Microsoft Patches At Least 20 Vulnerabilities In April 2009 Update

April 14th, 2009

Microsoft Patches At Least 20 Vulnerabilities In April 2009 Update

Microsoft’s April batch of security patches fixes at least 20 documented vulnerabilities listed in 8 bulletins. This month’s fixes cover several code execution bugs that are currently being actively exploited (Microsoft Excel and Microsoft WordPad) and two issues that have been publicly known for at least a year (token kidnapping and Safari-to-Internet Explorer blended threat).

The most serious of the flaws could lead to remote code execution attacks that give a malicious hacker complete control over a vulnerable machine. Cumulative Internet Explorer update (MS09-014) covers 4 privately reported and two publicly disclosed vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker’s server by way of the HTTP protocol. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft’s April updates details:

MS09-009 (Excel) – Multiple memory corruption vulnerabilities allow random code execution. Also affect Excel viewer and Mac OS X versions of Microsoft Office. Replaces MS08-074. Actively exploited.

MS09-010 (Wordpad & Office converters) Multiple vulnerabilities allow random code execution. Replaces MS04-027. Actively exploited.

MS09-011 (DirectX) MJPEG input validation error allows random code execution. Replaces MS08-033. No publicly known exploits.

MS09-012 (Windows) Multiple vulnerabilites allow privilege escalation and random code execution. Affects servers with IIS and SQLserver installed and more. Replaces MS07-022, MS08-022 and MS08-064. Actively exploited, exploit code publicly available.

MS09-013 (HTTP services) Multiple vulnerabilities allow random code execution, spoofing of https certificates and NTLM credential reflection. Related to MS09-014 (below). Exploit is publicly known.

MS09-014 (IE) Cumulative MSIE patch. Replaces MS08-073, MS08-078 and MS09-002. Related to MS09-10, MS09-013 (above) and MS09-15 (below). Exploit code publicly available.

MS09-015 (SearchPath) Update to make the system search for libraries first in the system directory by default and an API to change the order. Replaces MS07-035. Related to MS09-014 (above). Attack method publicly known.

MS09-016 (ISA server) Multiple input validation vulnerabilities allow a DoS and XSS. One of the attack methods publicly known.

Users are advised to install vendor patches as soon as they are available and avoid following links or handling files from unknown or questionable sources.

Microsoft’s summary of the April releases can be found here.

Share this item with others:

More on CyberInsecure:

Microsoft Patch 14 PowerPoint Vulnerabilities, Adobe Patch Reader And Acrobar 0-day Vulnerability

Microsoft Patches Windows Worm And Drive-by Download Vulnerabilities

Mac OS X And Safari Vulnerabilities Patched By Apple In Security Update 2009-001

Oracle Patches Critical Database Vulnerabilities

Monthly Microsoft Patch Fixes Critical Windows Kernel, WINS Vulnerabilities

Posted in Microsoft, Software, Vista, Vulnerabilities, Windows |

Print This Post

This entry was posted on Tuesday, April 14th, 2009 at 3:45 pm and is filed under Microsoft, Software, Vista, Vulnerabilities, Windows. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.