Microsoft patches serious Excel zero-day, Windows flaws

By Robert Westervelt, News Editor
15 Apr 2009 | SearchSecurity.com

Microsoft issued an update to Excel, blocking two serious remote code execution vulnerabilities, including a zero-day flaw being actively exploited by attackers.

Since February, a Trojan called Trojan.Mdropper.AC has been used in targeted attacks, according to several research firms, including Symantec, which first discovered the attacks in Japan. It spreads through a malicious Excel file attachment that makes Excel access an invalid object, causing a memory corruption error. From there, an attacker can execute arbitrary code with the privileges of the user running the application, or crash Excel. The MS09-009 update is rated critical for users of Microsoft Office Excel 2000; Microsoft rates it as important for other supported editions of Excel.

The update was one of eight security bulletins Microsoft issued Tuesday as part of its regularly scheduled monthly patch release. The software giant warned that five of the eight bulletins addressed flaws that could be exploited remotely and were rated critical.

A zero-day vulnerability in WordPad was also addressed in MS09-010. The flaw in the WordPad converter for Word 97 files affects Windows 2000 SP4, Windows XP SP2 and Windows Server 2003 SP1 and SP2.

Internet Explorer was also updated, repairing six vulnerabilities that could be exploited to gain the rights of the logged-on user on a system. MS09-014 corrects a blended-threat remote code execution vulnerability, a credential flaw and several memory corruption errors. The flaws can be exploited by tricking a user into viewing a malicious webpage. The update is rated critical for IE versions 5.01 through 7; IE 8 is not affected.

Patching experts said Tuesday that Microsoft tied together several patches in its bulletins this month, including the IE fixes, which also correct the Apple Safari "carpet bombing" attack. Discovered last year by researcher Nitesh Dhanjani, the attack makes it possible for a malicious website to litter a Windows user's desktop with malicious executable files.

"Microsoft's fix removed the desktop as part of the search path for loading system files," said Eric Schultze, chief technology officer of patch management vendor Shavlik Technologies Inc.

A DirectX vulnerability in the Microsoft DirectShow multimedia framework was also corrected Tuesday. The MS09-011 update is rated critical. The flaw can be exploited by tricking a user into opening a malicious MJPEG file. The update affects DirectX 8.1 and 9 on Microsoft Windows 2000, Windows XP and Windows Server 2003.

MS09-013 repairs three flaws in Microsoft Windows HTTP Services (WinHTTP). The service contains a remote code execution vulnerability in its handling of specific credential values returned by a remote Web server. A spoofing vulnerability could also be exploited as a result of incomplete validation. The update is rated critical for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

Microsoft also repaired a year-old token kidnapping vulnerability. MS09-012, rated important, was being exploited in the wild after security researcher Cesar Cerrudo released proof-of-concept code for the vulnerability. Cerrudo, founder and CEO of Argeniss Information Security, warned Microsoft about the flaw last year. The flaw allows accounts commonly used by Windows to bypass the newer Windows services protection mechanisms and elevate privileges to gain complete control over the operating system. Microsoft followed up with an advisory offering customers workaround recommendations.

"There's been so much talk around Web application vulnerabilities and SQL Server vulnerabilities that I'm surprised it hasn't been taken advantage of," said Andrew Storms, director of security operations at security and compliance auditing vendor nCircle Network Security Inc. "It's an exploit where you could elevate the privilege of code being written in IIS and once elevated you can run an application on the server side as well."

Microsoft said most customers will have the security update automatically downloaded and installed.

Two vulnerabilities in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG) were also repaired. The update was rated important, but the flaws could allow a denial-of-service condition if an attacker sends specially crafted network packets to an affected system. The software giant also fixed a flaw rated moderate in the Windows SearchPath function.

All Rights Reserved, Copyright 2008 - 2010, TechTarget | Read our Privacy Policy