Security update for Internet Explorer, DirectX and Excel
Eight updates from Microsoft aim to patch a total of 23 security vulnerabilities in various components and applications. Microsoft classifies a number of them as critical, because they allow code to be injected and executed remotely.
The cumulative update (MS09-014) for Internet Explorer alone eliminates six vulnerabilities in versions 5, 6 and 7, although not all of them are present in every version. Some expose users to an attack when they merely visit a crafted web site, though Microsoft reckons that, because of the complexity of these vulnerabilities, it's very unlikely that practical exploits exist. At least no vulnerabilities have yet been found in Internet Explorer 8.
The MS09-009 and MS09-010 updates eliminate two vulnerabilities in Excel and four in the Wordpad and Office text converters. One of the vulnerabilities in Excel had been known for at least six weeks, and had already been exploited for targeted attacks. There is still no patch for the vulnerability in PowerPoint that came to light last week. Update MS09-011 is intended to correct an error in DirectX 8.1 and 9.0 (a, b, c). The error caused a problem in DirectShow when manipulated MJPEG streams were played back, allowing code to be injected and executed.
Microsoft's WinHTTP programming interface contains three vulnerabilities that the MS09-013 update is supposed to rectify. Among other things, attackers could use malicious servers to provoke an integer underflow, which could then be exploited to compromise a system. WinHTTP is used by Microsoft Windows components (including UPnP) and by third-party software. Because of an error while processing certificates, applications based on WinHTTP can be fooled into thinking that certificates are valid. The update also irons out the long-known SMB reflection vulnerability that now also affects WinHTTP.
Windows update MS09-012 is meant to prevent users with limited rights from elevating their privileges because of errors in the Microsoft Distributed Transaction Coordinator (MSDTC), the WMI provider and the RPCSS service. The update also ensures that Windows access control lists (ACLs) will, in future, be correctly enforced. Microsoft says attacks are already being made against all four vulnerabilities: "This security vulnerability is currently being exploited in the internet environment". That isn't an overwhelming surprise, given that the vulnerabilities became known a year ago. Cesar Cerrudo discussed the problems at the HITBSecConf2008 security conference as long ago as April 2008.
Microsoft has eliminated a less threatening vulnerability in the SearchPath function (MS09-015), although for a successful attack the victim must download a certain file and open it on the desktop. The MS09-016 update makes the Microsoft ISA Server and the Forefront Threat Management Gateway (Medium Business Edition) less susceptible to attacks via two denial-of-service vulnerabilities. One of these allowed the web listener to be halted by certain TCP packets.
Users shouldn't hesitate to install the updates as quickly as possible. This wouldn't be the first time that, in spite of Microsoft's evaluation, exploits appeared relatively quickly to take advantage of vulnerabilities in Internet Explorer.