The most serious of the flaws could lead to remote code execution attacks that give a malicious hacker complete ownership of a vulnerable machine. This month's fixes cover several code execution bugs that are currently being actively exploited (Microsoft Excel and Microsoft WordPad) and two issues that have been publicly known for at least a year (token kidnapping and Safari-to-Internet Explorer blended threat).
At first glance, Windows users should treat the cumulative Internet Explorer update (MS09-014) as a high-priority fix because of the increased threat from Web-borne attacks. It covers:
- Four privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The raw details, via Microsoft's SWI team:
| Bulletin | Highest bulletin severity | Highest Exploitability Index Rating | Any vulns known to be public-known? | Attack vector for code execution / Notes |
|---|---|---|---|---|
| MS09-009 | Critical | High (1) | Yes, CVE-2009-0238 known to be exploited already. | XLS file attached to email or posted on a website. These vulnerabilities are critical only on Office 2000. Other versions of Office force user to click through a prompt, reducing severity to Important. |
| MS09-010 | Critical | High (1) | Yes, CVE-2009-0235 known to be being exploited already. | RTF, WRI, or DOC file attached to email or posted on a website. Blog entry with more details about Converter Attack Surface here. |
| MS09-013 | Critical | High (1) | Yes, exploit tools are publicly available for CVE-2009-0550 (SMBRelay). However, this CVE is Important, not Critical. | The attack vector for the Critical CVE is a client-side application uses WinHTTP to generate a network-based request to a malicious server. The malicious server responds with a malformed request causing either a client-side application crash or code execution in the context of the user running the application. Internet Explorer does not use WinHTTP. |
| MS09-014 | Critical | High (1) | Yes, CVE-2008-2540 is known externally. However, it is rated “Moderate”. This bulletin also addresses a portion of CVE-2009-0550, mentioned above. | The attack vector for the Critical CVEs would be Internet Explorer connecting to a malicious website. You can read more about how we fixed the public CVE-2008-2540 (Safari Carpet Bombing) here. |
| MS09-011 | Critical | Medium (2) | No. | AVI file attached to email or webpage pointing you at an AVI file. |
| MS09-012 | Important | High (1) | Yes, exploit tool publicly available. | After an attacker compromises an IIS-hosted web application, they could use these vulnerabilities to escalate to SYSTEM. You can read more about how we fixed this vulnerability here. |
| MS09-016 | Important | Low (3) | Yes, limited details of this vulnerability are known externally | No threat of code execution. |
| MS09-015 | Moderate | High (1) | Yes. | No known attack vector. |