Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing four bulletins covering a total of eight vulnerabilities.Of those, three are “Critical” issues affecting Exchange Server and Internet Explorer. We haven’t seen email-based attacks in a while, but the first Exchange Server issue is exactly that. To exploit the issue, an attacker only needs to send an email with a specially crafted attachment and entice an unsuspecting victim into opening the email. The other Exchange issue, rated “Important,” can be remotely exploited to cause an affected server to crash. This could have a significant impact on enterprise users.We've noticed what appears to be a trend regarding Internet Explorer. The vendor has released a cumulative security bulletin for that product every other month for the past 18 months.The remaining issues, all rated “Important,” affect Visio and SQL Server. As always, customers are advised to follow these security best practices:- Install vendor patches as soon as they are available.- Block external access at the network perimeter to all but specific sites and computers only.- Run all software with the least privileges required while still maintaining functionality.- Do not follow links or open files from unknown or questionable sources.Microsoft’s summary of the February releases can be found here:http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx1. MS09-003 Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)CVE-2009-0098 (BID 33134) Microsoft Exchange Server TNEF Decoding Remote Command Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.8/10)A remote code-execution vulnerability affects Microsoft Exchange Server because of the way it handles Transport Neutral Encapsulation Format (TNEF) data. Attackers can exploit this issue by sending a specially crafted email message to an affected server and tricking a victim into opening the email. A successful exploit will result in the execution of attacker-supplied code in the context of the affected service.Affects: Microsoft Exchange Server 2000 SP3, Microsoft Exchange Server 2003 SP2, and Microsoft Exchange Server 2007 SP1.CVE-2009-0099 (BID 33136) Microsoft Exchange Server EMSMDB2 MAPI Command Remote Denial of Service Vulnerability (MS Rating: Important / Symantec Urgency Rating 5.7/10)A denial-of-service vulnerability affects the EMSMDB32 (Electronic Messaging System Microsoft Data Base, 32 bit build) component of Microsoft Exchange. An attacker can exploit this issue by sending a specially malformed MAPI command to an affected server. A successful exploit will cause the server to stop responding, effectively denying service to legitimate users.Affects: Microsoft Exchange Server 2000 SP3 and Microsoft Exchange Server 2003 SP2.2. MS09-002 Cumulative Security Update for Internet Explorer (961260)CVE-2009-0075 (BID 33627) Microsoft Internet Explorer Uninitialized Memory Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)A remote code-execution vulnerability affects Internet Explorer because of the way it handles an object that has been deleted. An attacker can exploit this issue by tricking a victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.Affects: Internet Explorer 7.CVE-2009-0076 (BID 33628) Microsoft Internet Explorer CSS Memory Corruption Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)A remote code-execution vulnerability affects Internet Explorer because of the way it handles certain styles in a cascading style sheet (CSS). An attacker can exploit this issue by tricking a victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.Affects: Internet Explorer 7.3. MS09-004 Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420)CVE-2008-5416 (BID 32710) Microsoft SQL Server 'sp_replwritetovarbin' Remote Memory Corruption Vulnerability (MS Rating: Important / Symantec Urgency Rating 8.9/10)This is a previously public (Dec. 9, 2008) remote code-execution vulnerability affecting Microsoft SQL Server. The issue occurs when the server handles the 'sp_replwritetovarbin' extended stored procedure call. By supplying several uninitialized variables as parameters to the call, an attacker can write to a controlled memory location. An attacker needs the ability to execute arbitrary SQL on an affected server to exploit this issue. This could occur through legitimate means or through the exploit of other latent SQL injection vulnerabilities. Successful exploits will result in the execution of attacker-supplied code in the context of the affected service.Affects: SQL Server 2000 SP4, SQL Server 2000 Itanium-based Edition SP4, SQL Server 2005 SP2, SQL Server 2005 x64 Edition SP2, SQL Server 2005 with SP2 for Itanium-based Systems, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) SP4, Microsoft SQL Server 2005 Express Edition SP2, Microsoft SQL Server 2005 Express Edition with Advanced Services SP2, Microsoft SQL Server 2000 Desktop Engine (WMSDE), Windows Internal Database (WYukon) SP2 x64, and Windows Internal Database (WYukon) SP2.4. MS09-005 Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (957634)CVE-2009-0095 (BID 33659) Microsoft Visio Object Validation Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating 7.1/10)A remote code-execution vulnerability affects Microsoft Visio because it does not properly validate object data when opening a Visio file. An attacker can exploit this issue by tricking a victim into opening a malicious file. Successful attacks will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user. Affects: Microsoft Office Visio 2002 SP2, Microsoft Office Visio 2003 SP3, and Microsoft Office Visio 2007 SP1.CVE-2009-0096 (BID 33660) Microsoft Visio Object Copy Memory Corruption Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating 7.1/10)A remote code-execution vulnerability affects Microsoft Visio because of how it copies object data in memory. An attacker can exploit this issue by tricking a victim into opening a malicious file. Successful attacks will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.Affects: Microsoft Office Visio 2002 SP2, Microsoft Office Visio 2003 SP3, and Microsoft Office Visio 2007 SP1.CVE-2009-0097 (BID 33661) Microsoft Visio Memory Corruption Remote Code Execution Vulnerability (MS Rating: Important / Symantec Urgency Rating 7.1/10)A remote code-execution vulnerability affects Microsoft Visio because of a memory-handling error when opening a Visio file. An attacker can exploit this issue by tricking a victim into opening a malicious file. Successful attacks will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.Affects: Microsoft Office Visio 2002 SP2, and Microsoft Office Visio 2003 SP3.
More information on this and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.