RealTime IT News

Microsoft Fixes IE in February Patch Update


Microsoft today released its monthly Patch Tuesday update, targeting eight vulnerabilities spread across Microsoft's Internet Explorer Web browser, Exchange mail server, SQL database server and Office applications.

At the top of the patch list is Internet Explorer, which is receiving an update rated "Critical" by the company, designed to close a pair of vulnerabilities.

Microsoft identifies the first of the two flaws as an "Uninitialized Memory Corruption Vulnerability." The issue stems from how IE deals with objects that have been deleted. According to the company's advisory, "an attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution."

The second IE issue deals with a memory corruption vulnerability in how the browser handles Cascading Style Sheets, or CSS -- a common layout technology on modern Web sites. Microsoft noted in its advisory that certain types of CSS styles, when loaded by IE, could trigger memory corruption. That corruption could, in turn, potentially enable an attacker to execute arbitrary code.

Microsoft's latest IE updates arrive as the company is coming off a recent spate of trouble with the browser, during which IE exploits grew beyond Microsoft's usual Patch Tuesday updates. In December, Microsoft revealed that it evidently missed a few IE updates, which ended up becoming zero-day exploits. Microsoft released an out-of-cycle patch for IE a few weeks later.

The two newest IE issues are specific to IE 7 and do not affect IE 6 or 5, according to Microsoft. Neither has been targeted in exploits found in the wild -- yet.

"Although there is no known exploit code available today, we expect it to be available soon," Paul Zimski, vice president of market strategy for security patch vendor Lumension, told InternetNews.com.

"This update addresses two separate vulnerabilities that are rated a '1' on Microsoft's exploitability index and are noted as 'Consistent' -- exploit code can be crafted easily," he added, referring to Microsoft's recently unveiled, three-level ranking of vulnerabilities' potential danger.

According to Microsoft, exploits that rank "2" or "3" on the index, respectively, are likely to result in "Inconsistent" results, or aren't likely to function at all.

SQL Server and Exchange

Microsoft's latest monthly roundup of updates also deals with Exchange Server, which gets two Critical fixes. One of the fixes deals with a remote code execution vulnerability that could be triggered by a malicious e-mail attachment in Microsoft's Transport-Neutral Encapsulation Format (TNEF).

The second issue is triggered by a malicious Messaging Application Programming Interface, or MAPI, command that could lead to a denial-of-service attack on a vulnerable Exchange server.

SQL Server also gets a fix -- rated "Important" -- in the February update, addressing an issue that could potentially lead to unintended remote code execution. The company's advisory on the issue pointed the finger at a parameter checking problem with the "sp_replwritetovarbin" extended stored procedure.

If the vulnerability were to be exploited, an attacker could do whatever they wanted to the database, including changing or deleting data. The update addresses the problem by validating input parameters passed to the procedure, according to Microsoft.

In addition to the application fixes, Microsoft is updating its Malicious Software Removal Tool (MSRT) to identify and remove Win32/Srizbi -- the malware responsible for taking over PCs and using them in the widespread Srizbi botnet.

"Historically, Win32/Srizbi has been accused of being responsible for a huge chunk of spam e-mail messages sent in the years after its discovery," Microsoft Threat Research and Response blogger Vincent Tiu wrote. "We hope to make a positive impact with the addition of Win32/Srizbi into MSRT."

As it turns out, that update may address a botnet that's now fading from relevance. Recent reports indicate that Srizbi may have petered out after its main host, McColo, was cut off by its ISPs last year.