Microsoft Patches Security Flaws in Windows, SQL Server, and Exchange

Published: July 9, 2008

by Alex Woodie

Microsoft published four patches for nine security vulnerabilities in Windows and other products yesterday during its monthly Patch Tuesday event. All of the flaws carry the rating of "important," which is a step below "critical" in Microsoft's severity rating system. Nevertheless, newly disclosed flaws in Exchange Server and SQL Server could open the door to potentially harmful attacks from internal and external threats, and as such they should not be taken lightly.

Two flaws in Windows' implementation of the Domain Name System (DNS) protocol that could leave users open to spoofing attacks were patched with MS08-037. The flaws, which affect both client and server DNS components, could allow attackers to redirect Internet traffic to locations of their choosing by sending specially crafted DNS packets to an affected Windows 2000, Windows XP, or Windows Server 2003 system. Microsoft says neither of the flaws have been publicly revealed before yesterday, and neither of them are being actively exploited in the wild. Dan Kaminsky of the computer security services firm IOActive is credited with discovering one of the flaws.

A remote code execution vulnerability in Windows Vista and Windows Server 2008 was fixed with MS08-038. A flaw in the way that Windows Explorer parses Windows Search files when saving them could enable an attacker to take complete control of a user's system by tricking the user into visiting a malformed Web site or opening a malicious document.

While remote code execution vulnerabilities are usually considered critical, in this case, the new user account control security feature of Vista and Windows Server 2008, where regular users run with fewer rights than the administrator, provide some protection from exploitation. This flaw had previously been publicly disclosed back in March, but is not being actively exploited, according to Microsoft.

Two cross-site scripting flaws in Outlook Web Access (OWA) that could give an attacker full access to a victim's e-mail account has been addressed with MS08-039. The elevation of privilege vulnerabilities are present in OWA running on Exchange Server 2003 Service Pack 2, Exchange Server 2007, and Exchange Server 2007 SP1. Neither of the flaws had previously been disclosed, nor have they been exploited in the wild, according to Microsoft. Michael Jordan of Context Information Security gets credit with reporting the flaws.

The OWA flaws could open the door to greater riches for a hacker, according to Tyler Reguly, a security engineer with nCircle, a provider of network security solutions. "These vulnerabilities offer great opportunity for an attacker to snoop for additional information before attempting to breach a company’s network security," he says.

The final patch, MS08-040, addresses four elevation of pillage flaws in all recent versions of SQL Server, including SQL Server 7.0, SQL Server 2000, SQL Server 2005, the Microsoft Data Engine (MSDE) 1.0, MSDE 2000, SQL Server 2000 Desktop Engine (WMSDE), and the Windows Internal Database (WYukon).

In the case of the SQL Server vulnerabilities, attackers must be authenticated to exploit these flaws. In the case of the Memory Page Reuse vulnerability, the attacker must already have the clearances of a computer operator, or access to backups or logs, to exploit the flaw. In other cases, the attacker must have a valid Windows logon, or clearance to submit SQL statements.

Nevertheless, with three of the flaws, an attacker who successfully exploited the vulnerability would gain complete control over the database--a catastrophic event from a security point of view. However, this would be fairly unlikely to happen, considering the pains most organizations take to protect their databases from external access.

Microsoft has traditionally focused on protecting its products from unauthenticated, external attacks. But the SQL vulnerabilities could indicate it has a bigger problem with internal threats than it first appeared, according to Reguly. "I wonder if perhaps Microsoft is failing to pay close enough attention to the authenticated vulnerabilities," he says. "This could mean there is, perhaps, a larger attack surface for insider threats than there is for outside attackers."

According to Don Leatham, director of solutions and strategy at patch management vendor Lumension Security, the potential harm from the SQL Server and Exchange Server flaws should not be underestimated.

"Both of these products can be high-value targets and these vulnerabilities could be considered critical depending on the organization," he says. "Many corporations hold not only their basic business information, but also their customer/patient data and critical intellectual property in Microsoft SQL Servers databases, or transmit these types of data via Microsoft Exchange servers. Companies that depend heavily on SQL and Exchange servers to manage and store customer or patient data and intellectual property should evaluate the criticality of these updates and possibly address them as a critical level security update."