Patch Tuesday: Microsoft has critical fixes for Exchange Server

Network World – Businesses will want to jump on patches that fix vulnerabilities across the full range of supported Microsoft Exchange Server versions flagged in next week’s Patch Tuesday alerts.

“This month’s remediation is all about the Exchange servers,” says Tommy Chin, a technical support engineer at CORE Security. The critical alert affects all supported versions of Exchange Server – Exchange Server 2007 Service Pack 3, Exchange Server 2010 SP 2 and 3, and Exchange Server 2013, cumulative updates 1 and 2.

Chin says Exchange’s reliability is generally taken for granted. “However, what if all e-mail communications suddenly became compromised?” he says. “For most organizations, this scenario is simply unacceptable due to the sensitive information contained within today’s e-mail conversations.”

Ross Barrett, senior manager of security engineering at Rapid7, agrees. “If this is truly a remotely exploitable issue that does not require user interaction, then it’s a potentially wormable issue and definitely should be put at the top of the patching priority list,” Barrett says.

Another critical alert, Bulletin 1, affects current versions of operating systems Windows 8 (and Windows RT) and Windows Server 2012, as well as earlier versions back through Windows XP and Windows Server 2003.

There are no details yet on the exact vulnerabilities, but a critical ranking means they could allow code execution even if the user doesn’t interact with the attack. Self-propagating malware and code execution without warnings or prompts are exploits that fit this category; examples include browsing an infected Web page or opening a malicious e-mail.

“To me, Bulletin 1 is most critical,” says Ken Pickering, the director of engineering at CORE Security. “The last time I saw an IE Remote Code execution of this caliber, I saw live malware exploiting it not too long after. People are getting good at turning these IE vulnerabilities into web-based attacks.”

Bulletin 1 affects Internet Explorer from Version 6 to Version 10 as deployed on all Windows client operating systems from Windows XP to Windows 8, including its ARM version, Windows RT. It also affects Windows Server 2003, 2008, 2008 R2 and 2012.

Three out of eight bulletins this month are critical, possibly facilitating remote code execution on victim machines. The rest of the bulletins are ranked important: two allow elevation of privileges by attackers, two threaten denial of service, and one could allow disclosure of information on the attacked machine.

Paul Henry, a security and forensics analyst at Lumension, notes that the bulletin count for this year so far is up seven over last year at this time, but that this year so far has 10 fewer critical ones.

Barry Hesk
Intrinsic Network Solutions