Microsoft ships fixes for Excel, WordPad malware attacks

Summary:Microsoft's April batch of security patches are out:  8 bulletins with patches for at least 20 documented vulnerabilities.The most serious of the flaws could lead to remote code execution attacks that give a malicious hacker complete ownership of a vulnerable machine.

Microsoft's April batch of security patches are out:  8 bulletins with patches for at least 20 documented vulnerabilities.

The most serious of the flaws could lead to remote code execution attacks that give a malicious hacker complete ownership of a vulnerable machine.  This month's fixes cover several code execution bugs that are currently being actively exploited (Microsoft Excel and Microsoft WordPad) and two issues that have been publicly known for at least a year (token kidnapping and Safari-to-Internet Explorer blended threat).

[ SEE: One-year-old (unpatched) Windows 'token kidnapping' under attack ]

At first glance, Windows users should treat the cumulative Internet Explorer update (MS09-014) as a high-priority fix because of the increased threat from Web-borne attacks. It covers:

  • Four privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The raw details, via Microsoft's SWI team:

Bulletin Highest bulletin severity Highest Exploitability Index Rating Any vulns known to be public-known? Attack vector for code execution / Notes
MS09-009 Critical High (1) Yes, CVE-2009-0238 known to be exploited already. XLS file attached to email or posted on a website. These vulnerabilities are critical only on Office 2000. Other versions of Office force user to click through a prompt, reducing severity to Important.
MS09-010 Critical High (1) Yes, CVE-2009-0235 known to be being exploited already. RTF, WRI, or DOC file attached to email or posted on a website. Blog entry with more details about Converter Attack Surface here.
MS09-013 Critical High (1) Yes, exploit tools are publicly available for CVE-2009-0550 (SMBRelay). However, this CVE is Important, not Critical. The attack vector for the Critical CVE is a client-side application uses WinHTTP to generate a network-based request to a malicious server. The malicious server responds with a malformed request causing either a client-side application crash or code execution in the context of the user running the application. Internet Explorer does not use WinHTTP.
MS09-014 Critical High (1) Yes, CVE-2008-2540 is known externally. However, it is rated “Moderate”. This bulletin also addresses a portion of CVE-2009-0550, mentioned above. The attack vector for the Critical CVEs would be Internet Explorer connecting to a malicious website.

You can read more about how we fixed the public CVE-2008-2540 (Safari Carpet Bombing) here.

MS09-011 Critical Medium (2) No. AVI file attached to email or webpage pointing you at an AVI file.
MS09-012 Important High (1) Yes, exploit tool publicly available. After an attacker compromises an IIS-hosted web application, they could use these vulnerabilities to escalate to SYSTEM.  You can read more about how we fixed this vulnerability here.
MS09-016 Important Low (3) Yes, limited details of this vulnerability are known externally No threat of code execution.
MS09-015 Moderate High (1) Yes. No known attack vector.
More to come...

Topics: Browser, Microsoft, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.