones (Exchange, SMS) too.

    Regarding performance, both APIs are functional. DirectX is more an interface to hardware where OpenGL is a generic interface that may or may not be hardware accelerated. Performance is driven largely from the drivers. In my experience games that support both DirectX and OpenGL perform better in DirectX. Does that mean it's better? No, maybe Nvidia does a better job with DirectX than OpenGL. Regardless, you can't say one is always clearly better than the other.

    Your UAC rant is still misplaced. I don't know anyone who likes the implementation. But what does it have to do with performance, stability or backwards compatibility with other software? It was a bad implementation of a good idea. Well, assuming you don't want to fix security (and break compatibility) with the Win32 API it's about the best you can do. An example of how MS tried to band-aid a poor design problem maybe. An example of broken backward compatibility it is not.

    Okay, I'll bite on automatic updates. It's not the best. Nor did I claim it was. apt-get is better and my personal favorite. Solaris is on-par with Windows in that it will detect a "major" update and won't detect patches for that major update until the next time the update is run (possibly after a reboot). I've seen the same thing with OS X (such as after an iTunes upgrade). Why does Safari or iTunes reboot the computer? I have no idea. Why can't all update software look ahead and see if there are patches to what it has planned to install/upgrade? I don't know. What I do know is that Windows Update is not alone. Patching NetWare servers has to be many times worse than Windows.

    I'm not sure how you miss the point of Windows (the OS) not being compatible with anyone else. They want it that way. POSIX wasn't implemented for a reason. You can't switch out Windows and replace it with something else without a huge investment (time and/or money). I am crystal clear on the issue of why it's not compatible with other operating systems. I don't suspect that it will ever change. Why would they want to compete against UNIX on equal ground when they have their own API that UNIX can't implement (or when doing so breaks apps because the API doesn't function as is publicly documented)? The only reason to be compatible with another OS is if you want to move applications between them. Microsoft doesn't want to. So what is the point of an OS that isn't compatible with anyone else? Money. And lots of it. And if you have to deal with the public sector where .DOCs are the "standard" or have to access corporate web applications that only run in IE you see the point very clearly.

    As far as rarely compatible with their own legacy software? Well Vista broke some things in an attempt to lock things down better. A lot of the problems are due to bad coding -- code which if run in *NIX would also not work due to some dubious assumptions on the part of the developer. The difference is in that *NIX software developers know (and often prefer) that their software will not run as root. Much of the MS software out there requires that it be run as an administrator. When you start locking things down (non-root users in Linux, roles in Solaris, SELinux, CSA and Vista/UAC) bad software breaks.

    I'm not a fan of Windows for many reasons. One of those reasons is backwards compatibility. It's really, really hard to "fix" security problems with a bad API when you carry forward that bad API into every future release. Sure, some of the really bad API is removed (and applications break) but most of it has carried forward. At the expense of security, it has definitely allowed for backward compatibility.

  17. oh get over yourself by citylivin · · Score: 5, Insightful

    I had the same with exchange 2007. Calendaring stopped working so I reinstalled rollup 5 and everything went back to normal.

    As for your comment, one day when you move into the "real world" you will realize that you don't always have the resources to test every single patch that comes down the line. I'd much rather have a Microsoft patch fubar the machine than have a haxxor pwning it because I was busy testing a patch. At least when I have to explain to management why the email was down for 30 minutes, I can blame Microsoft instead of saying that we got exploited (which would then become MY fault).

    Not everyone can afford to have redundant everything. Especially machines that are only used for testing, and therefore not in a production environment, where it is easier to find bugs. Sure, if your Exchange server services 2000+ users, or generates tens of thousands of dollars a day then maybe you can afford another machine to test on. Most people in the Real World do not have those luxuries.

    --
    As a potential lottery winner, I totally support tax cuts for the wealthy