Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Patch Tuesday heads-up: 8 bulletins, 5 critical

By Ryan Naraine | April 9, 2009, 11:06am PDT

Microsoft plans to ship 8 security bulletins next Tuesday (April 14, 2009) to fix remote code execution and denial of service vulnerabilities affecting Windows, Office and Internet Explorer.

According to the company’s Patch Tuesday advance notice, five of the bulletins will be rated “critical,” meaning they can be exploited by hackers to take complete control of Windows machines.

[ SEE: Microsoft issues Safari-to-IE blended threat warning ]

I’ve been given a heads-up that one of the Internet Explorer vulnerabilities being fixed is the musty old Safari-to-IE carpet bombing blended threat, which chained a flaw in each of two browsers into a single code execution attack.

The IE flaw was originally discovered and reported by Aviv Raff back in November 2006 (more than two years ago!) but was ignored by Microsoft until the Safari carpet-bombing bug emerged to show how a combo-attack could lead to complete PC takeover.

[ SEE: Why Apple must fix Safari 'carpet bombing' flaw immediately ]

I’m told Microsoft will actually issue two separate bulletins on this issue. One carries a patch that changes several LoadLibrary and SearchPath calls in Internet Explorer so the browser stops trying to load libraries directly from the desktop, the directory where Safari's carpet-bombed downloads landed.

The other pushes out additional defense-in-depth protections and a new API that let applications further limit the damage from this class of attack, but because of application compatibility concerns those protections will NOT be enabled by default.
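As an added example (this is not code from the post, nor Microsoft's patch), the following C program models the library lookup orders behind the fix just described. The legacy SearchPath(NULL, ...) order probes the process's current directory before the system directories, which is why a DLL carpet-bombed onto the Desktop was picked up when IE ran with the Desktop as its current directory; safe search mode moves the current directory behind the system directories, and SetDllDirectory(L"") drops it from LoadLibrary's order entirely. The directory orders are the ones Microsoft documents; the DLL names and the miniature file system are constructed for the demo. The post does not name the new API, so the Windows-only helper at the end assumes it is kernel32's SetSearchPathMode and resolves it at run time because an unpatched kernel32 does not export it.

```c
/* Added example, not code from the ZDNet post or from Microsoft's patch.
 * Models the SearchPath()/LoadLibrary() lookup orders (documented by
 * Microsoft) and shows which directory a library name resolves to when a
 * copy has been planted in the current directory. The DLL names and the
 * miniature "file system" below are constructed for the demo. */
#include <stdio.h>
#include <string.h>

/* Directory classes probed by SearchPath(NULL, ...). */
enum dir_class {
    NO_DIR = -1,
    APP_DIR,      /* directory the executable (iexplore.exe) was loaded from */
    CURRENT_DIR,  /* process current directory: the Desktop in the blended attack */
    SYSTEM32,     /* %SystemRoot%\System32 */
    SYSTEM16,     /* 16-bit system directory */
    WINDOWS_DIR,  /* %SystemRoot% */
    PATH_DIRS     /* directories listed in %PATH% */
};

/* Legacy order: current directory is probed before the system directories. */
static const enum dir_class legacy_order[] = {
    APP_DIR, CURRENT_DIR, SYSTEM32, SYSTEM16, WINDOWS_DIR, PATH_DIRS
};
/* Safe search mode: current directory moves behind the system directories. */
static const enum dir_class safe_order[] = {
    APP_DIR, SYSTEM32, SYSTEM16, WINDOWS_DIR, CURRENT_DIR, PATH_DIRS
};
/* LoadLibrary order after SetDllDirectory(L""): current directory removed. */
static const enum dir_class no_cwd_order[] = {
    APP_DIR, SYSTEM32, SYSTEM16, WINDOWS_DIR, PATH_DIRS
};
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed file system: which directory class holds which file name. */
struct file_entry { const char *name; enum dir_class where; };
static const struct file_entry demo_fs[] = {
    { "legit.dll",   SYSTEM32    },  /* genuine copy shipped with Windows (name constructed) */
    { "legit.dll",   CURRENT_DIR },  /* attacker's copy carpet-bombed onto the Desktop */
    { "missing.dll", CURRENT_DIR },  /* name Windows never ships; only the planted copy exists */
};

/* Walk `order` and return the first directory class containing `name`. */
enum dir_class resolve_library(const enum dir_class *order, size_t order_len,
                               const struct file_entry *fs, size_t fs_len,
                               const char *name)
{
    for (size_t i = 0; i < order_len; i++)
        for (size_t j = 0; j < fs_len; j++)
            if (fs[j].where == order[i] && strcmp(fs[j].name, name) == 0)
                return order[i];
    return NO_DIR;
}

/* Wrappers over the constructed file system, one per lookup order. */
enum dir_class resolve_legacy(const char *name)
{ return resolve_library(legacy_order, LEN(legacy_order), demo_fs, LEN(demo_fs), name); }
enum dir_class resolve_safe(const char *name)
{ return resolve_library(safe_order, LEN(safe_order), demo_fs, LEN(demo_fs), name); }
enum dir_class resolve_no_cwd(const char *name)
{ return resolve_library(no_cwd_order, LEN(no_cwd_order), demo_fs, LEN(demo_fs), name); }

#ifdef _WIN32
#include <windows.h>
/* Flag values from winbase.h, redefined in case the SDK predates the API. */
#ifndef BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE
#define BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE 0x00000001
#endif
#ifndef BASE_SEARCH_PATH_PERMANENT
#define BASE_SEARCH_PATH_PERMANENT 0x00008000
#endif
typedef BOOL (WINAPI *SetSearchPathMode_fn)(DWORD);

/* Opt this process into the hardened orders above. Assumption: the opt-in
 * API the post mentions is SetSearchPathMode; it is looked up at run time
 * because kernel32 on an unpatched system does not export it.
 * Returns 1 if safe search mode was enabled, 0 otherwise. */
int harden_library_search(void)
{
    SetDllDirectoryW(L"");                       /* drop CWD from LoadLibrary's order */
    HMODULE k32 = GetModuleHandleW(L"kernel32.dll");
    SetSearchPathMode_fn fn = k32
        ? (SetSearchPathMode_fn)GetProcAddress(k32, "SetSearchPathMode") : NULL;
    if (fn == NULL)
        return 0;                                /* API absent: bulletin not installed */
    return fn(BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE | BASE_SEARCH_PATH_PERMANENT) ? 1 : 0;
}
#endif

int main(void)
{
    static const char *names[] = { "legit.dll", "missing.dll" };
    for (size_t i = 0; i < LEN(names); i++)
        printf("%-12s legacy=%d safe=%d no_cwd=%d\n", names[i],
               (int)resolve_legacy(names[i]), (int)resolve_safe(names[i]),
               (int)resolve_no_cwd(names[i]));
    return 0;
}
```

The edge case worth noticing is the second name: safe search mode only protects a library name that a genuine copy satisfies earlier in the order. A planted DLL whose name Windows never ships is still found in the current directory under both orders, so removing the current directory with SetDllDirectory(L"") (or loading by absolute path) is the stronger control, and it is the one that does not depend on the opt-in being enabled.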

In addition to the high-priority IE bulletin, next Tuesday’s patch batch will include five Windows bulletins (three rated critical, one important and one moderate), a solitary Microsoft Excel update (critical), and an ISA Server denial-of-service issue that Microsoft rates as “important.” That accounts for all 8 bulletins and all 5 critical ratings.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

35 Comments

Patch Tuesday
Shuelin 9th Apr 2009
Good ol' patch Tuesday. We definitely need a
Google Operating system.
http://googlescloud.blogspot.com
Yeah, based on Linux
honeymonster 9th Apr 2009
so that we'd have to put up with more than 2 or even 3 times the vulnerabilities:

http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

Windows is the mainstream operating system which needs the fewest patches.

So how is a Linux based Google OS going to beat that?
RE: Yeah, based on Linux
gparsons 10th Apr 2009
You can selectively install minimal and maximal installations based upon packages you want/need in Linux.

If I could install Windows like that, I would install without Internet Explorer which links your entire File System to the Internet through .dll's. Find me a Linux browser that hooks code through the Linux kernel!

The number of Linux updates should not be numerically comparative to Windows updates because:
A) Your system may not have all the packages installed that require such updates
B) Many of the updates are bug fixes or related to local user security, which is in many cases moot on a Linux server.
A little education...
honeymonster 10th Apr 2009
"If I could install Windows like that, I would install without Internet Explorer which links your entire File System to the Internet through .dll's. Find me a Linux browser that hooks code through the Linux kernel!"

Do you have any idea what you are talking about? Something residing in a .dll does not automatically make it part of the kernel.

DLLs are sharable libraries of code. Just that! They can be loaded by a process, but they don't magically open some portal through to the kernel. Your comment illustrates how clueless you are on this topic.

And IE like all other apps uses DLLs. Some of the shared code is a HTML renderer. A browser uses a HTML renderer. Some other components of Windows also use a HTML renderer. So, they share the code. This does not mean that somehow the execution path can jump from Internet Explorer to the kernel. Get a grip will you? Modularization is known in the *Nix world as well, and it's the same concept.

So, IE does not "hook code through the kernel". It uses shared libraries just like FF uses shared libraries. Where on earth did you get that idea? Are you just spewing out myths you read somewhere on a Linux forum?

"The number of Linux updates should not be numerically comparative to Windows updates because:
A) Your system may not have all the packages installed that require such updates"

Oh no. Read the IBM X-Force report. I provided the link above. They compared vulnerabilities in Windows, Linux kernel, OS X and a host of other operating systems. No distro, no packages; just the raw operating system. Result: Linux kernel contains 2x the number of vulns of Vista. Apple OSX even worse: 3x the vulnerabilities and the presiding swiss cheese OS.

"B) Many of the updates are bug fixes or related to local user security, which is in many cases moot on a Linux server."

Oh yeah? Do you have any data or are you just making this up? Yeah, I thought so.

Anyway, "local" vulnerabilities are just one minor remote vulnerability away from pwning your box. Combined with a flaw in a browser (and FF has plenty with practically no mitigation from Linux), a "locally exploitable" or privilege escalation bug is suddenly the hole which is exploited by an attacker.

BTW, the IBM report already filtered away the "minor" vulnerabilities and only counted the "moderately critical" and above. It's solid research by an independent and highly reputable company (IBM). You just have to suck it up.

I agree that you should be able to uninstall IE. At least so that it is not in any way active any more. I hear that that's finally coming in Windows 7.
Microsoft FINALLY patching a 3 year old problem? At least the Linux community is responsive to problems and has patches much faster than Microsoft! One can't simply go by the numbers, unless you're brainwashed by the Redmond people. Try thinking for yourself and looking behind the FUD.
Rounding up, are we?
honeymonster 10th Apr 2009
Even though it's not 3 years as you claim it is still way too long to have a problem linger.

It was presumably ignored because it was initially assumed to be minor. The issue was that explorer would "trust" files on the desktop which were marked as "local" - i.e. not received from the Internet. Windows has this feature where it uses metadata to "taint" files received from the Internet. However, the Apple Safari "carpet bombing attack" allowed any website to 1) download files to your computer without your consent, 2) by default downloaded the files to the desktop and finally 3) did not taint the files as having been received from the Internet. Go figure.

That problem was indeed a path to place executable, untainted content on the desktop. So, the "minor" IE flaw suddenly became serious because it could be used in a blended attack when the attacker could combine Safari and IE. That Apple sneaked in their Safari on Windows through despicable social engineering tricks only made matters worse. (The tricks involved new software masquerading as "updates", sneaky defaults and deliberately intricate "ignore" procedures).

There's no way to apologize for taking almost 2½ years to patch a vulnerability which can have critical consequences. While it initially may have looked like it would be hard to exploit without first pwning the box anyway, the history showed that the software ecosystem is much too complicated to assume any such thing.

Regardless, I'm sure that wrong severities will be assigned to bugs again. Both in *nix land and in Windows.
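As an added example (not from the post or from the comment above), here is what the "taint" metadata the comment describes actually looks like and how to check for it. On NTFS, Windows records the origin of a download in an alternate data stream named Zone.Identifier whose contents are INI-style text ("[ZoneTransfer]" followed by "ZoneId=3"; ZoneId 3 is the Internet zone). The parser below returns the zone from that text, a small policy helper shows how a "no marker means local" rule lets an unmarked Safari download pass as trusted, and the Windows-only reader opens the stream through the path:stream syntax. The sample stream contents are constructed.

```c
/* Added example, not from the ZDNet post or from the comment above.
 * Windows records where a download came from in an NTFS alternate data
 * stream called Zone.Identifier whose text is INI-style, e.g.
 *     [ZoneTransfer]\r\nZoneId=3\r\n
 * ZoneId 3 is the Internet zone. The sample stream texts are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* URL security zones as written in the ZoneId= line. */
enum url_zone {
    ZONE_NONE = -1,          /* no Zone.Identifier stream, or no ZoneId line */
    ZONE_LOCAL_MACHINE = 0,
    ZONE_INTRANET = 1,
    ZONE_TRUSTED = 2,
    ZONE_INTERNET = 3,
    ZONE_RESTRICTED = 4
};

/* Parse the text of a Zone.Identifier stream and return its ZoneId, or
 * ZONE_NONE if there is no [ZoneTransfer] section with a ZoneId line. */
int zone_from_stream(const char *text)
{
    int in_section = 0;
    const char *line = text;

    while (line != NULL && *line != '\0') {
        const char *eol = strpbrk(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len > 0 && line[0] == '[') {
            /* Section header: only [ZoneTransfer] matters. */
            in_section = (len == 14 && strncmp(line, "[ZoneTransfer]", 14) == 0);
        } else if (in_section && len > 7 && strncmp(line, "ZoneId=", 7) == 0) {
            char num[16];
            size_t n = len - 7 < sizeof num - 1 ? len - 7 : sizeof num - 1;
            char *end;
            long zone;
            memcpy(num, line + 7, n);
            num[n] = '\0';
            zone = strtol(num, &end, 10);
            /* Accept only a complete, in-range number; anything else is unmarked. */
            return (end != num && *end == '\0' && zone >= 0 && zone <= 4) ? (int)zone : ZONE_NONE;
        }
        if (eol == NULL)
            break;
        line = eol + 1;      /* a "\r\n" pair yields an empty line, which is skipped */
    }
    return ZONE_NONE;
}

/* The policy that made the blended attack work: a file is treated as
 * untrusted only if its marker says Internet or Restricted. An unmarked
 * file (what Safari left on the Desktop) passes as local. */
int is_marked_untrusted(const char *stream_text)
{
    int zone = zone_from_stream(stream_text);
    return zone == ZONE_INTERNET || zone == ZONE_RESTRICTED;
}

#ifdef _WIN32
/* Read a real file's marker: NTFS exposes the stream as "<path>:Zone.Identifier". */
int zone_of_file(const char *path)
{
    char spec[1024];
    char buf[512];
    size_t n;
    FILE *f;

    if (snprintf(spec, sizeof spec, "%s:Zone.Identifier", path) >= (int)sizeof spec)
        return ZONE_NONE;
    f = fopen(spec, "rb");
    if (f == NULL)
        return ZONE_NONE;    /* no stream: the file is not marked as from the Internet */
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return zone_from_stream(buf);
}
#endif

int main(void)
{
    /* Constructed stream contents: a normal browser download, and an unmarked file. */
    const char *marked = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/x.dll\r\n";
    const char *unmarked = "";
    printf("marked:   zone=%d untrusted=%d\n", zone_from_stream(marked), is_marked_untrusted(marked));
    printf("unmarked: zone=%d untrusted=%d\n", zone_from_stream(unmarked), is_marked_untrusted(unmarked));
    return 0;
}
```

The lesson is in the second case: a policy that keys trust off the presence of the marker fails open the moment any downloader on the box (Safari, in 2008) neglects to write it, which is why "untainted file on the Desktop" was enough to turn a low-rated IE library-loading bug into remote code execution.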
Will you stop with the FUD
hasta la Vista, bah-bie 10th Apr 2009
http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf

You keep bringing out this tired, useless report that doesn't mean squat. Out of 106 pages, I only see it mentioned once on pg. 44.

No footnotes to substantiate it. No related documentation to back up your FUD claim.

However, pg. 43 has a list of new Active-X vulnerabilities and we know Linux doesn't use Active-X. Guess which OS uses Active-X.

Try again, pal... Otherwise quit spinning your wheels.
Plus, the list is based on *disclosed* vulns
Third of Five 11th Apr 2009
Underneath the fabled table of doom it says "Operating systems with the most vulnerability disclosures." A product whose code is available for anyone with the time and the inclination to look at it will probably have more vulnerabilities discovered than a program whose code is locked away in a vault right between the Ark of the Covenant and the Colonel's secret supply of 11 herbs and spices.

As much as some might want to spin this as a negative, this works to the advantage of open source. Knowing that a vulnerability exists enables the developers to do something about it. As a development model, open source perhaps has its roots in the words of Louis Brandeis: "Sunlight is the best disinfectant."
This table has 9 rows and 2 columns.

Bulletin ID | Maximum Severity Rating and Vulnerability Impact
------------|-------------------------------------------------
Windows 1   | Critical - Remote Code Execution
Windows 2   | Critical - Remote Code Execution
Windows 3   | Critical - Remote Code Execution
IE          | Critical - Remote Code Execution
Excel       | Critical - Remote Code Execution
Windows 4   | Important - Elevation of Privilege
ISA         | Important - Denial of Service
Windows 5   | Moderate - Elevation of Privilege

Note that the words marked "Moderate," "Important," and "Critical" looks like they are links to another website -- probably Microsoft's but I'm not sure.

I hope this can be very useful for blind users who surf for news and blogs using their screen reader. Also note that this Talkback system does not support embedding a URL within a text (by creating a hyperlink). If you see this: ZDNet, that means this Talkback does not parse the URL tag.

To those who've never heard of a screen reader, a screen reader doesn't read text within an image; thus, making it very difficult for those who cannot see images in the website. About the link I've mentioned in the previous paragraph, I could leave a string of text like http://www.zdnet.com, while this is okay, if there's a very long string of text (even for a TinyURL), this can be quite meaningless for those who quickly tab between links. But that's unless a blind user knows how to use flat-review cursors in their number pads (7, 8, and 9 for reading a line; 4, 5, and 6 for reading a word, and 1, 2, and 3 for reading a letter within a word), including up and down arrow keys just to navigate through series of text.

OH, and I have a question! What is that "Windows 1," "Windows 2," "Windows 3," "Windows 4," and "Windows 5" in the table (as an addition to the image)?

----------------------------------------------------

If anyone is interested in how I navigate through a website using a screen reader. I have posted a video in YouTube. Here's the link:

http://www.youtube.com/watch?v=x081s6wTsbE

While I've captured the video under Windows Vista, Ubuntu 8.10 is running in my virtual machine and it's running as a guest under VirtualBox. Orca is my screen reader of choice for Ubuntu and I enjoyed it a lot. I didn't include my voice for narration (I didn't explain what I am doing in the video), but I thought anyone might be interested in my video. Have fun!

Sorry Ryan for going too far off-topic, but I just had to type what's in the image and provided reasons why I did this. happy
Honestly...
QueenMama 10th Apr 2009
...I just don't understand why ANYONE would put up with this cr@p... I DO understand that Windows is the gamers' only choice. But, if you work at home or in an office (both of which I do) where there are Macs, you're not gaming. At least I HOPE you're not. So tell me again WHY you would put yourself through Tuesday Hell over and over again? Look, I don't know enough about Windows to understand why Patch Tuesday has to happen at all. Again, if you're using a computer for work, and said computer runs MS-Office, why in the world do you have to do this EVERY Tuesday???

It just seems this OS keeps on going for gamers. Is that enough to put up with Patch Tuesday (not to mention all the viruses, trojans, and worms)? Yes I know that no OS is invulnerable but this kind of sounds like trying to keep patching a leaky balloon with Elmer's Glue!

I guess if I were Microsoft, I would just trash every OS I've created up to now and hire a bunch of smart, savvy programmers to do a completely NEW operating system without trying to build on something that is so obviously flawed.

IMHO.
It isn't every Tuesday.
Erroneous 10th Apr 2009
It is a Tuesday once a month.

Yes I know that no OS is invulnerable but this kind of sounds like trying to keep patching a leaky balloon with Elmer's Glue!

Name a modern OS that doesn't require patching.
Well there's patching...
hasta la Vista, bah-bie 11th Apr 2009
...for bugs and there's patching for vulnerabilities. Try to distinguish between the two.
If you think...
Erroneous 11th Apr 2009
it really makes a difference in the question asked then there is something wrong with your thought processes.
I think the fact...
hasta la Vista, bah-bie 12th Apr 2009
...that you confuse the two means that there is something wrong with your thought processes.
RE: Well there's patching...
dougbeer 13th Apr 2009
I just got a patch this morning on this machine which is running SUSE 11.1. It had a Vulnerability.
For what? (nt)
hasta la Vista, bah-bie 13th Apr 2009
--
Secunia
honeymonster 14th Apr 2009
Try going to secunia and search for vulnerabilities - both patched and unpatched.

http://secunia.com/advisories/product/10611/

Ubuntu since 6.06 (Vista timeframe) clocks in at 1124 publicly disclosed vulnerabilities.

All of these are security issues.
These are the security issues
hasta la Vista, bah-bie Updated - 14th Apr 2009
https://help.ubuntu.com/community/Linuxvirus

Now unless Ubuntu is lying to its users and there are large-scale exploits out there that no one is aware of, or people aren't talking about, then honeymonster should do his duty and let them all know about this.

They're right here...

http://www.ubuntu.com/community

They are awaiting your enlightenment, honeymonster. Please advise them.

wink
And by the way...
hasta la Vista, bah-bie 14th Apr 2009
At your same website, Micro$haft currently has 569 pieces of software monitored by Secunia, each containing hundreds of vulnerabilities leading into the thousands.

http://secunia.com/advisories/vendor/1/

Care to count? Over 10,000 yet?

wink
1124 vulnerabilities
balaknair 14th Apr 2009
Including those for Firefox, Thunderbird, Open Office and every third party app in the Ubuntu universe repositories, including third party apps.

Not a fair comparison unless you want to count all the vulnerabilities for Vista, IE, MS Office, .NET, SQL, antivirus suites and so on.

"Try going to secunia and search for vulnerabilities - both patched and unpatched."
Patched- 1124
Unpatched- 0

The problem I have with MS' security practices is that all too often, they don't disclose vulnerabilities and issue patches only when the exploits are already out in the wild. This is in sharp contrast to the folks at Canonical, where every vulnerability is reported and published, and nearly all are patched (vulnerabilities rated not critical may be left unpatched). So just going by the number of published vulnerabilities is misleading. Vista still has 5 unpatched vulnerabilities, the oldest reported in Feb 2007.

Compare how severe the vulnerabilities were, how long it took to patch them, and how many of them were exploited in the wild and what impact that had in the real world.
That in my opinion is a better metric to measure how secure an OS (or other software) is.
Correct.
phatkat 13th Apr 2009
To err is human.
We make the operating system so we will make mistakes and we will need to fix them with patches.
We learn from our mistakes and learn not to make these mistakes again and that is the lesson of life.
RE: Honestly...
dougbeer 13th Apr 2009
My wife and thousands of others at her company use MS and have no issues. In 12 years she has had one worm because she opened an attachment with an exe. She likes windows. Judging by your comment you have never used windows. I use MS for most everything and Linux for experimenting and messing around. I do understand the hatred portrayed by the Linux users on these forums. Every linux site portrays Windows as evil, pathetic or useless and linux as the savior. You are being used people! poor horses
Honestly? ALL Linux sites pan Windows?
james@... 13th Apr 2009
"Every linux site portrays Windows as evil, pathetic or useless and linux as the savior."

Whoa! Go easy on the hyperbole there chief. Not every Linux site pans Windows. In fact the majority of professional people I meet in my role as a senior engineer in the IT field, are very operating system agnostic. We don't care if the solution is Windows, Linux, OSX, or some commercial Unix - as long as it's the RIGHT solution.

The problem when you only have a hammer in your toolbox is that everything starts looking like a nail. Not all problems can be solved with a single operating system. Patch Tuesday is what it is. Other operating systems have their own annoyances and quirks. happy

Peace,

James
Hilarious...
hasta la Vista, bah-bie 13th Apr 2009
Every linux site portrays Windows as evil, pathetic or useless and linux as the savior.

With an ignorant statement like that, I wonder if he really does use SUSE.

lol...
I agree - who gets viruses etc?
jonc2011 Updated - 13th Apr 2009
In our little company we have used Fprot then F-Secure for maybe 20 years. Only time one of our Windows machines got a virus was when someone accidentally opened a downloaded file by resting on it using his touchpad and which executed rather than letting him delete it! But only took 5 minutes to get rid of it. Dangerous things touch pads unless you turn off execution.
Well...
914four 14th Apr 2009
"Every linux site portrays Windows as evil, pathetic or useless and linux as the savior."

I suspect the reason for that is that Linux doesn't keep asking to check that you aren't a thief. And some people like to know what's under the hood, which Windows doesn't allow.
Tuesday Hell ?
YeaiBetYouDo 14th Apr 2009
How is it Tuesday hell? My machine downloads the updates in the background and installs them the next time I reboot. Most times I don't even notice it until the message appears asking me if I want to reboot now or later.

Windows is also the OS of choice if you want access to the widest range of apps on the planet and the widest range of free apps on the net, and the only reason windows needs so many security patches is because Windows has the most users and therefore is the most attractive target to people who write malicious programs.
Virus writers just aren't interested in you Mac users. I understand this makes you feel like you're always in the shadows while Windows takes center stage in the fight against malware, like you're the understudy that never gets to play the lead role, like the wallflower at the prom who doesn't get asked to dance, always the bridesmaid never the bride. Please don't let this make you become a bitter and spiteful Windows basher. wink
I continue to wonder how many Cnet/ZDnet employees, upon reaching retirement age someday, will realize that they spent their entire careers bashing Microsoft. Boy, there's a "bragging point" for your grandchildren.
I Agree with your statement entirely
Richard Turpin 13th Apr 2009
I agree with your statement. I am starting to think that the whole process at Cnet and ZDnet is run by Linux fans? It's not dissimilar to a newspaper which tries to be politically "centre" and suffers from having employed journalists with "left" tendencies; the newspaper can never reflect a true centre view on politics.

I agree also with another statement that as an IT Pro it does not matter what operating system is in use as long as it does the job. It is after all only a means of fulfilling a purpose.

We also have to remember that some of the bloggers that use the blog are in no way of a professional capacity; they unfortunately buzz around belligerently in a permanent cloud of ********.
I don't find any (unjustified) bashing
honeymonster 14th Apr 2009
in the original blog entry. Seems pretty straight to me. Although it points out one particular vulnerability it is relevant because it was part of a larger controversy at the time.

The annoying part is when the Linux and OSX fanbois come crawling out of the woodwork once a month in an attempt to keep the myth alive that Windows is more vulnerable.
Winbloze is more vulnerable
hasta la Vista, bah-bie 14th Apr 2009
And you should retire that lame IBM report that documents nothing.
MS bashing
balaknair 14th Apr 2009
Could you just point out where in this article the author 'bashes' Microsoft?

Ryan's is one of the few tech blogs I read regularly, and though I don't always agree with his views, I feel he is one of the most impartial tech journos out there, and his posts are usually very relevant. The content of the article might not be too flattering to MS, but that is not Ryan's fault. He merely reports the facts, and nowhere in this article does he pass judgment on *anyone*.

Attacking the author here because the facts make MS look bad (in your opinion) is just childish. Windows has vulnerabilities, so does every other OS out there. Patch the OS, and don't shoot the messenger.
Nobody Bashed Ryan?
Richard Turpin 14th Apr 2009
The statement named no one.... it was a reference to ZDnet and Cnet.
I admire your allegiance sir but this was a generality to the thread that is at times prevalent in the abstract generalisations that are preponderant in the blogs ... colourful though they are at times.
I didn't get any critical updates!
jonc2011 Updated - 14th Apr 2009
I just installed my Patch Tuesday patches and none was listed as "critical". I had 9 important and 2 recommended. On checking my update history, for Vista Business, I see that not a single update (out of 500 odd) since I bought the machine 2 years ago has a critical rating. So I am not sure what is the difference between Ryan's system and mine, that his patches should be critical and mine only important.

This is important to me as some of my coworkers in Central Asia have not registered their MS O/Ss and I need to advise them what to install. Presumably installing an important patch will trigger Microsoft's wrath. So should I advise them to forget about updating at all? ADVICE PLEASE!