Microsoft fixes 'critical' Exchange server security hole

Problems with Oracle's Outside In technology could be the culprit
Microsoft (Nasdaq: MSFT) is fixing a large number of security holes across most of its products this Tuesday as part of its monthly patch schedule, including "critical" vulnerabilities in Exchange server, Windows and Internet Explorer (IE).

Overall, Microsoft is plugging 57 security holes in 12 security bulletins, five of them classified as "critical" and seven classified as "important."

Exchange is an important business application for many enterprises. It is a mail server, calendar software and contact manager that runs on Windows Server, and it provides mobile sync for iPhones, Androids, Windows Phone and other mobile devices.

Andrew Storms, director of security operations for security firm nCircle, noted that Microsoft has released a number of fixes over the last couple of months for Oracle's Outside In technology, which is used by the Exchange server. "Exchange server bugs make a lot of people nervous; let's hope this month's Exchange patch is as dull as ditch water," he wrote in comments emailed to FierceEnterpriseCommunications.

Microsoft is issuing two bulletins to fix security flaws in IE. "That's unusual because generally, when Microsoft patches IE, the patch is delivered as a single bulletin. The planned delivery of two separate IE bulletins has my 'Spidey' senses on alert. I'm sure other IT security teams are wondering exactly what kind of IE valentine we're going to get," Storms opined.

The broad range of products being fixed by Microsoft this Tuesday is surprising, noted Paul Henry, security and forensic analyst with security firm Lumension.

"It's disturbing to note how many different Microsoft platforms are critically affected this month. Everything from Windows XP to the new Windows RT is critically impacted. It's never a good sign when your current code base is impacted," Henry wrote in comments emailed to FierceEnterpriseCommunications.

Henry judged that the two IE bulletins contain fixes for Oracle's Java software, which has been plagued by ongoing security problems. Earlier this month, Oracle issued patches for over 50 Java vulnerabilities ahead of schedule because of the "active exploitation 'in the wild' of one of the vulnerabilities affecting the Java Runtime Environment in desktop browsers."

In response to the Java vulnerabilities, Apple (Nasdaq: AAPL) blocked Java from operating on Macs following a warning from the Department of Homeland Security about security flaws in Java coding, according to a report by AP.

The constant stream of reports about security vulnerabilities in major software products should keep IT administrators on their toes about patching their systems. Otherwise, they risk having their companies become the latest breach headline.

For more:
- see Microsoft's security bulletin advanced notice
- read Microsoft's Security Response Center team blog
- check out the Oracle patch advisory for Java
- read the AP report
