Today’s monthly patch batch from Microsoft fixes a critical flaw in Internet Explorer 7 that could allow a malicious Web site to install malware on a vulnerable PC, along with a patch for the Visio diagramming software. And businesses that run a Microsoft Exchange or SQL server will want to apply essential fixes right away.
Microsoft’s bulletin says attack code that targets the MS09-002 IE7 flaw “can be crafted easily,” so be sure you get this one via Windows Update. The Internet Storm Center reports that there are no known attacks yet, but the flaw affects both XP and Vista. Interestingly, it affects only IE7 and not earlier versions of the browser.
You’ll also find a fix for the Visio diagramming software: opening a maliciously crafted Visio file can let an attacker run any command on your PC. The program is popular among network and server administrators, who typically have far-reaching permissions on their networks, so I wouldn’t be at all surprised to see a targeted attack come along that goes after this flaw. Get more info and the patch from the MS09-005 bulletin.
The other two fixes are for servers – Exchange and SQL Server. Exploit code for the SQL Server flaw has been circulating since December, according to the ISC, so if your company has a SQL Server that is reachable from the Internet (for example, behind a public Web site), schedule an emergency fix to prevent a SQL injection or other attack. Get details at the MS09-004 page.
Do the same for your company Exchange server, which could be taken over by a specially crafted TNEF message sent to it by an attacker. No known attacks against this one just yet, according to the ISC, but don’t wait for one to show up. This one’s MS09-003.
Update: Regarding the MS09-004 SQL server vulnerability, Microsoft says that while the flaw can be targeted after a successful SQL injection attack, the MS09-004 flaw isn’t itself a SQL injection vulnerability.
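The distinction in that update matters for prioritizing work: the MS09-004 flaw is reached after an attacker already gets SQL text into the server, so an application that never lets user input become SQL removes that route, while the patch fixes the server-side flaw itself. The following is an added example written for this post, not code from Microsoft or the ISC; it uses Python’s bundled SQLite as an offline stand-in for SQL Server (an assumption made so it runs anywhere) and a constructed three-row table, and contrasts a lookup built by string concatenation with one that passes the value as a bound parameter.

```python
import sqlite3

# Constructed sample data standing in for an application table. SQLite is used
# only as an offline stand-in for the SQL Server instance discussed in the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Builds the statement by concatenation, so whatever the caller supplies is
    # parsed as SQL. This is the pattern that gives an attacker the foothold
    # the MS09-004 update describes.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Keeps the statement fixed and hands the value to the driver separately;
    # the input is only ever compared as data, never executed as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    # Constructed tautology probe: the textbook input defenders use when
    # testing a form field for injection.
    conn = make_db()
    probe = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "bob"),
        "vulnerable_probe": lookup_vulnerable(conn, probe),
        "safe_normal": lookup_parameterized(conn, "bob"),
        "safe_probe": lookup_parameterized(conn, probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running it shows the concatenated query returning every row for the probe input while the parameterized query returns nothing, because no user is literally named `x' OR '1'='1`. Auditing an application for the first pattern is worth doing alongside the patch, but it is not a substitute for it: the server-side flaw stays in place until MS09-004 is applied.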