Slashdot Mirror


MS Critical Patch Fixes 8 Vulnerabilities

nandemoari writes "A hole allowing hackers to take control of Microsoft Exchange was just one 'critical' issue the Redmond-based company promises it has fixed with a patch correcting a total of eight vulnerabilities in its programs, including the Internet Explorer browser, Office, and its SQL Server. Three of the eight vulnerabilities patched yesterday were marked 'critical.' The most concerning is an issue with Exchange that would allow attackers to take over an Exchange server by simply forwarding a carefully crafted message to a corporate mail server. Microsoft has admitted that the vulnerability can be exploited when a user opens or previews an email in the Transport Neutral Encapsulation Format (TNEF)."

8 of 202 comments

  1. Doesn't Sound so Bad by segedunum · · Score: 5, Funny

    Many people would love to outsource management of Exchange server, and it's even better if someone wants to do it for free.

    1. Re:Doesn't Sound so Bad by SatanicPuppy · · Score: 5, Insightful

      I've run it, and it doesn't. That you put them on the same page shows you've never run Exchange because Exchange is not about email.

      I'll tell you what I tell everyone: you need to go use Exchange for a while. Sit behind some manager and watch them fuck with their goddamn calendars for a while. Watch how neatly the calendars integrate with the email. Watch how it integrates with Office for document collaboration.

      There is no one product that handles all those features so well and so seamlessly.

      All those features can be had from a half dozen different OSS apps, and when you've laboriously cobbled them together into a working whole and presented it to management, they will give you a look like you handed them a plate full of dogshit, and then they will give you a list of things that aren't as good.

      And when you go back to your office you'll go over the list and you will grind your teeth because the fuckers are right. You will never convince people to ditch Exchange until you can provide a product that is just as good.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  2. Re:Is it that easy? by Anonymous Coward · · Score: 5, Insightful

    Like sendmail has never had critical vulnerabilities in its address parsing code?

    The irony is that the error is in MS's proprietary TNEF format. This is a binary format so it should be easy to parse.

    Offtopic, but why can't slashdot link to the meat rather than some ad-laden rehash?

  3. Re:Oddly enough... by whyareallthenamestak · · Score: 5, Funny

    *For you yungins, go look up Kelly Bundy and the above phrase.

    I just did. The top result is your post!

  4. Re:Why can't Microsoft ever get this right? by Anonymous Coward · · Score: 5, Informative

    Why in the world would an e-mail delivery system ever consider executing external code?

    Exploits such as the ones mentioned aren't because the system is executing external code intentionally, rather, a carefully crafted message will overflow a buffer and change the values of some CPU registers. If the values change in such a way that a pointer moves execution to a part of the carefully crafted message, that message is now external code that is being run.

  5. Re:Is it that easy? by gzipped_tar · · Score: 5, Insightful

    Properly written C and C++ code can and should trap all exceptions. There is no excuse for untrapped buffer overflows in mature commercial code.

    Buffer overflows are programmer errors, not program exceptions that signal some kind of event. They can't be "handled" -- they must be eliminated from the source code.

    --
    Colorless green Cthulhu waits dreaming furiously.
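    Added illustration, not from any poster in this thread: the mechanism comment 4 describes (a message whose length field is trusted, so the copy runs past the buffer and into saved registers and the return address) and the point comment 5 makes (no exception fires; the only fix is a bounds check in the source), shown in C as a vulnerable parser beside its hardened form. The record layout, the 64-byte attribute limit, the function names and the sample records are all constructed for this example; they are not the real TNEF format and not Exchange code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this illustration only (not real TNEF):
 * a 4-byte little-endian length, followed by that many bytes of data. */
#define ATTR_MAX 64

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable shape: the length field is taken from the message and used
 * directly to size a copy into a fixed buffer. An oversized length writes
 * past 'out' into whatever the compiler placed after it (other locals,
 * saved registers, the return address), which is the mechanism comment 4
 * describes. Nothing is thrown or trapped: memcpy simply succeeds into the
 * wrong memory, which is why comment 5 says this cannot be "handled". */
int parse_attr_unsafe(const uint8_t *msg, size_t msg_len, char out[ATTR_MAX])
{
    if (msg_len < 4)
        return -1;
    uint32_t len = read_le32(msg);
    memcpy(out, msg + 4, len);   /* BUG: len never compared with ATTR_MAX or msg_len */
    out[len] = '\0';
    return (int)len;
}

/* Hardened shape: the untrusted length is checked against both the data
 * actually received and the destination size before it is used. Malformed
 * records are rejected with a distinct error code instead of being copied. */
int parse_attr_safe(const uint8_t *msg, size_t msg_len, char out[ATTR_MAX])
{
    if (msg == NULL || out == NULL || msg_len < 4)
        return -1;               /* truncated header */
    uint32_t len = read_le32(msg);
    if (len > msg_len - 4)
        return -2;               /* claims more data than was received */
    if (len >= ATTR_MAX)
        return -3;               /* would not fit, even with room for the NUL */
    memcpy(out, msg + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t GOOD_RECORD[]  = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
/* Declares 0x1000 bytes but carries only 4: a lying length field. */
static const uint8_t LYING_RECORD[] = { 0x00, 0x10, 0, 0, 'A', 'B', 'C', 'D' };

static char g_out[ATTR_MAX];     /* shared destination for the helpers below */

int parse_good_record(void)
{
    return parse_attr_safe(GOOD_RECORD, sizeof GOOD_RECORD, g_out);
}

int parse_lying_record(void)
{
    return parse_attr_safe(LYING_RECORD, sizeof LYING_RECORD, g_out);
}

/* A record that is honest about its size (100 bytes present, 100 declared)
 * but still larger than the 64-byte destination. */
int parse_oversized_record(void)
{
    uint8_t rec[4 + 100];
    rec[0] = 100; rec[1] = 0; rec[2] = 0; rec[3] = 0;
    memset(rec + 4, 'X', 100);
    return parse_attr_safe(rec, sizeof rec, g_out);
}

int main(void)
{
    printf("good record      -> %d (%s)\n", parse_good_record(), g_out);
    printf("lying record     -> %d\n", parse_lying_record());
    printf("oversized record -> %d\n", parse_oversized_record());
    /* parse_attr_unsafe is deliberately not called with the bad records:
     * on the oversized one it would overwrite the stack of this very function. */
    return 0;
}
```

    The safe parser rejects both malformed records before any byte is copied; the unsafe one has no point at which a handler could run, because the corruption happens inside a copy that completes normally. Compiling with stack protection or running under a sanitizer turns the unsafe version's silent overwrite into a crash, which is useful for finding such bugs in testing, but the bounds check is the fix.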
  6. So.... by Trashman · · Score: 5, Funny

    ....What "carefully crafted message" would I need to send to take over an Exchange Server?

    To: ExchangeServer@company.com
    Subject: H3ll0

    I 0wn you Now. Please reply back with passwords.

    Regards,
    Hax0r

    --
    Do not read this .sig
  7. oh get over yourself by citylivin · · Score: 5, Insightful

    I had the same with Exchange 2007. Calendaring stopped working so I reinstalled rollup 5 and everything went back to normal.

    As for your comment, one day when you move into the "real world" you will realize that you don't always have the resources to test every single patch that comes down the line. I'd much rather have a Microsoft patch fubar the machine than have a haxxor pwning it because I was busy testing a patch. At least when I have to explain to management why the email was down for 30 minutes, I can blame Microsoft instead of saying that we got exploited (which would then become MY fault).

    Not everyone can afford to have redundant everything. Especially machines that are only used for testing, and therefore not in a production environment, where it is easier to find bugs. Sure, if your Exchange server services 2000+ users, or generates tens of thousands of dollars a day, then maybe you can afford another machine to test on. Most people in the Real World do not have those luxuries.

    --
    As a potential lottery winner, I totally support tax cuts for the wealthy