Microsoft’s February Patch Tuesday: four updates

In two critical and two important security bulletins, Microsoft has described holes in Internet Explorer, Exchange, SQL Server and MS Office Visio.

Microsoft released a cumulative update For Internet Explorer to fix two critical holes in the Microsoft browser. Both vulnerabilities are caused by memory management flaws which, according to the vendor, can easily be exploited to inject code and execute it at the authorised user’s privilege level. (MS09-002)

Two holes were also discovered in the Exchange mail and groupware server, although only the hole that involves the handling of messages in the Transport Neutral Encapsulation Format (TNEF) was rated critical. The processing of specially crafted MAPI commands can only cause a denial of service of the Exchange server (MS09-003).

While the security hole in Microsoft’s SQL Server was reported in December, it has only been rated important, although it can also be exploited to inject and execute code. However, an attacker either needs to be able to log into the database or inject commands via an SQL injection hole. Microsoft was originally informed about this problem in April 2008. (MS09-004)

The fourth update fixes a total of three memory management flaws in the Visio component of Office. Microsoft only rated this vulnerability as important because it requires users to manually open Visio documents. (MS09-005)

At the very least, the holes in Internet Explorer are very dangerous and likely to be exploited for infecting the computers of users visiting specially crafted web pages in the near future. This update should, therefore, be given top priority. As the rest of the updates potentially also allow the injection of code, they should also be installed as soon as possible.

See also:

• Microsoft Security Bulletin Summary for February 2009, advisory from Microsoft

(djwm)