MS patches flaw that could compromise, cripple Exchange

Tuesday released a critical patch designed to thwart hackers who could take over or shut them down with denial-of-service attacks.

Microsoft also issued a critical patch for Internet Explorer 7 and patches rated "important" for both SQL Server and Visio. In total, Microsoft issued four patches on Patch Tuesday that address eight vulnerabilities.

The Exchange patch -- MS09-003 -- is likely the most pressing issue for corporations, which host hundreds of millions of Exchange seats. There are two vulnerabilities addressed in MS09-003. Both hacks can be carried out without the need for interaction from end users.

With the first vulnerability, hackers would use a specially designed Transport Neutral Encapsulation Format (TNEF) message to attack the server. TNEF is a proprietary format used by the Exchange Server and Outlook clients to send messages in Rich Text Format.

Hackers simply have to address the TNEF message to any e-mail address tagged to a company's domain name to gain access to the server where they could execute code.

The second Exchange vulnerability is exploited using a specially formatted Messaging Application Programming Interface (MAPI) message and can lead to a denial-of-service attack.