Microsoft pushes out eight fixes for 23 bugs
By Dan Kaplan
Microsoft on Tuesday released eight security bulletins -- five of them addressing at least one vulnerability rated "critical" -- to correct a total of 23 flaws, several of which are already being exploited in the wild.
The largest patch batch of the year comes loaded with pressing fixes. Wolfgang Kandek, CTO of vulnerability management firm Qualys, said six of the vulnerabilities already have been used by attackers and four have publicly available exploit code.
Perhaps the highest profile of that lot is a zero-day Excel flaw that was publicly disclosed in February and is being exploited in limited, targeted attacks, according to Microsoft. It was plugged Tuesday by bulletin MS09-009.
Conficker has dominated the headlines of late, prompting continued calls for organizations to patch the server-side vulnerability -- fixed by MS08-067 -- that the worm uses to spread. By contrast, Tuesday's update consisted mostly of client-side issues.
Aside from the Office fix, administrators also will need to patch four bugs in Internet Explorer (IE). To exploit one of the IE flaws and take control of a victim's system, an attacker need only persuade the victim to view a malicious website, said Ben Greenbaum, senior research manager at Symantec Security Response, in a statement.
"This collection of Internet Explorer patches...is a positive step since the web has become the primary conduit for attacks against end-users," he said. "You can imagine how dangerous this can be, especially if the user has administrator rights."
Tuesday's update also addresses critical client-side flaws in WordPad and in the DirectShow component of DirectX, a collection of application programming interfaces (APIs) for handling multimedia tasks, such as game programming.
"Essentially, the vulnerability allows an attacker to create a malicious movie that, when viewed, would give the attacker complete control of the computer," Holly Stewart, IBM Internet Security Systems' X-Force researcher, said in a statement. "Although there are no public details about this vulnerability yet, attackers have favored this type of exploitation method heavily in the past year."
The final critical fix takes care of three vulnerabilities in Windows HTTP Services, which provides developers with an HTTP client API.
The update also contained two fixes rated "important." One addresses four vulnerabilities in Windows that could enable privilege escalation and so-called "token kidnapping." The other plugs two flaws in Internet Security and Acceleration (ISA) Server and Forefront Threat Management Gateway, one of which could permit cross-site scripting.
The last of the eight patches addresses a vulnerability in the Windows SearchPath function that could be used to escalate privileges. It was graded "moderate" but corrects a highly publicized issue dating back to last May, in which an attacker could combine the Windows flaw with a weakness in the Apple Safari browser on Windows to orchestrate a blended attack.