Microsoft Patches Security Bugs in Products

Microsoft has released patches for Exchange, SQL Server, and Windows, including a fix for a widespread flaw in DNS

By Robert McMillan, IDG News Service (San Francisco Bureau)

July 09, 2008

Microsoft has patched bugs in its Exchange, SQL Server and Windows software that could give hackers new ways to break into computers.

The company released four sets of patches Tuesday, all rated "important." They address a total of nine bugs in Microsoft's products.

Although Microsoft has not rated any of its patches as critical, they will still keep corporate system administrators busy this week, said Andrew Storms, director of security operations with security vendor nCircle. "Not only will the IT admins have their hands full with the normal client-side updates, but they also need to go patch two of the most important enterprise services in an organization -- e-mail and databases," he said via instant message.

Security experts say that the DNS (Domain Name System) bug is particularly worrisome. That's because the bug is due to a design flaw in the DNS protocol that affects all DNS servers on the Internet.

By sending certain types of queries to DNS servers, an attacker could redirect victims away from a legitimate Web site -- say, Bofa.com -- to a malicious Web site without the victim realizing it. This type of attack, known as DNS cache poisoning, doesn't affect only the Web. It could be used to redirect all Internet traffic to the hacker's servers.

The bug could be exploited "like a phishing attack without sending you e-mail," said Wolfgang Kandek, chief technical officer with Qualys.

Other DNS software providers, including the Internet Software Consortium, Cisco and Sun Microsystems, are also patching this vulnerability.

Although this flaw does affect some home routers and client DNS software, it is mostly an issue for corporate users and ISPs (Internet service providers) that run the DNS servers used by PCs to find their way around the Internet, said Dan Kaminsky, the IOActive security researcher who discovered the problem. "Home users should not panic," he said in a Tuesday conference call.

One of the bugs that Microsoft patched on Tuesday had previously been disclosed, making it a priority fix. That flaw, which lies in the version of Windows Explorer used by Vista and Windows Server 2008, could give criminals a way of running unauthorized software on a Windows PC. For that to happen, the attacker would first have to convince the user to open and save a specially crafted saved-search file using Windows Explorer.

Exchange shops that read e-mail via the Web should give the Exchange patch top priority, Qualys' Kandek said. That's because it can be exploited to attack users of Outlook Web Access (OWA) for Microsoft Exchange Server with a cross-site scripting attack. By sending maliciously encoded e-mails to OWA users, attackers could theoretically steal e-mail credentials and install malicious software on a victim's system, he said.
