Microsoft, which had been annoying IT administrators by dragging its feet after flaws were found in Exchange 2007 and Exchange 2010 systems, has announced that the issues will be resolved tomorrow, August 14th, the day it calls “Patch Tuesday.” On Patch Tuesday, Microsoft will release nine security fixes, five of which are considered critical.
Although Microsoft’s announcement comes as a relief to some administrators who were worried after the company seemed to downplay the event, people familiar with Microsoft’s routine of issuing monthly updates were exasperated over the knowledge that they could be left in the dark until the next scheduled appointment. But since Microsoft now has a fix for the vulnerabilities, it has been forthcoming in stating that five of the flaws were indeed critical.
After the public first became aware of these flaws last month, Microsoft was careful to mention that it was “unaware of any active, in-the-wild exploits,” a statement that suggested that there would be no immediate fix since there was no immediate threat. Additionally, Microsoft was clear in identifying Oracle Outside In libraries as the “third-party” source responsible for the errors.
Andrew Storms of nCircle Security told Computerworld in an interview, “You need to evaluate the risk and determine if it's necessary to implement the mitigations. Meanwhile, the security guys sit and watch attack telemetry and hope Microsoft releases a fix soon.”
The flaws in Oracle Outside In libraries, which Microsoft’s FAST Search Server 2010 for SharePoint uses as well as Exchange 2007 and 2010, presented attackers with opportunities within the parsing process. Instead of opening an attachment in a local Word application, Oracle Outside In allows attachments to open in the browser. The vulnerabilities were exposed during the time that users believed their documents were being schematized.
While users were under the impression that the documents they wanted to open were being parsed, hackers could “install programs; view, change, or delete data; or take any other action that the server process has access to do,” according to Microsoft.
Edited by Brooke Neuman