Microsoft on Tuesday closed security holes in Excel, Windows and Word that had been exploited in the wild, as well as other holes for which exploit code or details exist, all as part of its monthly patch update cycle.
The critical Excel hole could allow an attacker to take complete control of an unpatched system if a user opens a specially crafted Excel file. Security firm Symantec said in February that it had discovered malicious files in the wild in Japan that attempt to exploit the Excel Unspecified Remote Code Execution Vulnerability.
The patch affects Microsoft Office, 2002, 2003 and 2007, as well as Microsoft Office 2004 and 2008 for the Mac, according to the Microsoft bulletin.
Microsoft also released a patch for a critical vulnerability in WordPad and Office that could allow remote code execution if a specially crafted file is opened in WordPad or Microsoft Word. This vulnerability is currently being exploited on the internet, Microsoft said. It affects Windows 2000, Windows XP, Windows XP Professional, Windows Server 2003, Microsoft Office Word 2000 and Word 2002.
Another patch fixes four critical vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted web page or if a user connects to an attacker's server via HTTP. Exploit code and attack details have been made public for a couple of the vulnerabilities. Affected software is IE 5, 6 and 7.
A patch for Microsoft DirectShow closes a critical vulnerability that could allow an attacker to take complete control of a system if a user opened a specially crafted MJPEG file. It affects DirectX 8 and DirectX 9.
A fifth patch addresses critical vulnerabilities in Windows HTTP services that could allow an attacker to take complete control of the system and for which exploit tools and code have been made public. Affected are Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003 and Server 2008.
Also fixed are important holes in Windows being exploited in the wild that could allow elevation of privilege if an attacker is allowed to log on to a system and run a specially crafted application. Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003 and Server 2008 are affected.
Other patches address less critical holes in Microsoft Internet Security and Acceleration Server 2004 and 2006 and the medium business edition of Forefront Threat Management Gate, as well as SearchPath. Attack details have been made public for the SearchPath blended threat vulnerability. It affects Windows 2000, Windows XP, Windows XP Professional, Windows Vista, Windows Server 2003 and 2008.
In all, Microsoft issued eight patches for about two dozen reported vulnerabilities.
"We were astonished to see how many zero-days are in that release," said Wolfgang Kandek, chief technology officer of Qualys, in reference to exploits that target software with a vulnerability that has not been patched yet.
"Ten of the vulnerabilities have either exploits out in the wild or there is proof-of-concept code available and that's a first, I think, in terms of the number of zero days in a single bulletin," he said. "For the IT guys, that means their window has just shrunk to zero to get these things fixed."
The IE vulnerability is of particular concern, Ben Greenbaum, senior research manager at Symantec Security Response, said in an email statement. The IE hole "appears to be the easiest of the bunch to take advantage of by an attacker and also happens to be the one that requires the least amount of involvement by a user to exploit. An attacker can simply lure a victim into viewing a web page that contains malicious content and that individual's computer can then be taken over", Greenbaum wrote.
Missing from the bulletin was a fix for a zero-day hole in PowerPoint that Microsoft warned on 2 April had been targeted by attackers.
In honour of Patch Tuesday, Check Point Software technologies said it was selling a full version of its ZoneAlarm Internet Security Suite for $9.95 instead of $49.95. The sale runs for 24 hours starting at 6am PDT on Tuesday. Check Point said it will donate half of the proceeds to not-for-profit organisation TechSoup Global.
Talkback
Since Microsoft started providing exploitability information last year, this is the first time we’ve seen six vulnerabilities being exploited in the wild at the time the corresponding bulletins were released. This is definitely putting pressure on IT Teams to get these patches tested in their environments and out to the endpoints in their organisations.
On top of the priority list should be: MS09-009 (“Critical” on Excel 2000 SP3), MS09-010 (“Critical” on Microsoft Word 2000 SP3) and MS09-12 (“Important” on all Microsoft OS platforms). These all have exploit code in the wild and should be quickly addressed, especially for organisations still running Office 2000.
Another key bulletin for IT teams to prioritise is MS09-13. It is not being actively exploited, but does have three separate vulnerabilities (all rating a 1 on the exploitability scale) affecting all active Microsoft OS platforms. A restart is required, so this one has the possibility of wide-scale disruption.
Comments from Microsoft about Patch 12.1.7 for Office 2008 for Mac
Greetings and Salutations
Some folks have mentioned that they have not been able to install the Office 12.1.8 update. I would like to remind folks of some of the caveats that apply to installing an Office update.
NAME
-----
The Apple Installer technology that we are using requires that the application and the folder they reside in maintain their original names. If you have renamed the applications or the folder they reside in, you'll need to revert it to the original names.
LOCATION
------------
While you drag Office anywhere after an install, the Apple Installer technology will not find a copy of Office that is not on a bootable partition. So if you have Office on a spare partition with no OS on it, you'll need to move it to a partition that has an OS on it.
LANGUAGE
-----------
The updater only works on the language it was intended for; therefore, if you installed Italian Office, the German updater will not work for it. Because we use Apple's Installer the UI will match the UI of your OS so judging which updater you got by the UI of the Installer will not work.
MULTIPLE VERSIONS OF DIFFERENT LANGUAGES
------------------------------------
If you have multiple language versions of Office on your machine, then you'll want to put the one you wish to update in your Application folder; update it; then either rename it or move it out and put the next language in the Application folder.
The Installer will search for Office, and if the first one it finds is a different language than the updater it will not keep searching for copies with the matching language.
RESTARTING YOUR MACHINE
------------------------------------
In some instances, the temporary folder used to install the last update does not get deleted. In these instances, the next Office update cannot install – you can rectify this by restarting your machine.
Please also see the Knowledge Base Article we have at
http://www.microsoft.com/mac/help.mspx?MODE=ct&CTT=PageView&clr=99-1-0&target=bee52d73-be77-4544-a5cd-402d9b56b9f41033&srcid=&ep=8&rtype=2&pos=3&quid=dc327dd2-3f60-405a-9477-b711c349ac53
For more information.
I hope this covers most everyone's issues, and if not we are watching this forum, so please describe your situation and we will do our best to help you with INSTALLATION issues.
David Pelton
Microsoft MacBU
Greetings and Salutations
Some folks have mentioned that they have not been able to install the Office 12.1.8 update. I would like to remind folks of some of the caveats that apply to installing an Office update.
NAME
-----
The Apple Installer technology that we are using requires that the application and the folder they reside in maintain their original names. If you have renamed the applications or the folder they reside in, you'll need to revert it to the original names.
LOCATION
------------
While you drag Office anywhere after an install, the Apple Installer technology will not find a copy of Office that is not on a bootable partition. So if you have Office on a spare partition with no OS on it, you'll need to move it to a partition that has an OS on it.
LANGUAGE
-----------
The updater only works on the language it was intended for; therefore, if you installed Italian Office, the German updater will not work for it. Because we use Apple's Installer the UI will match the UI of your OS so judging which updater you got by the UI of the Installer will not work.
MULTIPLE VERSIONS OF DIFFERENT LANGUAGES
------------------------------------
If you have multiple language versions of Office on your machine, then you'll want to put the one you wish to update in your Application folder; update it; then either rename it or move it out and put the next language in the Application folder.
The Installer will search for Office, and if the first one it finds is a different language than the updater it will not keep searching for copies with the matching language.
RESTARTING YOUR MACHINE
------------------------------------
In some instances, the temporary folder used to install the last update does not get deleted. In these instances, the next Office update cannot install – you can rectify this by restarting your machine.
Please also see the Knowledge Base Article we have at
http://www.microsoft.com/mac/help.mspx?MODE=ct&CTT=PageView&clr=99-1-0&target=bee52d73-be77-4544-a5cd-402d9b56b9f41033&srcid=&ep=8&rtype=2&pos=3&quid=dc327dd2-3f60-405a-9477-b711c349ac53
For more information.
I hope this covers most everyone's issues, and if not we are watching this forum, so please describe your situation and we will do our best to help you with INSTALLATION issues.
David Pelton
Microsoft MacBU