Microsoft pushes monthly update while experts doubt Exploitability rankings
On Tuesday, Microsoft released four updates that addressed eight vulnerabilities in Microsoft Office and Internet Explorer. One update, 09-003 for Microsoft Exchange, has earned the ire of one security expert based on the Exploitability Index (EI) rating assigned to the critical patch.
The Internet Explorer patch addressed problems that allow attackers to run code at will on an exploited system. Paul Zimski, VP of market strategy for Lumension, calls the critical IE patch the most important.
“The remote-code-execution vulnerabilities exist in IE 7 on both Windows XP and Windows Vista – probably the most prevalent Windows configurations in use today. This update addresses two separate vulnerabilities that are rated a ‘1’ on Microsoft’s Exploitability Index (consistent exploit code can be crafted easily),” Zimski explained.
“Although there is no known exploit code available today, we expect it to be available soon. Browser vulnerabilities are especially popular with the [criminal] community to deliver blended attacks where a compromised browser is used to introduce additional malware onto the computer.”
Discussing the Exchange Server patch, Zimski added, “The Exchange bulletin is a remote code executive, and as far as sensitive information and critical data are concerned, this has proven to be the easiest target for hackers to infiltrate. If the bad guys are able to compromise an organization’s Exchange Server, then they will be able to intercept every email coming and going, essentially making it open to every corporation across the globe. Given the proximity of the Exchange Server to external data entering the network, organizations will want to deploy this update immediately.”
Some businesses will place less of a priority on the Exchange patch because of the ranking assigned to it on the Exploitability Index. Both problems, the denial-of-service due to a specially crafted MAPI command sent to an Exchange Server, and the total compromise of an Exchange Server thanks to a specially crafted TNEF message, are listed as a “2” on the Exploitability Index.