A hole allowing hackers to take control of Microsoft Exchange was just one "critical" issue the Redmond-based company promises it has fixed with a patch correcting a total of eight vulnerabilities in its programs, including the Internet Explorer browser, Office, and its SQL Server.

Three of the eight vulnerabilities patched yesterday were marked "critical". The most concerning is an issue with Exchange that would allow attackers to take over an Exchange server by simply forwarding a carefully crafted message to a corporate mail server. Microsoft has admitted that the vulnerability can be exploited when a user opens or previews an email in the Transport Neutral Encapsulation Format (TNEF).

A "blatant" vulnerability

Andrew Storms, nCircle Network Security Inc.'s security operations director, was baffled by the hack's potential. "What we're seeing here is that you can send a message and take control of an Exchange server," he said. "I don't remember an Exchange vulnerability that's quite so blatant. The functionality that the server provides is the way that you attack the system." (Source: computerworld.com)

Because even previewing the message gives hackers a chance to control a corporate mail server (a rewarding conquest, indeed), the problem should take first priority among companies hoping to prevent a security disaster.

"This seems to be a pretty bad one," remarked Wolfgang Kandek, security firm Qualys Inc.'s chief technology officer.

"This should be patched immediately..."

The second significant vulnerability Microsoft has patched concerns its popular Internet Explorer 7 browser. The two flaws are a problem in handling Cascading Style Sheets (CSS) and a memory corruption issue. Although they might not sound serious, Kandek assures that the holes are significant. "This should be patched immediately," he noted.

Other issues reportedly patched include a remote code execution vulnerability that Microsoft says it first discovered late last year. Patches for similar holes in Microsoft's Office software also block remote code execution, in this case via a malicious Visio file supplied by a hacker. (Source: cnet.com)