No fewer than 21 vulnerabilities were published on the April Microsoft Patch Day, spread across eight bulletins. Five of them are rated critical because a remote attacker can exploit them to execute arbitrary code:

MS09-009: two vulnerabilities in Excel (Ref Lexsi 11548 and 11344), including the 0-day vulnerability dating back to February.

MS09-010: four vulnerabilities in WordPad and the Office text converters (Ref Lexsi 11549, 11034 and 10724), including the already known vulnerability used in targeted attacks. In the FAQ, the sentence "Exploit code is publicly available of a variant of this issue that may cause a Denial of Service condition in WordPad" seems to refer to an exploit published on Milw0rm in September 2008.

MS09-011: a vulnerability in the DirectShow component of DirectX (Ref Lexsi 11550).

MS09-013: three vulnerabilities in Windows HTTP Services (Ref Lexsi 11552), an API used, for example, by UPnP.

MS09-014: six vulnerabilities in Internet Explorer (Ref Lexsi 11553).

Two bulletins are rated important:

MS09-012: four vulnerabilities in Windows (Ref Lexsi 10015 and 11551). The underlying privilege escalation technique was presented by Cesar Cerrudo in his Token Kidnapping talk at HITB 2008.

MS09-016: two vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (the successor to ISA) (Ref Lexsi 11555), one of which allows an attacker to cause a denial of service.

Finally, one bulletin is rated moderate:

MS09-015: one vulnerability in the SearchPath function of Windows (Ref Lexsi 8970), fixing a known issue that allows an attacker to execute arbitrary code through Internet Explorer if they can drop a malicious file with the same name as a system library on the victim's desktop. By default, Apple Safari before 3.1.2 saved every downloaded file to the desktop without prompting (the so-called Safari "carpet bomb"), which made this vulnerability easy to exploit.
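To make the search-order problem concrete, here is an added Python model of the SearchPath() lookup order; it is not code from the original post or from Microsoft. The directory names, the victim user and the two library names (library.dll, orphan.dll) are constructed for illustration. The order itself follows Microsoft's documented behaviour: by default the current directory is consulted before the system directories, and the "safe process search mode" introduced with MS09-015 (the SafeProcessSearchMode registry value) moves the current directory after them. The 16-bit system directory is omitted from the model for brevity.

```python
"""In-memory model of Windows SearchPath() resolution, before and after MS09-015.

Constructed example: nothing here touches the real filesystem. Directory names,
the user name and the library names are assumptions made for illustration.
"""
from typing import Dict, List, Optional

# Directories consulted when SearchPath() is called with no explicit path.
APP_DIR = r"C:\Program Files\Internet Explorer"   # where the process image lives
CWD = r"C:\Users\victim\Desktop"                  # assumed current directory of the process
SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Windows\System32\Wbem"]         # assumed contents of %PATH%

# Constructed filesystem: the attacker has planted two files on the desktop.
# library.dll shadows a genuine system library; orphan.dll exists nowhere else.
FS: Dict[str, List[str]] = {
    SYSTEM_DIR: ["library.dll", "kernel32.dll"],
    CWD: ["library.dll", "orphan.dll", "holiday.jpg"],
    APP_DIR: ["iexplore.exe"],
}


def search_order(safe_mode: bool) -> List[str]:
    """Return the directory list SearchPath() walks, in order.

    Default mode: application dir, current dir, system dir, Windows dir, PATH.
    Safe mode (SafeProcessSearchMode, added by MS09-015): the current directory
    is searched only after the system and Windows directories.
    """
    if safe_mode:
        return [APP_DIR, SYSTEM_DIR, WINDOWS_DIR, CWD] + PATH_DIRS
    return [APP_DIR, CWD, SYSTEM_DIR, WINDOWS_DIR] + PATH_DIRS


def search_path(filename: str, fs: Dict[str, List[str]], safe_mode: bool) -> Optional[str]:
    """Resolve filename to the first directory in search order that contains it."""
    for directory in search_order(safe_mode):
        if filename in fs.get(directory, []):
            return directory + "\\" + filename
    return None


def is_hijacked(filename: str, fs: Dict[str, List[str]], safe_mode: bool) -> bool:
    """True if the lookup lands on the attacker-controlled current directory."""
    resolved = search_path(filename, fs, safe_mode)
    return resolved is not None and resolved.startswith(CWD + "\\")


def demo() -> Dict[str, bool]:
    """Summarise which lookups are hijacked in each mode."""
    return {
        "library.dll/default": is_hijacked("library.dll", FS, safe_mode=False),
        "library.dll/safe": is_hijacked("library.dll", FS, safe_mode=True),
        "orphan.dll/default": is_hijacked("orphan.dll", FS, safe_mode=False),
        "orphan.dll/safe": is_hijacked("orphan.dll", FS, safe_mode=True),
    }


if __name__ == "__main__":
    for name, hijacked in demo().items():
        print(f"{name:22s} hijacked={hijacked}")
```

The caveat worth noticing: safe search mode only protects libraries that genuinely exist in the system directories. A name the process asks for that is present nowhere but the current directory (orphan.dll above) still resolves there in both modes, so the durable fix is for applications to load libraries by full path or to set an explicit search path rather than relying on SearchPath() defaults.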

It is worth noting that the PowerPoint 0-day that became public at the beginning of the month remains unpatched.

NB: two CVEs each appear in two different bulletins, which is why there are 21 vulnerabilities and not 23 :)

The MSRT has also been updated to remove the Waledac malware family, whose main purpose is to harvest email addresses from the infected system in order to send spam, and to steal sensitive information such as passwords.

Recall that part of the Conficker.C payload spread over P2P tried to connect to a Waledac domain. Moreover, the Waledac authors have just launched a new campaign promoting a piece of software that supposedly lets you read SMS messages from your neighbour's phone...

Oracle has also released its April 2009 Critical Patch Update (Ref Lexsi 11556), fixing 43 vulnerabilities across various products (Database, Application Server, WebLogic, etc.).