Microsoft Patches At Least 20 Vulnerabilities In April 2009 Update
Microsoft’s April batch of security patches fixes at least 20 documented vulnerabilities listed in 8 bulletins. This month’s fixes cover several code execution bugs that are currently being actively exploited (Microsoft Excel and Microsoft WordPad) and two issues that have been publicly known for at least a year (token kidnapping and Safari-to-Internet Explorer blended threat).
The most serious of the flaws could lead to remote code execution attacks that give a malicious hacker complete control over a vulnerable machine. Cumulative Internet Explorer update (MS09-014) covers 4 privately reported and two publicly disclosed vulnerabilities. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker’s server by way of the HTTP protocol. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft’s April updates details:
MS09-009 (Excel) – Multiple memory corruption vulnerabilities allow random code execution. Also affect Excel viewer and Mac OS X versions of Microsoft Office. Replaces MS08-074. Actively exploited.
MS09-010 (Wordpad & Office converters) Multiple vulnerabilities allow random code execution. Replaces MS04-027. Actively exploited.
MS09-011 (DirectX) MJPEG input validation error allows random code execution. Replaces MS08-033. No publicly known exploits.
MS09-012 (Windows) Multiple vulnerabilites allow privilege escalation and random code execution. Affects servers with IIS and SQLserver installed and more. Replaces MS07-022, MS08-022 and MS08-064. Actively exploited, exploit code publicly available.
MS09-013 (HTTP services) Multiple vulnerabilities allow random code execution, spoofing of https certificates and NTLM credential reflection. Related to MS09-014 (below). Exploit is publicly known.
MS09-014 (IE) Cumulative MSIE patch. Replaces MS08-073, MS08-078 and MS09-002. Related to MS09-10, MS09-013 (above) and MS09-15 (below). Exploit code publicly available.
MS09-015 (SearchPath) Update to make the system search for libraries first in the system directory by default and an API to change the order. Replaces MS07-035. Related to MS09-014 (above). Attack method publicly known.
MS09-016 (ISA server) Multiple input validation vulnerabilities allow a DoS and XSS. One of the attack methods publicly known.
Users are advised to install vendor patches as soon as they are available and avoid following links or handling files from unknown or questionable sources.
Microsoft’s summary of the April releases can be found here.
More on CyberInsecure:
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.