Microsoft Corp. has patched bugs in its SQL Server, Exchange and Windows software that could let hackers mess with Internet Domain Name Systems and act as phishing attacks.
The company released four sets of patches Tuesday, all rated “important.” They address a total of nine bugs in Microsoft’s products.
Although Microsoft has not rated any of its patches as critical, they will still keep corporate system administrators busy this week, said Andrew Storms, director of security operations with security vendor nCircle. “Not only will the IT admins have their hands full with the normal client-side updates, but they also need to go patch two of the most important enterprise services in an organization — e-mail and databases,” he said via instant message.
Security experts say that the DNS (Domain Name System) bug, is particularly worrisome. That’s because the bug is due to a design flaw in the DNS protocol that affects all DNS servers on the Internet.
By sending certain types of queries to DNS servers, the attacker could then redirect victims away from a legitimate Web site — say, Bofa.com — to a malicious Web site without the victim realizing it. This type of attack, known as DNS cache poisoning, doesn’t affect only the Web. It could be used to redirect all Internet traffic to the hacker’s servers.
The bug could be exploited “like a phishing attack without sending you e-mail,” said Wolfgang Kandek, chief technical officer with Qualys. Other DNS software providers, including the Internet Software Consortium, Cisco and Sun Microsystems are also patching this vulnerability.
Although this flaw does affect some home routers and client DNS software, it is mostly an issue for corporate users and ISPs (Internet service providers) that run the DNS servers used by PCs to find their way around the Internet, said Dan Kaminsky, the IOActive security researcher who discovered the problem. “Home users should not panic,” he said in a Tuesday conference call.
One of the bugs that Microsoft patched on Tuesday had previously been disclosed, making it a priority fix. That flaw, which lies in the version of Windows Explorer used by Vista and Windows Server 2008, could give criminals a way of running unauthorized software on a Windows PC. For that to happen, the attacker would first have to convince the user to open and save a specially crafted saved-search file using Windows Explorer.
Exchange shops that read e-mail via the Web should give the Exchange patch a top priority, Qualys’ Kandek said. That’s because it can be exploited to attack users of Outlook Web Access (OWA) for Microsoft Exchange Server with a cross-scripting attack. By sending maliciously encoded e-mails to OWA users, attackers could theoretically steal e-mail credentials and install malicious software on a victim’s system, he said. Finally, the SQL Server patch fixes four bugs that affect all supported versions of SQL Server.
