Across a range of products

Jun 10, 2009 13:04 GMT

On June 9th, as an integral part of its monthly patch cycle, Microsoft made available no less than 10 security bulletins resolving 31 vulnerabilities across a range of products. Out of the 10 patch packages, no less than six impact releases of Windows client and server operating systems. Microsoft also issued a cumulative security bulletin for Internet Explorer, and updates for Office Word, Office Excel and the Works Converters. Two of the bulletins for Windows are rated as Critical, three have been deemed Important and the remaining one just Moderate. The rest of the security update packages all received the maximum severity rating of Critical.

What is indeed critical to note is that Microsoft considers it highly likely that attackers will write exploit code in the next 30 days for 15 of the vulnerabilities patched with the June 2009 security updates. As a direct consequence, all 15 security flaws have received the maximum Exploitability Index score of 1. Among the group of vulnerabilities that received the top Exploitability Index rating are holes that have already been disclosed to the public. Details on no less than five vulnerabilities are available in the wild, making it easier for potential attackers to produce exploit code.

Users should not hesitate to deploy the security updates released by Microsoft on June 9th as soon as possible. With this month's security bulletins, the software giant is delivering new updates for MS09-017, patching Office for Mac (2004 and 2008) and Microsoft Works 8.5 and 9.0. In addition, the company has fixed the WebDAV vulnerability in Internet Information Services detailed in Security Advisory 971492, with MS09-020. Microsoft also patched the first vulnerability in Internet Explorer 8 with MS09-019. A Critical security flaw affecting Windows 2000 domain controllers and the LDAP server was dealt with in MS09-018.

Christopher Budd, security response communications lead for Microsoft, enumerated all the security bulletins issued on June 9th:

MS09-018 (Maximum severity of Critical): This update resolves two newly discovered and privately reported vulnerabilities in Windows, which could allow remote code execution. This update received an aggregated rating of 1 from Microsoft’s Exploitability Index.

MS09-019 (Maximum severity of Critical): This update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer, which could allow remote code execution. This update received an aggregated rating of 1 from Microsoft’s Exploitability Index.

MS09-020 (Maximum severity of Important): This update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS), which could allow an elevation of privilege. This update received an aggregated rating of 1 from Microsoft’s Exploitability Index.

MS09-021 (Maximum severity of Critical): This update resolves seven privately reported vulnerabilities in Microsoft Office Excel, which could allow remote code execution. This bulletin is rated Critical for Microsoft Office 2000 only and Important for all subsequent versions. This update received an aggregated rating of 1 from Microsoft’s Exploitability Index.

MS09-022 (Maximum severity of Critical): This update resolves three privately reported vulnerabilities in Windows Print Spooler, which could allow remote code execution. This update received an aggregated rating of 1 from Microsoft’s Exploitability Index.

MS09-023 (Maximum severity of Moderate): This update resolves a privately reported vulnerability in Windows Search, which could allow information disclosure. This update received a rating of 3 from Microsoft’s Exploitability Index.

MS09-024 (Maximum severity of Critical): This update resolves a privately reported vulnerability in the Microsoft Works converters, which could allow remote code execution. This bulletin is rated Critical for Microsoft Office 2000 only and Important for all subsequent versions. This update received a rating of 1 from Microsoft’s Exploitability Index.

MS09-025 (Maximum severity of Important): This update resolves two publicly disclosed and two privately reported vulnerabilities in the Windows kernel, which could allow remote code execution. This update received an aggregated rating of 1 from Microsoft’s Exploitability Index.

MS09-026 (Maximum severity of Important): This update resolves a publicly disclosed vulnerability in the remote procedure call (RPC) facility, which could allow an attacker to execute arbitrary code and take complete control of an affected system. This update received a rating of 2 from Microsoft’s Exploitability Index.

MS09-027 (Maximum severity of Critical): This update resolves two privately reported vulnerabilities in Microsoft Office Word, which could allow remote code execution. This bulletin is rated Critical for Microsoft Office 2000 only and Important for all subsequent versions. This update received an aggregated rating of 1 from Microsoft’s Exploitability Index.