Microsoft published four patches on Tuesday to close serious vulnerabilities in its Internet Explorer browser, its Exchange e-mail server and its SQL Server database software.
The fixes, released on Microsoft's regular monthly schedule, close two vulnerabilities in Internet Explorer 7 that are rated Critical, Microsoft's highest severity, when the browser runs on Windows XP. Either flaw could let a malicious Web site run code on a vulnerable visitor's system. The same flaws are rated only Moderate for other versions of Windows.
A second patch fixes two flaws in Microsoft's Exchange e-mail server, one of which could let an attacker take control of a company's e-mail system. The company stressed, through its exploitability rating for the flaw, that any exploit code developed to take advantage of it would likely work inconsistently at best.
Not everyone agreed, however.
"While Microsoft labels the Exchange bulletin as 'Inconsistent exploit code likely,' and there are no known public exploits yet, attackers are going to latch onto this like flies to honey," Andrew Storms, director of security operations for nCircle, said in a statement. "Don't be surprised if we begin to see early exploit code within a week."
Other security experts focused on the Microsoft SQL Server flaw as the most serious vulnerability, even though the software giant rated the issue only Important. The flaw allows an attacker to take control of the database server, but only if the attacker is already authenticated to the database. That prerequisite is always met by a Web application, because the Web server holds its own authenticated connection to the back-end database, said Eric Schultze, chief technology officer of Shavlik Technologies.
"Unauthenticated attackers — since when do you authenticate your attacker anyway? — can still leverage this flaw if they can plant their code using SQL server injection techniques via poorly coded websites," Schultze stated in an analysis of the Microsoft patches. "Proof of concept code has been published on the Internet."
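The path Schultze describes, a Web application's own database credentials being borrowed by an outsider, is easiest to see in code. The example below is added here for illustration; it is not from the article, from Shavlik or from Microsoft, and it does not touch the patched flaw itself. It uses an in-memory SQLite database, a constructed `customers` table and constructed rows as a stand-in for a SQL Server back end, and contrasts the "poorly coded website" pattern of pasting user input into SQL text with the hardened, parameterized form. A tautology in the input leaks every row from the vulnerable lookup and nothing from the safe one; a stacked-statement payload shows how a second statement of the attacker's choosing ends up in the query text, which a server that accepts batches would then run with the application's privileges.

```python
import sqlite3

# Constructed sample data for the demo: a tiny "customers" table standing in
# for the back-end database that a Web application is authenticated to.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_query(name):
    """The 'poorly coded website' pattern: user input concatenated into SQL.

    Whatever the visitor types becomes part of the statement text, so a
    quote character changes the query's structure, and on a server that
    executes batches (as SQL Server does) a ';' lets the visitor append a
    statement of their own. It runs under the Web application's database
    login, so an 'authenticated only' server flaw is within reach.
    """
    return "SELECT name, email FROM customers WHERE name = '" + name + "'"


def lookup_vulnerable(conn, name):
    """Execute the concatenated query and return the matching rows."""
    return conn.execute(build_vulnerable_query(name)).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the statement text and the value travel separately.

    The driver binds the value to the placeholder, so the input is only ever
    compared as a string and is never parsed as SQL.
    """
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, tautology))  # every row leaks
    print("safe:      ", lookup_safe(db, tautology))        # no such customer

    # Stacked-statement payload: the appended statement would execute on a
    # server that runs batches. sqlite3 refuses multi-statement strings, so
    # only the resulting SQL text is shown here.
    stacked = "x'; DELETE FROM customers; --"
    print(build_vulnerable_query(stacked))
```

The fix is not input filtering but keeping data out of the statement text entirely; the same placeholder binding is available in every SQL Server client library, and it is what makes the "already authenticated" precondition meaningful again.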
The remaining patch closed three security holes in Microsoft Office Visio. All three issues were rated Important.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos