Microsoft patches security bugs in products
Microsoft has patched bugs in its Exchange, SQL Server and Windows software that could give hackers new ways to break into computers.
The company released four sets of patches Tuesday, all rated "important." They address a total of nine bugs in Microsoft's products.
Although Microsoft has not rated any of its patches as critical, they will still keep corporate system administrators busy this week, said Andrew Storms, director of security operations with security vendor nCircle. "Not only will the IT admins have their hands full with the normal client-side updates, but they also need to go patch two of the most important enterprise services in an organization -- e-mail and databases," he said via instant message.
Security experts say that the DNS (Domain Name System) bug, is particularly worrisome. That's because the bug is due to a design flaw in the DNS protocol that affects all DNS servers on the Internet.
By sending certain types of queries to DNS servers, the attacker could then redirect victims away from a legitimate Web site -- say, Bofa.com -- to a malicious Web site without the victim realizing it. This type of attack, known as DNS cache poisoning, doesn't affect only the Web. It could be used to redirect all Internet traffic to the hacker's servers.
The bug could be exploited "like a phishing attack without sending you e-mail," said Wolfgang Kandek, chief technical officer with Qualys.
Other DNS software providers, including the Internet Software Consortium, Cisco and Sun Microsystems are also patching this vulnerability.
Although this flaw does affect some home routers and client DNS software, it is mostly an issue for corporate users and ISPs (Internet service providers) that run the DNS servers used by PCs to find their way around the Internet, said Dan Kaminsky, the IOActive security researcher who discovered the problem. "Home users should not panic," he said in a Tuesday conference call.
One of the bugs that Microsoft patched on Tuesday had previously been disclosed, making it a priority fix. That flaw, which lies in the version of Windows Explorer used by Vista and Windows Server 2008, could give criminals a way of running unauthorized software on a Windows PC. For that to happen, the attacker would first have to convince the user to open and save a specially crafted saved-search file using Windows Explorer.
Exchange shops that read e-mail via the Web should give the Exchange patch a top priority, Qualys' Kandek said. That's because it can be exploited to attack users of Outlook Web Access (OWA) for Microsoft Exchange Server with a cross-scripting attack. By sending maliciously encoded e-mails to OWA users, attackers could theoretically steal e-mail credentials and install malicious software on a victim's system, he said.
Finally, the SQL Server patch fixes four bugs that affect all supported versions of SQL Server.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
patches
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
