Microsoft Security Bulletins for the Month of April

Number: AV09-018
Date: 14 April 2009

Purpose

The purpose of this advisory is to bring attention to the following critical vulnerabilities in various Microsoft products.

Assessment

Microsoft has released the following eight security bulletins:

MS09-009 Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557)
--------
Details: This security update resolves a privately reported and a publicly disclosed vulnerability. The vulnerabilities could allow remote code execution if the user opens a specially crafted Excel file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: Microsoft Office
CVE reference: CVE-2009-0100 and CVE-2009-0238
http://www.microsoft.com/technet/security/bulletin/MS09-009.mspx

MS09-010 Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
--------
Details: This security update resolves two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office text converters. The vulnerabilities could allow remote code execution if a specially crafted file is opened in WordPad or Microsoft Office Word.

Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: Microsoft Windows and Microsoft Office
CVE reference: CVE-2009-0087, CVE-2008-4841, CVE-2009-0088 and CVE-2009-0235
http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx

MS09-011 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)
--------
Details: This security update resolves a privately reported vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if a user opened a specially crafted MJPEG file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: 2 - Inconsistent exploit code likely
Affected Products: Microsoft Windows
CVE reference: CVE-2009-0084
http://www.microsoft.com/technet/security/Bulletin/ms09-011.mspx

MS09-012 Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
--------
Details: This security update resolves four publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker is allowed to log on to the system and then run a specially crafted application. The attacker must be able to run code on the local machine in order to exploit this vulnerability. An attacker who successfully exploited any of these vulnerabilities could take complete control over the affected system.

Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Important
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: Microsoft Windows
CVE reference: CVE-2008-1436, CVE-2009-0078, CVE-2009-0079 and CVE-2009-0080
http://www.microsoft.com/technet/security/Bulletin/ms09-012.mspx

MS09-013 Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
--------
Details: This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Windows HTTP Services (WinHTTP). The most severe vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: Microsoft Windows
CVE reference: CVE-2009-0086, CVE-2009-0089 and CVE-2009-0550
http://www.microsoft.com/technet/security/bulletin/MS09-013.mspx

MS09-014 Cumulative Security Update for Internet Explorer (963027)
--------
Details: This security update resolves four privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol.

Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: 1 - Consistent exploit code likely
Affected Products: Microsoft Windows and Internet Explorer
CVE reference: CVE-2008-2540, CVE-2009-0550, CVE-2009-0551, CVE-2009-0552, CVE-2009-0553 and CVE-2009-0554
http://www.microsoft.com/technet/security/Bulletin/MS09-014.mspx

MS09-015 Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)
--------
Details: This security update resolves a publicly disclosed vulnerability in the Windows SearchPath function that could allow elevation of privilege if a user downloaded a specially crafted file to a specific location, then opened an application that could load the file under certain circumstances.

Impact of Vulnerability: Elevation of Privilege
Maximum Severity Rating: Moderate
Maximum Exploitability Index: 2 - Inconsistent exploit code likely
Affected Products: Microsoft Windows
CVE reference: CVE-2008-2540
http://www.microsoft.com/technet/security/Bulletin/MS09-015.mspx

MS09-016 Vulnerabilities in Microsoft ISA Server and Forefront Threat
--------
Details: This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG), Medium Business Edition (MBE). These vulnerabilities could allow denial of service if an attacker sends specially crafted network packages to the affected system, or information disclosure if a user clicks on a malicious URL or visits a Web site that contains content controlled by the attacker.

Impact of Vulnerability: Denial of Service
Maximum Severity Rating: Important
Maximum Exploitability Index: 3 - Functioning exploit code unlikely
Affected Products: Microsoft Forefront Edge Security
CVE reference: CVE-2009-0077 and CVE-2009-0237
http://www.microsoft.com/technet/security/bulletin/MS09-016.mspx

Note: Microsoft also released an updated version of the Microsoft Windows Malicious Software Removal Tool (MSRT). http://support.microsoft.com/kb/890830/

Suggested action

CCIRC recommends that administrators test and install these updates at the earliest opportunity.

References:
http://www.microsoft.com/technet/security/bulletin/MS09-Apr.mspx

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
