Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Critical Patch Fixes 8 Vulnerabilities

Posted by CmdrTaco on from the your-server-is-sick dept.

nandemoari writes "A hole allowing hackers to take control of Microsoft Exchange was just one 'critical' issue the Redmond-based company promises it has fixed with a patch correcting a total of eight vulnerabilities in its programs, including the Internet Explorer browser, Office, and its SQL Server. Three of the eight vulnerabilities patched yesterday were marked 'critical.' The most concerning is an issue with Exchange that would allow attackers to take over an Exchange server by simply forwarding a carefully crafted message to a corporate mail server. Microsoft has admitted that the vulnerability can be exploited when a user opens or previews an email in the Transport Neutral Encapsulation Format (TNEF)."

22 of 202 comments (clear)

  1. Doesn't Sound so Bad by segedunum · · Score: 5, Funny

    Many people would love to outsource management of Exchange server, and it's even better if someone wants to do it for free.

    1. Re:Doesn't Sound so Bad by SatanicPuppy · · Score: 5, Insightful

      I've run it, and it doesn't. That you put them on the same page shows you've never run Exchange because Exchange is not about email.

      I'll tell you what I tell everyone: you need to go use Exchange for a while. Sit behind some manager and watch them fuck with their goddamn calendars for a while. Watch how neatly the calendars integrate with the email. Watch how it integrates with Office for document collaboration.

      There is no one product that handles all those features so well and so seamlessly.

      All those features can be had from a half dozen different OSS apps, and when you've laboriously cobbled them together into a working whole and presented it to management, they will give you a look like you handed them a plate full of dogshit, and then they will give you a list of things that aren't as good.

      And when you go back to your office you'll go over the list and you will grind your teeth because the fuckers are right. You will never convince people to ditch exchange until you can provide a product that is just as good.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    2. Re:Doesn't Sound so Bad by SatanicPuppy · · Score: 4, Insightful

      Who knows? The thing is, once you have 1000 people, the critical mass of pointy-hairs will make Exchange a requirement.

      Still, 70 bucks a seat sounds expensive when your budget is in the hundreds of thousands. When your budget is in the millions, that's like 1 manager's salary, so you fire the guy you like least, and buy exchange for the company.

      I am often at a loss to explain business decisions though. We use this huge proprietary design system, and for years we were shackled to the old version of the system by costs of the hardware upgrade (old solaris mainframes). I sat down one day and took the new version of the system (which we had for free, since we were paying support), and made it work on open solaris on x86 hardware.

      Took it to my boss expecting a raise, and maybe, you know, some appreciation. Got told off because my solution didn't account for the need to buy ~40 CS3 licenses (around 30k, for some new copies, and some upgrades).

      Fast forward 6 months, and we went out and bought a NEW system to do the same thing for more than 10 times what my upgrade would have cost. The new system only replaces half of the old system, so we still have half a crappy old system to maintain, and, AND, we still had to buy the fucking CS3 licenses!

      Front to back it cost us probably half a million dollars and the new system is universally hated for its crap speed and crap stability (it's running, I shit you not, on virtualized win2k boxes...I could fucking weep).

      The thing is, my solution was impossible because it couldn't be put on the capital budget because it was over the max budget for an in-house upgrade. But the much more expensive system could because it was under the budget for a purchased system. Penny wise, pound foolish.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  2. Is it that easy? by UnknowingFool · · Score: 4, Interesting

    I don't know anything about Exchange but you mean to tell me that someone sending an email to an Exchange server can allow it to take over the server? It's one thing for hackers to rely on social networking and fool a user into executing an attachment. It's another thing to be able to takeover simply by sending a message.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Is it that easy? by Anonymous Coward · · Score: 5, Insightful

      Like sendmail has never had critical vulnerabilities in its address parsing code?

      The irony is that the error is in MS's proprietary TNEF format. This is a binary format so it should be easy to parse.

      Offtopic, but why can't slashdot link to the meat rather than some ad-laden rehash?

    2. Re:Is it that easy? by lukas84 · · Score: 3, Informative

      Unluckily for you, this vulnerability will still affect you. If you read the security announcement by Microsoft, a possible workaround is to block all TNEF / winmail.dat attachments, which will break all incoming RTF mail. Depending on what your business exactly does, this might not be a viable workaround.

    3. Re:Is it that easy? by Just+Some+Guy · · Score: 4, Interesting

      yeah but qmail hasn't :p

      Of course, it has about 5% of the features of Exchange or Postfix or Exim or Sendmail or...

      --
      Dewey, what part of this looks like authorities should be involved?
    4. Re:Is it that easy? by SatanicPuppy · · Score: 3, Funny

      Wow, you have a firewall that stops email from getting to a mail server! I gotta get me one of those...It would reduce my workload by 95%! Since I don't answer any of my phones, the only way people could contact me with problems would be by ambushing me on the way to the bathroom.

      It would keep the CEO from ever contacting me, that's for sure. God knows he'd never be caught down here with people who do work.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    5. Re:Is it that easy? by gzipped_tar · · Score: 5, Insightful

      Properly written C and C++ code can and should trap all exceptions. There is no excuse for untrapped buffer overflows in mature commercial code.

      Buffer overflows are programmer errors, not program exceptions that signal some kind of event. They can't be "handled" -- they must be eliminated from the source code.

      --
      Colorless green Cthulhu waits dreaming furiously.
  3. Stop spreading FUD by Fred_A · · Score: 4, Funny

    It's all closed source, so there aren't any real vulnerabilities. Even the certified professionals say so. They're certified what more do you need !

    As if you could spread havoc through email on a proprietary system. Bah.

    --

    May contain traces of nut.
    Made from the freshest electrons.
    1. Re:Stop spreading FUD by Fred_A · · Score: 4, Funny

      We DON'T want to know what demonic code is stored in the source files on some secure Microsoft server up in Redmond.

      Hmmm...

      Did you know that if you boot Windows backwards you can hear satanic APIs ?

      --

      May contain traces of nut.
      Made from the freshest electrons.
  4. Oddly enough... by smooth+wombat · · Score: 3, Informative

    the IE fix ONLY affects IE 7. If you're running IE 6 (or even 5) on any platform, you don't have a patch to install.

    Could it be, *gasp*, that IE 6 is more secure than IE 7? The mind wobbles.*

    *For you yungins, go look up Kelly Bundy and the above phrase.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Oddly enough... by whyareallthenamestak · · Score: 5, Funny

      *For you yungins, go look up Kelly Bundy and the above phrase.

      I just did. The top result is your post!

    2. Re:Oddly enough... by Anonymous Coward · · Score: 3, Funny

      And the next thing we will hear is that Kelly Bundy has been citing smooth wombat for all these years.

  5. Re:Why can't Microsoft ever get this right? by Anonymous Coward · · Score: 5, Informative

    Why in the world would an e-mail delivery system ever consider executing external code?

    Exploits such as the ones mentioned aren't because the system is executing external code intentionally, rather, a carefully crafted message will overflow a buffer and change the values of some CPU registers. If the values change in such a way that a pointer moves execution to a part of the carefully crafted message, that message is now external code that is being run.

  6. Re:Bandwagon by drsmithy · · Score: 4, Informative

    You're not looking at the actual history of Microsoft Windows, though. Windows was (and still is, to a large part) built off what was originally a single-user system that would exist ENTIRELY as a standalone unit that was never connected to any other computers.

    No, it's not. Windows NT was designed from the start to be a multiuser, networked OS.

    UNIX, on the other hand, started with that kind of functionality in mind.

    Actually, no. The very first versions of UNIX were single user. The multiuser stuff was added later, which is probably why it still had (and still has, in most configurations today) the concept of a superuser, even when other OSes had moved on.

  7. So.... by Trashman · · Score: 5, Funny

    ....What "carefully crafted message" would I need to send to take over an Exchange Server?

    To: ExchangeServer@company.com
    Subject: H3ll0

    I 0wn you Now. Please reply back with passwords.

    Regards,
    Hax0r

    --
    Do not read this .sig
  8. Oblig. Quote by Anonymous Coward · · Score: 4, Funny

    That's nothing! If you boot Windows forwards, it loads Windows!

  9. We installed it ... by humph2 · · Score: 3, Interesting

    ... and Exchange 2003 stopped delivering messages to mailboxes.

    Rolled it back, and everything worked fine ^H^H^H^H just as it used to.

    I may be missing the point of these "fixes", but surely "security updates" should actually be tested at some stage?

    1. Re:We installed it ... by lukas84 · · Score: 4, Funny

      Yes, they should. Namely by you. In your testing environment. Before deploying it to production.

  10. Re:I love the small of hot-fix patches in the morn by Craig+Davison · · Score: 3, Insightful

    A local exploit is a potential problem even if you're the only user. If an attacker combines a remote non-root exploit (say an Apache bug that gets him access as the 'nobody' user) with a local exploit (that upgrades 'nobody' to 'root'), he now has a remove root exploit.

    Local in this case just means a logged-in, unprivileged user that can run arbitrary code.

    Read up on blended threats.

    --
    Hands in my pocket
  11. oh get over yourself by citylivin · · Score: 5, Insightful

    I had the same with exchange 2007. Calendaring stopped working so I reinstalled rollup 5 and everything went back to normal.

    As for your comment, one day when you move into the "real world" you will realize that you dont always have the resources to test every single patch that comes down the line. Id much rather have a microsoft patch fubar the machine than have a haxxor pwning it because i was busy testing a patch. At least when i have to explain to management why the email was down for 30 minutes, I can blame microsoft instead of saying that we got exploited (which would then become MY fault).

    Not everyone can afford to have redundant everything. Especially machines that are only used for testing, and therefor not in a production environment, where it is easier to find bugs. Sure, if your exchange server services 2000+ users, or generates tens of thousands of dollars a day then maybe you can afford another machine to test on. Most people in the Real World do not have those luxuries.

    --
    As a potential lottery winner, I totally support tax cuts for the wealthy