The latest monthly patches from Microsoft have been welcomed, though experts admit that more could be done.
Eric Schultze, CTO at Shavlik Technologies, claimed that the monthly update offered a ‘seemingly light batch of patches’ that trailed an even lighter, single-patch release in January.
Schultze said: “I recommend a two-pronged approach to patching this month. Two patches are for server issues (09-003 and 09-004 - Exchange and SQL) and two are for client-side applications (09-002 and 09-005 - IE7 and Visio).
“Give the two server patches to the server maintenance team and ask that they install these two as soon as possible - given what I believe is the severity of these issues. Give the two client-side patches to the desktop team and have them install these patches in the next update cycle or as they see fit - but no need to burn the weekend candle for these.”
He described MS09-002 as a typical IE patch, but found it unusual that the vulnerability is only present in Internet Explorer 7. He asked ‘what did Microsoft put in IE7 that they didn't put in earlier versions that leads to this exploit, and why didn't their new security testing program catch this vulnerability?’
Schultze also described MS09-004 as ‘probably the most interesting patch this month’. It addresses the zero-day SQL Server flaw reported by Sec-Consult on 9th December that enables attackers to execute code of their choice on the affected SQL Server.
Schultze said: “The bar for exploitation is raised slightly in that the attacker must already have authenticated access to the SQL Server in order to pull off this exploit. However, unauthenticated attackers (since when do you authenticate your attacker anyway?) can still leverage this flaw if they can plant their code using SQL Server injection techniques via poorly coded websites.
“Proof-of-concept code has been published on the internet; however, Microsoft says they have not seen proof of exploitation. I'd probably rate this patch as critical - given the end result capable. I'm guessing Microsoft has downgraded this severity because of the ‘authentication’ requirement, although they give this a '1' in the exploitability index - saying that consistent exploit code is likely.”
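Schultze's point is that a flaw which nominally requires authenticated SQL Server access can still be reached by an outsider when a web application hands untrusted input to the database as SQL text, because the application's own database login then runs whatever the attacker's input turns the statement into. The following added example (not code from the article, Shavlik or Microsoft) shows the defensive side of that observation: the same login lookup written with string concatenation and with bound parameters, run against a constructed in-memory SQLite table so it works offline. The table, the user names and the `lookup_vulnerable`/`lookup_safe` function names are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data standing in for a website's user table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name, password):
    """'Poorly coded website' pattern: user input is spliced into the SQL text.

    Whatever the caller types becomes part of the statement, so the database
    executes it with the privileges of the application's own login - the
    route by which an unauthenticated web user reaches a flaw that is
    supposed to require an authenticated SQL connection.
    """
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name, password):
    """Parameterised pattern: the statement is fixed, input is bound as data.

    The driver sends the values separately from the SQL text, so quote
    characters or keywords in the input can never change what the query does.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def compare(name, password):
    """Run both lookups on the same input and return their results for review."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, name, password),
        "safe": lookup_safe(conn, name, password),
    }


if __name__ == "__main__":
    # A normal login works identically in both versions.
    print(compare("alice", "s3cret"))
    # Input containing a quote and a tautology: the concatenated version's
    # WHERE clause becomes always-true and matches every row; the bound
    # version simply finds no user with that literal name and password.
    print(compare("' OR '1'='1", "' OR '1'='1"))
```

Running the script shows the concatenated query returning every user for the second input while the parameterised query returns nothing, which is exactly the difference between a site that exposes the database login's privileges to anonymous visitors and one that does not. Reviewing application code for the first pattern is the practical complement to applying the server patch.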
Speaking on the MS09-004 patch, Alan Bentley, regional VP EMEA of Lumension, said: “Although Microsoft identifies multiple mitigating factors that make external exploitation of this vulnerability unlikely, it could still be used by someone mounting an internal attack to execute a SQL injection exploit.
“Microsoft notes that functional exploit code has been published, so organisations should definitely look at this update, especially from an insider attack standpoint.”