Microsoft ships fixes for Excel, WordPad malware attacks

Microsoft ships fixes for Excel, WordPad malware attacks

Summary: Microsoft's April batch of security patches are out:  8 bulletins with patches for at least 20 documented vulnerabilities.The most serious of the flaws could lead to remote code execution attacks that give a malicious hacker complete ownership of a vulnerable machine.

SHARE:
45

Microsoft's April batch of security patches are out:  8 bulletins with patches for at least 20 documented vulnerabilities.

The most serious of the flaws could lead to remote code execution attacks that give a malicious hacker complete ownership of a vulnerable machine.  This month's fixes cover several code execution bugs that are currently being actively exploited (Microsoft Excel and Microsoft WordPad) and two issues that have been publicly known for at least a year (token kidnapping and Safari-to-Internet Explorer blended threat).

[ SEE: One-year-old (unpatched) Windows 'token kidnapping' under attack ]

At first glance, Windows users should treat the cumulative Internet Explorer update (MS09-014) as a high-priority fix because of the increased threat from Web-borne attacks. It covers:

  • Four privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The raw details, via Microsoft's SWI team:

Bulletin Highest bulletin severity Highest Exploitability Index Rating Any vulns known to be public-known? Attack vector for code execution / Notes
MS09-009 Critical High (1) Yes, CVE-2009-0238 known to be exploited already. XLS file attached to email or posted on a website. These vulnerabilities are critical only on Office 2000. Other versions of Office force user to click through a prompt, reducing severity to Important.
MS09-010 Critical High (1) Yes, CVE-2009-0235 known to be being exploited already. RTF, WRI, or DOC file attached to email or posted on a website. Blog entry with more details about Converter Attack Surface here.
MS09-013 Critical High (1) Yes, exploit tools are publicly available for CVE-2009-0550 (SMBRelay). However, this CVE is Important, not Critical. The attack vector for the Critical CVE is a client-side application uses WinHTTP to generate a network-based request to a malicious server. The malicious server responds with a malformed request causing either a client-side application crash or code execution in the context of the user running the application. Internet Explorer does not use WinHTTP.
MS09-014 Critical High (1) Yes, CVE-2008-2540 is known externally. However, it is rated “Moderate”. This bulletin also addresses a portion of CVE-2009-0550, mentioned above. The attack vector for the Critical CVEs would be Internet Explorer connecting to a malicious website.

You can read more about how we fixed the public CVE-2008-2540 (Safari Carpet Bombing) here.

MS09-011 Critical Medium (2) No. AVI file attached to email or webpage pointing you at an AVI file.
MS09-012 Important High (1) Yes, exploit tool publicly available. After an attacker compromises an IIS-hosted web application, they could use these vulnerabilities to escalate to SYSTEM.  You can read more about how we fixed this vulnerability here.
MS09-016 Important Low (3) Yes, limited details of this vulnerability are known externally No threat of code execution.
MS09-015 Moderate High (1) Yes. No known attack vector.
More to come...

Topics: Browser, Microsoft, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

45 comments
Log in or register to join the discussion
  • yet another reason to use Vista

    "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights"
    ==> In Vista all users have limited privileges by default thanks to UAC: yet another reason to use Vista!
    qmlscycrajg
  • Yet another reason to use Linux...

    ...Open Office, and FireFox. To each his own, just don't expect equal results.
    Techboy_z
    • Open Office and Firefox don't work in Windows?

      News to me. It is especially odd considering that I thought I was using Firefox on Windows right now but I guess I'm just imagining things. :)
      NonZealot
      • The individual programs are....

        only partially to blame. If the underlying OS is insecure, then those programs are more suseptible to attack. Those same programs on Linux are more secure because the underlying OS's is more secure.
        todbran@...
    • Linux?

      Linux has even <b>more vulnerabilities</b>. Two times more on the latest count by IBM. Just in the kernel, no distros or apps involved.

      More vulnerabilities, more patching.

      honeymonster
      • But less exploits

        (nt)
        914four
      • Using 1 metric to measure security is silly

        http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/

        A kind human being posted a link to this forgotten article. If you care to read it, you might find it interesting. It is from 10/04, but what was true then is just as true today. Prophetic, even.

        "The remaining popular myths regarding the relative security of Windows vs. Linux are flawed by the fact that they are based only on a single metric -- a single aspect of measuring security. This is true whether the data comes from actual research, anecdotal information or even urban myth.

        One popular claim is that, ?there are more security alerts for Linux than for Windows, and therefore Linux is less secure than Windows?...."
        SpikeyMike
        • Story is an opinion piece from 2004

          which repeats a lot of baloney. Read the IBM report on "exploitation economics" and then we'll talk. Or maybe not.

          Oh, and how many vulnerabilities in IIS7 vs. Apache?

          Guess what, which server is THE most hacked? (hint: It is not IIS). In fairness the attackers don't get in neither through Apache nor through IIS. It is much easier to exploit the application layer. Like PHP. Which typically runs on Apache.

          The IBM report can tell you about how popular open source vendors like WordPress, Drupal and Typo3 <i>make the top 10 list</i> of <b>vendors with most vulnerabilities</b>. By virtue of a single, swiss-cheese product they manage to make the top ten list among vendors like Microsoft and Oracle with their VAST (esp. MS) product portfolios.
          honeymonster
  • RE: MS Patch Tuesday: 8 bulletins, 20 vulnerabilities

    Good for Microsoft! The vulnerabilities are found and fixed. And the best part is that because its on a scheduled release you can plan to install them at your leisure.
    Loverock Davidson
    • Applauding Microsoft?

      To you it's better to have gaping insecurities fixed AFTER rather than never have those holes in the first place?

      It's like trying to plug the holes in swiss cheese with oatmeal. It's messy and no one deep down likes it.
      sombertattoo
      • Show me ...

        "To you it's better to have gaping insecurities fixed AFTER rather than never have those holes in the first place?"
        Show me any other piece of software that has absolutely no flaws.

        Vista has FAR fewer vulnerabilities than any other OS out there. The vast majority of infected machines are old, unpatched, un-service packed XP machines that (because of the fact that they're unpatched and un-service-packed) are not well maintained by their users. Is it any wonder therefore that they're going to be wide open to abuse?

        Fact is that the VAST majority of Windows users don't know one end of a USB cable from the mouse it's attached to. Not because they're stupid, but because they use their computers as a tool and don't have the time/interest/inclination to learn how to best use and operate their computer.

        Had *N*X become the dominant desktop OS, the hackers would all be focussing their efforts on penetrating *N*X and bringing about disruption or stealing data. Whilst I agree that perhaps they wouldn't have had such easy pickin's as they have had with unpatched XP, but if my Mom & Dad were using a *N*X PC, they'd be just as clueless about how to safely operate it.

        But then, perhaps that's *N*X's primary motivation for NOT standardizing, consolidating effort and fixing its many ills, thus driving its usage numbers higher - perhaps they are happier with greater obscurity?
        de-void-21165590650301806002836337787023
        • Show me....

          Just as many PC users seem to have little, or no, knowledge of what is going on under the bonnet (hood) so many millions of drivers have scant, or no, knowledge of how their vehicle works and thus how to drive it to preserve its' life expectancy and 'crash' worthiness. Thankfully, therefore, enlightened countries/governments require that vehicles are assessed at least once per annum. Perhaps the time has come for PC's, as with vehicles, to be both licenced and unrepairable/uninterferable with by their owners and for them to be subject to a manadatory annual check for virus prevention etc.? And perhaps the users themselves should have to submit to an assessment of their ability before even being allowed to operate a PC?

          Contentious? Moi?
          njnb
          • Show me...

            Safety first? Freedom last? Read my middle finger.
            nikacat
        • Well said

          99.99% of Windows XP users run with
          administrative rights. Vista changes that game.
          Unfortunately for all the people who have
          elected to go with XP on account of Microsoft's
          botched release of Vista and its subsequent
          tainting, they have no idea the risks of the
          status quo. That is, continuing to operate on
          XP with admin rights.

          Sadly Microsoft never released a tool to
          mitigate the risks, which is entirely possible:

          http://www.download.com/RemoveAdmin/3000-
          2381_4-10824971.html?tag=mncol

          RemoveAdmin remove administrative rights when
          launching your web browser (IE or Firefox).
          It's actually a general tool and you can setup
          shortcuts to strip administrative rights on
          anything.

          RemoveAdmin 0.1 has issues with AD networks but
          people in AD networks shouldn't have admin
          rights to begin with.

          The release is focused on all the unenlightened
          masses running Windows XP "as is" (the way it
          came out of the box) at home.

          -M
          betelgeuse68
          • LOL!

            You just said they're 'unenlightened'. Therefore, they would never seek out a solution to a problem that they didn't know they had!
            eMJayy
          • Corrected download link

            Try this corrected link:

            <link http://www.download.com/RemoveAdmin/3000-2381_4-10824971.html?tag=mncol />
            dgust@...
        • nice wee fiction...

          Except for the fact that people have been and are very very active in trying to hack *nix systems.
          zkiwi
          • No

            No, they are not. Linux or Unix are not magically secure. They are even more vulnerable than Windows Vista and XP.

            Linux has more vulnerabilities (more opportunities) and fewer mitigations and protection mechanisms (easier to make an exploit work).

            The bare naked truth is that simple economics lead the attackers to go after Windows almost exclusively.

            Very good insigths on "exploitation economics" in this report by IBM:

            http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

            honeymonster
          • Your position is debunked soundly here:

            http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux/

            Read and learn if you care to. There is the water, now drink! ;)
            SpikeyMike
          • An opinion piece from 2004

            Why would I trust a Linux zealot writing an
            opinion piece for the reg over a thorough
            report from a reputable company (IBM) with no
            stakes in the conclusions???

            Besides, that piece dives directly into a
            number of myths itself and is easily debunked.

            I won't bother because he offers nothing but
            opinions on the very subject which is covered
            by the IBM report on "exploitation economics".
            And basically all of his "conclusions" are blow
            out of the water.

            Now YOU go read. I read both, wanna play?
            honeymonster