
Microsoft patches serious Excel zero-day, Windows flaws

By Robert Westervelt, News Editor
14 Apr 2009 | SearchSecurity.com


Microsoft issued an update to Excel, blocking two serious remote code execution vulnerabilities, including a zero-day flaw being actively exploited by attackers.

Since February, a Trojan called Trojan.Mdropper.AC has been used in targeted attacks, according to several research firms, including Symantec, which first discovered the attacks in Japan. It spreads through a malicious Excel file attachment that makes Excel access an invalid object, causing a memory corruption error. From there, an attacker can execute arbitrary code with the privileges of the user running the application, or simply crash Excel. The MS09-009 update is rated critical for users of Microsoft Office Excel 2000. Microsoft rates it as important for other supported editions of Excel.

The update was one of eight security bulletins Microsoft issued Tuesday as part of its regularly scheduled monthly patch release. The software giant warned that five of the eight bulletins address flaws that could be exploited remotely and were rated critical.

A zero-day vulnerability in WordPad was also addressed in MS09-010. The flaw in the Wordpad Converter for Word 97 files affects Windows 2000 SP4, Windows XP SP2 and Windows Server 2003 SP1 and SP2.

Internet Explorer was also updated, repairing six vulnerabilities that could be exploited to gain user rights on a system. MS09-014 corrects a blended threat remote code execution vulnerability, a credential flaw and several memory corruption errors. The flaws can be exploited by tricking a user into viewing a malicious webpage. The update is rated critical for IE versions 5.01 through 7. IE 8 is not affected by the update.

Patching experts said Tuesday that Microsoft tied together several patches in its bulletins this month, including the IE bulletin, which also corrects the Apple Safari carpet bombing attack. Discovered last year by researcher Nitesh Dhanjani, the attack makes it possible for a malicious website to litter a Windows user's desktop with malicious executable files.

"Microsoft's fix removed the desktop as part of the search path for loading system files," said Eric Schultze, chief technology officer of patch management vendor Shavlik Technologies Inc.
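The Shavlik quote describes the fix as removing the desktop from the search path used to load system files. The following is an added illustration, not code from the article or from Microsoft: a simplified model of search-order resolution (it is not the Windows SearchPath API) that shows why a user-writable directory consulted before the system directory is a problem, and why dropping it from the search order resolves the lookup to the trusted copy. All directory names, file names and the "user-writable" set are constructed for the example.

```python
"""
Simplified model of search-order file resolution.

Educational model only, NOT the Windows SearchPath API. It demonstrates
the risk the article describes: when a directory an ordinary user can
write to (the desktop) is searched before the system directory, a planted
file with the same name as a system library wins the lookup.
"""
import ntpath
from typing import Dict, List, Optional, Set

# Constructed filesystem: directory -> names present in it. The desktop
# holds a planted "helper.dll" shadowing the one in the system directory.
FILESYSTEM: Dict[str, Set[str]] = {
    r"C:\Users\alice\Desktop": {"helper.dll", "notes.txt"},
    r"C:\Windows\System32": {"helper.dll", "kernel32.dll"},
    r"C:\Program Files\App": {"app.exe"},
}

# Directories a non-administrator can write to (constructed).
USER_WRITABLE: Set[str] = {r"C:\Users\alice\Desktop"}
SYSTEM_DIR = r"C:\Windows\System32"

# Search order before the fix: the desktop is consulted before System32.
SEARCH_PATH_BEFORE: List[str] = [
    r"C:\Program Files\App",
    r"C:\Users\alice\Desktop",
    SYSTEM_DIR,
]

# Search order after the fix: the desktop is no longer part of the path.
SEARCH_PATH_AFTER: List[str] = [
    r"C:\Program Files\App",
    SYSTEM_DIR,
]


def resolve(name: str, search_path: List[str],
            fs: Dict[str, Set[str]] = FILESYSTEM) -> Optional[str]:
    """Return the full path of the first directory in search order that
    contains `name`, or None if no directory has it."""
    for directory in search_path:
        if name in fs.get(directory, set()):
            return ntpath.join(directory, name)
    return None


def audit_search_path(search_path: List[str], writable: Set[str],
                      system_dir: str) -> List[str]:
    """Defensive check: list every user-writable directory that is searched
    before the system directory. Any hit means a planted file could shadow
    a system library; an empty list is the desired state."""
    findings: List[str] = []
    for directory in search_path:
        if directory == system_dir:
            break
        if directory in writable:
            findings.append(directory)
    return findings


if __name__ == "__main__":
    print("before:", resolve("helper.dll", SEARCH_PATH_BEFORE))
    print("after: ", resolve("helper.dll", SEARCH_PATH_AFTER))
    print("audit before:", audit_search_path(SEARCH_PATH_BEFORE, USER_WRITABLE, SYSTEM_DIR))
    print("audit after: ", audit_search_path(SEARCH_PATH_AFTER, USER_WRITABLE, SYSTEM_DIR))
```

With the vulnerable order the lookup for `helper.dll` lands on the desktop copy; with the desktop removed it falls through to `System32`. The `audit_search_path` check is the property a defender wants to hold on any search order: no user-writable location ahead of the trusted one.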

A DirectX vulnerability in the Microsoft DirectShow multimedia framework was also corrected Tuesday. The MS09-011 update is rated critical. The flaw can be exploited by tricking a user into opening a malicious MJPEG file. The update affects DirectX 8.1 and 9 on Microsoft Windows 2000, Windows XP and Windows Server 2003.

MS09-013 repairs three flaws in Microsoft Windows HTTP Services (WinHTTP). The service contains a remote code execution vulnerability when handling specific credential values that are returned by a remote Web server. A spoofing vulnerability could also be exploited as a result of incomplete validation. The update is rated critical for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

Microsoft also repaired a year-old token kidnapping vulnerability. MS09-012, rated important, was being exploited in the wild after security researcher Cesar Cerrudo released proof-of-concept code to exploit the vulnerability. Cerrudo, founder and CEO of Argeniss Information Security, warned Microsoft last year about the flaw. The flaw allows accounts commonly used by Windows to bypass new Windows services protection mechanisms and elevate privileges to achieve complete control over the operating system. Microsoft followed up with an advisory offering customers workaround recommendations.

"There's been so much talk around Web application vulnerabilities and SQL Server vulnerabilities that I'm surprised it hasn't been taken advantage of," said Andrew Storms, director of security operations at security and compliance auditing vendor nCircle Network Security Inc. "It's an exploit where you could elevate the privilege of code being written in IIS and once elevated you can run an application on the server side as well."

Microsoft said most customers will have the security update automatically downloaded and installed.

Two vulnerabilities in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG) were also repaired. The update was rated important, but the flaws could allow a denial-of-service condition if an attacker sends specially crafted network packets to an affected system. The software giant also fixed a flaw rated moderate in the Windows SearchPath function.
