Daily cyber threats and internet security news: network security, online safety and latest security alerts
April 14th, 2009

Microsoft Patches At Least 20 Vulnerabilities In April 2009 Update

Microsoft’s April batch of security patches fixes at least 20 documented vulnerabilities across 8 bulletins. This month’s fixes cover several code execution bugs that are currently being actively exploited (in Microsoft Excel and Microsoft WordPad) and two issues that have been publicly known for at least a year (token kidnapping and the Safari-to-Internet Explorer blended threat).

The most serious of the flaws could lead to remote code execution attacks that give an attacker complete control over a vulnerable machine. The cumulative Internet Explorer update (MS09-014) covers four privately reported and two publicly disclosed vulnerabilities. They could allow remote code execution if a user views a specially crafted web page in Internet Explorer or connects to an attacker’s server over HTTP. Users whose accounts are configured with fewer rights on the system are less affected than users who run with administrative rights.

Microsoft’s April updates details:

MS09-009 (Excel) – Multiple memory corruption vulnerabilities allow arbitrary code execution. Also affects Excel Viewer and the Mac OS X versions of Microsoft Office. Replaces MS08-074. Actively exploited.

MS09-010 (WordPad & Office text converters) – Multiple vulnerabilities allow arbitrary code execution. Replaces MS04-027. Actively exploited.

MS09-011 (DirectX) – MJPEG input validation error allows arbitrary code execution. Replaces MS08-033. No publicly known exploits.

MS09-012 (Windows) – Multiple vulnerabilities allow elevation of privilege: code already running under a lower-privileged service account (for example on servers with IIS or SQL Server installed) can gain full system privileges (the "token kidnapping" issue). Replaces MS07-022, MS08-022 and MS08-064. Actively exploited, exploit code publicly available.

MS09-013 (HTTP services) – Multiple vulnerabilities allow arbitrary code execution, spoofing of HTTPS certificates and NTLM credential reflection. Related to MS09-014 (below). Exploit is publicly known.

MS09-014 (IE) – Cumulative Internet Explorer patch. Replaces MS08-073, MS08-078 and MS09-002. Related to MS09-010, MS09-013 (above) and MS09-015 (below). Exploit code publicly available.

MS09-015 (SearchPath) – Update that makes the system search for libraries in the system directories before the current directory by default, and adds an API for applications to change the search order. Closes the Safari-to-Internet Explorer blended threat. Replaces MS07-035. Related to MS09-014 (above). Attack method publicly known.

MS09-016 (ISA Server) – Multiple input validation vulnerabilities allow denial of service and cross-site scripting. One of the attack methods is publicly known.
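The MS09-015 entry above describes a behavioural change rather than a simple binary fix, so an administrator will want to verify that the safe search order is actually in effect on a patched host. The following PowerShell is an added example (not code from the original article or from Microsoft) that checks for the update's knowledge base article and for the system-wide registry switch; it assumes the update is KB959426 and that the switch is the DWORD value SafeProcessSearchMode under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, with 1 meaning the current directory is moved to the end of the SearchPath order.

```powershell
# Added example, not from the original article: verify MS09-015 safe search mode.
# Assumptions (labelled): the update ships as KB959426 and the system-wide switch
# is the DWORD SafeProcessSearchMode (1 = safe order) under the Session Manager key.
$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$SafeModeValueName = 'SafeProcessSearchMode'
$UpdateKb          = 'KB959426'

function Test-Ms09015Installed {
    # Get-HotFix reads the installed-updates list; absence means the patch is missing.
    $hotfix = Get-HotFix -Id $UpdateKb -ErrorAction SilentlyContinue
    return ($null -ne $hotfix)
}

function Get-SafeProcessSearchMode {
    # Returns $null when the value is absent (default, unsafe order), else its DWORD value.
    $item = Get-ItemProperty -Path $SessionManagerKey -Name $SafeModeValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$SafeModeValueName
}

function Enable-SafeProcessSearchMode {
    # Requires an elevated shell. Only processes started after the change pick it up.
    New-ItemProperty -Path $SessionManagerKey -Name $SafeModeValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

if (-not (Test-Ms09015Installed)) {
    Write-Warning "$UpdateKb (MS09-015) is not installed; SearchPath still honours the old order."
}

switch (Get-SafeProcessSearchMode) {
    $null   { Write-Warning "$SafeModeValueName is not set: current directory is searched before system directories." }
    1       { Write-Output  "$SafeModeValueName=1: system directories are searched before the current directory." }
    default { Write-Warning "$SafeModeValueName has an unexpected value: $_" }
}
```

Run it from an elevated prompt on each patched server; if the value is missing, call Enable-SafeProcessSearchMode and re-run the check. Applications that cannot rely on the machine-wide setting should opt in themselves through the API the bulletin introduces.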

Users are advised to install the vendor patches as soon as they are available and to avoid following links or opening files from unknown or questionable sources.

Microsoft’s summary of the April releases can be found here.
