To get security news and tips delivered to your inbox, click here to
Microsoft issued an update to Excel, blocking two serious remote code execution vulnerabilities, including a zero-day flaw being actively exploited by attackers.
Since February, a Trojan called Trojan.Mdropper.AC, has been used in targeted attacks, according to several research firms, including Symantec, which first discovered the attacks in Japan. It spreads through a malicious Excel file attachment that makes Excel access an invalid object causing a memory corruption error. From there, an attacker executes arbitrary code with the privileges of the user running the application or can crash Excel. The MS09-009 update is rated critical for users of Microsoft Office Excel 2000. Microsoft rates it as important for other supported editions of Excel.
The update was one of eight security bulletins Microsoft issued Tuesday as part of is regularly scheduled monthly patching schedule. The software giant warned that five of the eight bulletins could be exploited remotely and were rated critical.
Feb. - Microsoft fixes critical IE 7, Exchange flaws: Memory corruption errors in IE 7 and a message processing error in Exchange leave systems vulnerable to attack, Microsoft said.
Jan. - Microsoft updates critical SMB server flaws: The latest Microsoft security update addresses two critical remote code execution vulnerabilities and a denial-of-service flaw in the Server Message Block.
A zero-day vulnerability in WordPad was also addressed in MS09-010. The flaw in the Wordpad Converter for Word 97 files affects Windows 2000 SP4, Windows XP SP2 and Windows Server 2003 SP1 and SP2.
Internet Explorer was also updated, repairing six vulnerabilities that could be exploited to gain user rights on a system. MS09-014 corrects a blended threat remote code execution vulnerability, a credential flaw and several memory corruption errors. The flaws can be exploited by tricking a user to view a malicious webpage. The update is rated critical for versions of IE 5.01-7. IE 8 is not affected by the update.
Patching experts said Tuesday that Microsoft tied together several patches in its bulletins this month, including flaws addressed in IE, which corrects the Apple Safari carpet bombing attack Discovered last year by researcher Nitesh Dhanjani, the attack makes it possible for a malicious website to litter a Windows user's desktop with malicious executable files.
"Microsoft's fix removed the desktop as part of the search path for loading system files," said Eric Schultze, chief technology officer of patch management vendor Shavlik Technologies Inc.
A DirectX vulnerability in Microsoft DirectShow multimedia framework was also corrected Tuesday. The MS09-011 update is rated critical. The flaw can be exploited by tricking a user to open a MJPEG file. The update affects DirectX 8.1 and 9 on Microsoft Windows 2000, Windows XP and Windows Server 2003.
MS09-013repairs three flaws in Microsoft Windows HTTP Services (WinHTTP). The service contains a remote code execution vulnerability when handling specific credential values that are returned by a remote Web server. A spoofing vulnerability could also be exploited as a result of incomplete validation. The update is rated critical for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.
Microsoft also repaired a year-old token kidnapping vulnerability. MS09-012, rated important, was being exploited in the wild after security researcher Cesar Cerrudo released proof-of-concept code to exploit the vulnerability. Cerrudo, founder and CEO of Argeniss Information Security warned Microsoft last year about the flaw. The flaw allows accounts commonly used by Windows to bypass new Windows services protection mechanisms and elevate privileges to achieve complete control over the operating system. Microsoft followed up with an advisory offering customers workaround recommendations.
"There's been so much talk around Web application vulnerabilities and SQL Server vulnerabilities that I'm surprised it hasn't been taken advantage of," said Andrew Storms, director of security operations at security and compliance auditing vendor nCircle Network Security Inc."It's an exploit where you could elevate the privilege of code being written in IIS and once elevated you can run an application on the server side as well."
Microsoft said most customers will have the security update automatically downloaded and installed.
Two vulnerabilities in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG) were also repaired. The update was rated important, but could allow a denial-of-service condition if an attacker sends specially crafted network packages to an affected system. The software giant also fixed a flaw rated moderate in the Windows SearchPath function.