February 2009 Microsoft Security Bulletins

Although no high-profile vulnerabilities in Microsoft products were disclosed out-of-band in January, the February batch of Microsoft Security Bulletins brings patches for vulnerabilities that are bound to attract attention from malware writers, which also means that SophosLabs is very interested in working out how to prevent the attacks they might enable.

Probably the most interesting bulletin is MS09-002, which fixes two vulnerabilities in Internet Explorer 7, both of which could allow remote code execution. Since infections through visiting malicious web pages are common, it is safe to expect that malware writers will invest time in finding out how to exploit these issues. We have not yet seen any successful attempts to exploit these vulnerabilities in the wild, but we will keep our eyes wide open and make sure we update you if we discover any.

MS09-003 is also quite interesting, as it could allow an attacker to compromise Microsoft Exchange mail stores. As you know, Microsoft Exchange is the most commonly used SMTP server product in Windows environments, so the number of exposed hosts affected by this vulnerability is high. Furthermore, Exchange servers often hold a great deal of other confidential data, so it is very important that the security patch for these issues is applied as soon as possible. Again, we have not seen any samples actively exploiting this issue.

MS09-004 fixes a problem in Microsoft SQL Server. This vulnerability could potentially be exploited through SQL injection, so administrators are advised to apply the security patch as soon as possible, especially on servers that back web applications reachable from external networks.

As usual, SophosLabs has written an analysis of each patched vulnerability and assigned it a SophosLabs threat level:

MS09-002. Critical Cumulative Security Update for Internet Explorer (961260)
MS09-003. Critical Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)
MS09-004. Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution