Microsoft today released seven patches - all critical - addressing 19 vulnerabilities, including a promised fix for the well-publicised but sparsely exploited zero-day DNS server flaw.While that bug drew the majority of headlines over recent weeks, researchers today said the most significant patch appears to be MS-0726, which provides a fix for a critical Microsoft Exchange vulnerability that could result in remote code execution should a user open a malformed email attachment.
"Considering the level of privilege an attacker can gain through this vulnerability, I would not be surprised to see public exploitation very soon," said Tom Cross, an X-Force researcher at IBM Internet Security Systems.
Other patches of note include a bulletin addressing five flaws in Internet Explorer (IE), some of which affect IE 7 on the Vista operating system, and a file-overwrite vulnerability in a Windows Media Server ActiveX control.
The DNS vulnerability may allow an attacker to launch a stack-based buffer overflow that grants privileged access, according to researchers.
"By sending a malicious RPC (remote procedure call) request, a hacker can take remote control of the DNS server," Amol Sarwate, manager of vulnerability research at Qualys, told SCMagazine.com.
His collaegue, Jonathan Bitle, manager of technical account management at Qualys, told SCMagazine.com that administrators must pay particular attention to the DNS and Exchange Server flaws because if they get exploited, the entire organisation could be crippled.
"The devices that are potentially under attack are devices that can affect an entire organisation," he said. "It's not like an end-user's workstation. When you bring done an Exchange Server, it can bring down the entire organisations’ mail server. The same thing with DNS - that can affect all the traffic on someone’s network. (These patches) should be given an especially high priority."
Microsoft additionally patched seven vulnerabilities in Office, spanning three bulletins, including fixes for a number of Word and Excel bugs. This exemplifies a continued trend toward client-side vulnerabilities, experts said.
"These applications are the most frequently targeted by malware writers so we recommend that all customers evaluate their security coverage and policies to ensure they have adequate protection in place," said Dave Marcus, security research and communications manager at McAfee Avert Labs.
Redmond additionally fixed a vulnerability in CAPICOM and BizTalk server. CAPICOM is an ActiveX security technology that enables programmers using Visual Basic, Visual Basic Script, ASP and C++ to include digital signing and encryption in their application, according to Microsoft.