Microsoft Patch Tuesday Brings Four Fixes For Eight Flaws

The updates address vulnerabilities in Internet Explorer, Microsoft Exchange, SQL Server, and Visio.

Thomas Claburn, Editor at Large, Enterprise Mobility

February 10, 2009

2 Min Read

As part of its February patch cycle, Microsoft on Tuesday released four security bulletins addressing eight vulnerabilities in its software.

Two of the bulletins are designated "critical" and two are designated "important." They aim to fix vulnerabilities in Internet Explorer, Microsoft Exchange, SQL Server, and Visio.

  • MS09-002 (maximum severity of critical): This update resolves two newly discovered and privately reported vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

  • MS09-003 (maximum severity of critical): This update resolves two newly discovered and privately reported vulnerabilities in Microsoft Exchange. The first vulnerability could allow remote code execution and the second could allow denial of service.

  • MS09-004 (maximum severity of important): This update resolves a newly discovered and privately reported vulnerability in SQL Server, which could allow remote code execution if untrusted users access an affected system or if a SQL injection attack is carried out against an affected system.

  • MS09-005 (maximum severity of important): This update resolves three newly discovered and privately reported vulnerabilities in Microsoft Office Visio that could allow remote code execution if a user opens a specially crafted Visio file.

Microsoft also released Security Advisory 960715, which updates a set of previously published ActiveX kill bits. The new kill bits follow from Microsoft security bulletin MS08-070 and affect Akamai Download Manager and Research in Motion AxLoader.
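As an added example (not from the article or from Microsoft), the PowerShell below shows how an administrator can verify that a kill bit is actually present for a given control: a kill bit is the 0x400 flag in the "Compatibility Flags" DWORD under the ActiveX Compatibility registry key (Microsoft KB240797). The CLSIDs in the list are placeholders, since the article does not reproduce the ones covered by Advisory 960715.

```powershell
# Added example: report whether the ActiveX kill bit is set for each CLSID.
# Kill bits are stored per CLSID under the ActiveX Compatibility key; the
# 0x400 bit of "Compatibility Flags" blocks the control from loading in IE.
# The Wow6432Node path covers 32-bit IE on 64-bit Windows.

$KillBitFlag = 0x400
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $result = [ordered]@{ Clsid = $Clsid; KeyFound = $false; KillBitSet = $false }
    foreach ($base in $CompatKeys) {
        $path = Join-Path $base $Clsid
        if (-not (Test-Path $path)) { continue }
        $result.KeyFound = $true

        # Property name contains a space, so it is quoted when read.
        $flags = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -ne $flags -and (($flags -band $KillBitFlag) -eq $KillBitFlag)) {
            $result.KillBitSet = $true
        }
    }
    [pscustomobject]$result
}

# PLACEHOLDER CLSIDs: replace with the CLSIDs listed in Advisory 960715.
$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

$ClsidsToCheck | ForEach-Object { Test-ActiveXKillBit -Clsid $_ } | Format-Table -AutoSize
```

A row with KeyFound true but KillBitSet false means the key exists without the 0x400 flag, so the control is still loadable and the advisory update has not taken effect on that machine.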

Eric Schultze, CTO of Shavlik Technologies, considers MS09-004 to be the most interesting patch this month. "This patch addresses the zero-day SQL Server flaw reported by Sec-Consult" on Dec. 9, he said in a statement. "This flaw enables attackers to execute code of their choice on the affected SQL Server. The bar for exploitation is raised slightly in that the attacker must already have authenticated access to the SQL Server in order to pull off this exploit."

Because proof-of-concept exploit code for this vulnerability has been published already, Schultze suggests MS09-004 ought to be rated "critical." He advises patching MS09-003 and MS09-004 as soon as possible; MS09-002 and MS09-005, he says, can wait until a more convenient time.

Paul Zimski, VP of market strategy for Lumension, argues that MS09-002, the Internet Explorer patch, also needs to be dealt with right away. "The remote code execution vulnerabilities exist in IE7 on both Windows XP and Windows Vista -- probably the most prevalent Windows configurations in use today," he said in a statement. Microsoft, he added, gives this vulnerability a score of one on its Exploitability Index, meaning that exploit code can be created easily.



About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, information, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
