Microsoft Patch Tuesday whopper: Eight bulletins fix 23 holes in Windows, Office, IE and more

Analysis
Apr 14, 20093 mins

Today is Patch Tuesday and it’s a whopper! Not only does it fix 23 vulnerabilities in eight updates (five rated critical), but experts say that the critical holes are already being exploited in the wild. The eight security bulletins fix vulnerabilities in Windows, Microsoft Office, Internet Explorer and Microsoft Internet Security and Acceleration Server. Experts say zero-day exploits exist for vulnerabilities addressed in MS09-009 (Excel), MS09-010 (WordPad, Office), MS09-012 (DirectX), MS09-013 (Windows HTTP Services) and MS09-014 (Internet Explorer), plus attack code has been seen for the hole in MS09-015 (the Windows SearchPath function), which is rated “moderate.” Here is the summary of today’s patches from Christopher Budd, security response communications lead for Microsoft, including links to all of the updates.

Microsoft’s April Bulletin Release
  • MS09-009 (Maximum severity of Critical): This update resolves a newly discovered, privately reported and a publicly disclosed vulnerability in Microsoft Excel. This update received a 1 – Consistent Exploit Code Likely rating from Microsoft’s Exploitability Index.
  • MS09-010 (Maximum severity of Critical): This update resolves two publicly disclosed vulnerabilities and two privately reported vulnerabilities in Microsoft WordPad and Microsoft Office Text Converters.  This update received a 1 – Consistent Exploit Code Likely rating from Microsoft’s Exploitability Index.
  • MS09-011 (Maximum severity of Critical): This update resolves a newly discovered and privately reported vulnerability in Microsoft DirectX. This update received a 2 – Inconsistent Exploit Code Likely rating from Microsoft’s Exploitability Index.
  • MS09-012 (Maximum severity of Important): This update resolves four publicly disclosed vulnerabilities in Microsoft Windows. This update received a 1 – Consistent Exploit Code Likely rating from Microsoft’s Exploitability Index.
  • MS09-013 (Maximum severity of Critical): This update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Windows HTTP Services (WinHTTP). This update received a 1 – Consistent Exploit Code Likely rating from Microsoft’s Exploitability Index.
  • MS09-014 (Maximum severity of Critical): This update resolves four privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. This update received a 1 – Consistent Exploit Code Likely rating from Microsoft’s Exploitability Index.
  • MS09-015 (Maximum severity of Moderate): This update resolves one publicly disclosed vulnerability in the Windows SearchPath function. This update received a 2 – Inconsistent Exploit Code Likely rating from Microsoft’s Exploitability Index.
  • MS09-016 (Maximum severity of Important): This update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG), Medium Business Edition (MBE). This update received a 3 – Functioning Exploit Code Unlikely rating from Microsoft’s Exploitability Index.

Visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)

Adding Some Zoom to Office PowerPoint 2007Fear and Loathing in Windows 75 Tactics Microsoft Is Using To Battle Linux for Cloud DominanceCloud computing explained in easy to understand termsFontList Fills Another Windows GapApril giveaways galore: Microsoft UC and Office 2007 books, free training from Global Knowledge Follow Microsoft Subnet on Twitter