April is here and is turning out to be a typical, busy month, if one can call it that. In general, when we have a large release, the number of updates ranges from 7-12. With this in mind, we released eight security updates this month: 5 rated as Critical, 2 rated as Important, and one rated as Moderate.

 

MS09-009

 

This bulletin addresses two remote code execution vulnerabilities in Microsoft Excel. An attacker could exploit the vulnerability by sending a user a malformed Microsoft Excel file. Upon opening the file code can run in the context of the logged on user. We are aware of public exploits of these vulnerabilities. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates.

 

A rating of Critical has only been assigned to Microsoft Office Excel 2000. The other applicable versions are rated as Important. If the Office Document Open Confirmation Tool has been downloaded and installed on a system with Microsoft Office Excel 2000, the user will first be prompted with a dialog box. This functionality is already built in to newer versions of Microsoft Office.

 

 

MS09-010

 

This bulletin addresses four remote code execution vulnerabilities in Microsoft WordPad and Microsoft Office text converters. An attacker could exploit the vulnerability by sending a user a malformed file. Upon opening the file code can run in the context of the logged on user. We are aware of public exploits of these vulnerabilities. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates.

 

A rating of Critical has only been assigned to Microsoft Office Word 2000 Service Pack 3. The other applicable versions are rated as Important. If the Office Document Open Confirmation Tool has been downloaded and installed on a system with Office Word 2000 Service Pack 3, the user will first be prompted with a dialog box. This functionality is built in to newer versions of Microsoft Office. There are effective mitigations noted in the bulletin that are temporary measures until you test and deploy the updates. One of the mitigations is blogged about in greater detail than the bulletin. You can find this information on the Security Defense & Research blog.

 

The last thing I will mention is the fact that the Microsoft Security Intelligence Report Volume 6  provides insights into document file formats vulnerabilities and common exploitation techniques.

 

MS09-011

 

This bulletin addresses privately reported remote code execution vulnerability in Microsoft DirectX and is rated as Critical. An attacker could exploit this vulnerability by sending a malformed MJPEG file to a user of a system. If a user opened the file, code execution of the attacker’s choice would run in the context of the logged in user. Unregistering the quartz.dll or disabling the decoding of MJPEG content in Quartz.dll is a temporary measure that can be used while testing and deploying the update. Please see the bulletin to understand impact of the workarounds as they affect functionality.

 

 

MS09-012

 

This bulletin addresses several elevation of privilege vulnerabilities in Microsoft Windows and is rated as Important. The elevation of privilege vulnerabilities are commonly known as Token Kidnapping and was first described in Microsoft Security Advisory 951306. A supplemental blog will be posted here as well as a technical deep dive on the Security and Research Defense blog. It can be found here: http://blogs.technet.com/srd/

 

 

MS09-013

 

Microsoft Windows HTTP Services (WinHTTP) contains three vulnerabilities, two of which could allow for remote code execution running in the context of the logged on user. The bulletin is rated as Critical. WinHTTP is a technology within itself. As such, Internet Explorer does not use WinHTTP services.

 

MS09-014

 

Internet Explorer contains several remote code execution vulnerabilities and is rated as Critical. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol. This security update also addresses a vulnerability first described in Microsoft Security Advisory 953818. As you will see, MS09-015 also addresses this Advisory. Details as to why can be found in both bulletins.

 

MS09-015

 

This bulletin addresses a vulnerability in SearchPath which could allow for an elevation of privilege and is rated as Moderate. It’s worth mentioning here that this security update addresses the issue detailed in Advisory 953818: “Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform”.  Among other information in the bulletin I want to note that we added a new api as a defense in depth measure. It is called SetSearchPathMode. This new API allows for a per-process mode when using the SearchPath function to locate files. This allows applications to force the current directory to be searched after the application and system locations. This defense in depth measure is not enabled by default. Please see the bulletin for additional information.

 

MS09-016

 

This bulletin address vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) and is rated as Important. These vulnerabilities could allow denial of service if an attacker sends specially crafted network packages to the affected system, or information disclosure or spoofing if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker.

 

There are several mitigating factors noted in bulletin; one of which I will note here regarding the cross-site scripting (XSS) vulnerability. ISA Server 2006 and Forefront TMG MBE deployments that do not have any Web publishing rules are not vulnerable by default. If ISA Server 2006 or Forefront TMG MBE is installed in a traditional firewall role and is not publishing any internal Web sites to the Internet, the vulnerable Web Filter will not be exposed (the port will be blocked).

 

My colleague Jonathan, in the MSRC, is providing guidance as it relates to suggestions for prioritization of the security updates. This information can be found at the Security Research & Defense blog site.

 

As a postscript to this posting I want to share some thoughts with you regarding the advisories.

 

Of the eight updates, five address vulnerabilities that Microsoft has issued security advisories for:

 

 

·         Excel vulnerability: Security Advisory 968272 was released Feb. 24, 2009,

·         WordPad: Security Advisory 960906 was released Dec. 9 2008, more related information can be found at Security Research & Defense blog.

·         CarpetBombing: Security Advisory 953818 was released May 30, 2008, more related information can be found at Security Research & Defense blog

·         Token Kidnapping: Security Advisory 951306 was released April 17, 2008, more related information can be found at Security Research & Defense blog.

 

The question becomes, why does it take so long for Microsoft to release a security update?

 

When we here at Microsoft are asked this question: our answer is “we want to get this right.” Or to put it another way, we are constantly asking ourselves during any given release cycle “are we doing the right thing for our customers?” If as a result of any given investigation, we find a variant of a vulnerability we are fixing; do we dig deeper to make sure we cover all our bases, or do we just fix what we can see and ship the update because of external pressures? “Are we doing the right thing for our customers?”

 

If we find, at the 11th hour, an application compatibility issue that breaks third party software, do we ship anyway because we don’t want to get bad press? “Are we doing the right thing for our customers”?

 

Do we spread out the release of open advisories so no one notices, but not ship them when ready? “Are we doing the right thing for our customer?”

 

I will say that we will do the right thing for our customers; we will dig deeper; we will hold a low quality update; and we will release an update when it is ready for broad distribution; no sooner or no later.

 

*Postings are provided "AS IS" with no warranties, and confers no rights.*

April 14: Updated to include hyperlinks for bulletins