April 9th, 2009

Patch Tuesday heads-up: 8 bulletins, 5 critical

Posted by Ryan Naraine @ 11:06 am

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Exploit code, Hackers, Malware, Microsoft, Passwords, Patch Watch, Research, Responsible disclosure, Spyware and Adware, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Denial Of Service, Flaw, Microsoft Internet Explorer, Microsoft Corp., Bulletin, Web Browsers, Security, Internet, Ryan Naraine

Microsoft plans to ship 8 security bulletins next Tuesday (April 14, 2009) to fix remote code execution and denial of service vulnerabilities affecting Windows, Office and Internet Explorer.

According to the company’s Patch Tuesday advance notice, five of the bulletins will be rated “critical,” meaning they can be exploited by hackers to take complete control of Windows machines.

[ SEE: Microsoft issues Safari-to-IE blended threat warning ]

I’ve been given a heads-up that one of the Internet Explorer vulnerabilities being fixed is the musty old Safari-to-IE carpet bombing blended threat that combined flaws in two browsers into a code execution attack.

The IE flaw was originally discovered and reported by Aviv Raff back in November 2006 (more than two years ago!) but was ignored by Microsoft until the Safari carpet-bombing bug emerged to show how a combo-attack could lead to complete PC takeover.

[ SEE: Why Apple must fix Safari 'carpet bombing' flaw immediately ]

I’m told Microsoft will actually issue two separate bulletins on this issue — one with a patch that changes several calls to LoadLibrary and SearchPath in Internet Explorer to stop the browser from attempting to load libraries directly from the desktop.

Microsoft will also push out additional defense-in-depth protections and a new API to further limit the damage from such attacks, but because of application compatibility issues the protections will NOT be enabled by default.
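The fix described above comes down to where a library name is allowed to resolve: a path search that consults an untrusted location (such as the desktop) before the system directory will happily pick up whatever file landed there. The following is an added illustration, not code from the post or from Microsoft, and it does not call the Windows API at all; it models the search order with ordinary directories in a temporary folder. The directory names, the `helper.dll` file name and the helper functions are all constructed for the example.

```python
"""Model of the library search-order problem behind the Safari-to-IE fix.

Added example: simulates a path-search load against a constructed directory
layout and contrasts it with a resolver that only consults trusted
directories and refuses names that carry path components.
"""
import tempfile
from pathlib import Path


def resolve_legacy(name, search_order):
    """Mimic a search-path load: the first directory in search_order that
    contains `name` wins, no matter what that directory is."""
    for directory in search_order:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def resolve_hardened(name, trusted_dirs):
    """Only consult trusted directories, and reject anything that is not a
    bare file name so the caller cannot steer the lookup elsewhere."""
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        raise ValueError("library name must be a bare file name")
    for directory in trusted_dirs:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def is_trusted_location(resolved, trusted_dirs):
    """Audit check: does a resolved library path live under a trusted
    directory?  Useful for flagging loads from user-writable locations."""
    resolved = Path(resolved).resolve()
    return any(Path(d).resolve() in resolved.parents for d in trusted_dirs)


def build_layout():
    """Construct a throwaway layout: a 'system32' directory and a 'Desktop'
    directory, each holding a file with the same name (constructed data)."""
    root = Path(tempfile.mkdtemp())
    system = root / "system32"
    desktop = root / "Desktop"
    system.mkdir()
    desktop.mkdir()
    (system / "helper.dll").write_bytes(b"trusted")
    (desktop / "helper.dll").write_bytes(b"untrusted")  # simply dropped there
    return system, desktop


def demo():
    """Resolve the same name both ways and report which directory won."""
    system, desktop = build_layout()
    # Legacy order in this model: the desktop is searched before system32.
    legacy = resolve_legacy("helper.dll", [desktop, system])
    hardened = resolve_hardened("helper.dll", [system])
    return {
        "legacy": legacy.parent.name,
        "legacy_trusted": is_trusted_location(legacy, [system]),
        "hardened": hardened.parent.name,
        "hardened_trusted": is_trusted_location(hardened, [system]),
    }


if __name__ == "__main__":
    print(demo())
```

The legacy resolver returns the desktop copy because it simply takes the first hit in search order; the hardened resolver never looks there, and the audit helper shows how a load from a user-writable directory can be flagged after the fact.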

In addition to the high-priority IE bulletin, next Tuesday’s patch batch will include five different Windows bulletins (four rated critical), a solitary Microsoft Excel update (critical), and an ISA denial-of-service issue that Microsoft rates as “important.”

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Talkback (most recent of 34)

I didn't get any critical updates!
I just installed my Patch Tuesday patches and none was listed as "critical". I had 9 important and 2 recommended. On checking my update history, for Vista Business, I see that not a single update (out... (Read the rest)
Posted by: jonrichco, 04/14/09 (Edited: 04/14/09 @ 02:24)
