Endpoint Protection

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly heavy month—the vendor is releasing eight bulletins covering a total of 21 vulnerabilities. Two of these issues are covered in more than one bulletin: CVE-2008-2540 in MS09-015 and MS09-014, and CVE-2009-0550 in MS09-013 and MS09-014.

Ten of the issues, rated “Critical,” are remote code-execution vulnerabilities affecting WordPad, Word, DirectX, Windows HTTP services, Internet Explorer, and Excel. The remaining issues, rated “Important” and “Moderate,” affect Windows, Internet Explorer, ISA Server, WordPad, and Windows HTTP services. Nearly all of the bulletins this month address issues that were previously disclosed or are variants of those issues.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Block external access at the network perimeter to all but specific sites and computers only.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid following links or handling files from unknown or questionable sources.
- Permit local access to known and trusted individuals only.

Microsoft’s summary of the April releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx

The following is a breakdown of the “Critical” issues being addressed this month:

1. MS09-010 Vulnerabilities in WordPad and Office Text Converters could allow Remote Code Execution (960477)

CVE-2009-0087 (BID 29769) Microsoft Word Bulleted List Handling Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.5/10)

A previously disclosed (June 17, 2008) remote code-execution vulnerability affects the WordPad and Office text converters. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Microsoft Office Word 2000 SP3, and Microsoft Office Word 2002 SP3

CVE-2009-0088 (BID 34469) Microsoft Word 2000 WordPerfect Converter Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects the WordPerfect 6.x converter of Microsoft Word 2000. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious WordPerfect file with Word. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Office Word 2000 SP3 and Microsoft Office Converter Pack

2. MS09-014 Cumulative Security Update for Internet Explorer (963027)

CVE-2009-0551 (BID 34438) Microsoft Internet Explorer Page Transition Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when handling transitions between web pages. An attacker can exploit this issue by tricking a victim into viewing a web page containing malicious content. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Internet Explorer 6, 6 SP1, and 7

CVE-2009-0552 (BID 34423) Uninitialized Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when handling an object that has not been properly initialized or deleted. An attacker can exploit this issue by tricking a victim into viewing a web page containing malicious content. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Internet Explorer 5.01 SP4, 6, and 6 SP1

CVE-2009-0553 (BID 34424) Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when handling an object that has not been properly initialized or deleted. An attacker can exploit this issue by tricking a victim into viewing a web page containing malicious content. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Internet Explorer 6, 6 SP1, and 7

CVE-2009-0554 (BID 34426) Uninitialized Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects Internet Explorer when handling an object that has not been properly initialized or deleted. An attacker can exploit this issue by tricking a victim into viewing a web page containing malicious content. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Internet Explorer 5.01 SP4, 6, 6 SP1, and 7

3. MS09-009 Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557)

CVE-2009-0100 (BID 34413) Microsoft Excel Malformed Object Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects Excel when handling a specially crafted Excel file. An attacker can exploit this issue by tricking a victim into opening a malicious file with an affected application. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Office Excel 2000 SP3, Microsoft Office Excel 2002 SP3, Microsoft Office Excel 2003 SP3, Microsoft Office Excel 2007 SP1, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Microsoft Office Excel Viewer 2003 SP3, Microsoft Office Excel Viewer and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1

CVE-2009-0238 (BID 33870) Microsoft Excel Invalid Object Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.9/10)

A previously disclosed (Feb. 23, 2009), a remote code-execution vulnerability affects Excel when handling an invalid object in a specially crafted Excel file. An attacker can exploit this issue by tricking a victim into opening a malicious file with an affected application. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Office Excel 2000 SP3, Microsoft Office Excel 2002 SP3, Microsoft Office Excel 2003 SP3, Microsoft Office Excel 2007 SP1, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, Microsoft Office Excel Viewer 2003 SP3, Microsoft Office Excel Viewer and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1

4. MS09-013 Vulnerabilities in Windows HTTP services could allow Remote Code Execution (960803)

CVE-2009-0086 (BID 34435) Microsoft WinHTTP Integer Underflow Memory Corruption Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.3/10)

A remote code execution vulnerability affects Windows HTTP services (WinHTTP API) due to how it handles certain parameters returned from a remote Web server. An attacker must get an application using the affected API to connect to an attacker-controlled server to exploit this issue. This may be accomplished through social engineering, or through other attacks. Successful exploits will result in the execution of attacker-supplied code in the context of the application using the API.

Affects: Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP1 and SP2, Windows Server 2003 x64 Edition, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP1 and SP2 for Itanium-based Systems, Windows Vista, Windows Vista SP1, Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Server 2008 for 32-bit Systems, x64-based Systems, and Itanium-based Systems

5. MS09-011 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)

CVE-2009-0084 (BID 34460) Microsoft DirectX DirectShow MJPEG Video Decompression Remote Code Execution Vulnerability
(MS rating: Critical / Symantec Urgency Rating 8.3/10)

A remote code execution vulnerability affects DirectShow when handling a specially crafted compressed ‘MJPEG’ file. An attacker can exploit this issue by tricking a victim into viewing a specially crafted streaming video file. Successful exploits will result in the execution of arbitrary code in the context of the currently logged-in user.

Affects: DirectX 8.1 and 9.0

More information on this and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.