Microsoft fixes 28 vulnerabilities in its products
Microsoft have released ten patches to fix a total of 28 security vulnerabilities. Microsoft regards many of the vulnerabilities as critical, because they enable malicious code to be injected and executed. The most dramatic affects Internet Explorer in particular: just one cumulative update alone closes eight vulnerabilities in versions 5.01 to 8, six of which can cause infection of the system if a crafted web site is visited
The success of an attack however also depends on the operating system being used. Under Windows Server 2003 and 2008, Internet Explorer runs in a special "restricted mode" that makes attacks difficult. Microsoft moreover considers it likely that only one of the eight bugs will spawn a functioning exploit.
An update to Active Directory eliminates a DoS vulnerability, and another prevents the compromise of a system – though as a rule only by attackers from the local network or those that have gained access to the LAN from the internet.
A patch has also been dedicated to the printer spooler to prevent two privilege-escalation vulnerabilities and the remote provocation and exploitation of a buffer overflow. Word, Excel and Works Converter are given further updates. The Excel update kills seven entry routes for specific attacks using infected documents.
The collection of updates also includes patches to close the WebDAV vulnerabilities in Internet Information Server (IIS) 5.0, 5.1 and 6.0. Microsoft has also eliminated a further error existing in the kernel from Windows 2000 to Server 2008 that can be misused by users with restricted rights to access the system they are logged in to.
One of the published updates stops the Marshalling Engine RPC allowing the execution of arbitrary code. Microsoft only classifies the update to solve the problem as "important", because the error should not occur in the default configuration. However, RPC applications from other sources could be affected.
The tenth update prevents Windows Search giving certain information away to unauthorised parties. As expected, there is still no patch for the DirectShow vulnerability. The Microsoft Security Response Center says people are working feverishly on a patch. Until one is ready, users are recommended to download and run the workaround as an installer file (.msi). This deletes a certain key from the registry, preventing the parsing of QuickTime movies by the vulnerable Quartz.dll library.
- 2009, Microsoft Security Bulletin Summary for June 2009