
SANS ISC InfoSec Handlers Diary Blog


April Black Tuesday Overview

Published: 2009-04-14
Last Updated: 2009-04-15 02:14:16 UTC
by Swa Frantzen (Version: 2)

Overview of the April 2009 Microsoft patches and their status.

| # | Affected | Description | CVE | Contra Indications (KB) | Known Exploits | Microsoft rating | ISC rating(*) clients | ISC rating(*) servers |
|---|---|---|---|---|---|---|---|---|
| MS09-009 | Excel | Multiple memory corruption vulnerabilities allow random code execution. Also affects Excel Viewer and the Mac OS X versions of Microsoft Office. Replaces MS08-074. | CVE-2009-0100, CVE-2009-0238 | KB 968557 | Actively exploited | Severity: Critical; Exploitability: 2,1 | PATCH NOW | Important |
| MS09-010 | WordPad & Office converters | Multiple vulnerabilities allow random code execution. Replaces MS04-027. | CVE-2008-4841, CVE-2009-0087, CVE-2009-0088, CVE-2009-0235 | KB 960477 | Actively exploited. CVE-2008-4841 was SA960906. | Severity: Critical; Exploitability: 1,2,1,1 | PATCH NOW | Important |
| MS09-011 | DirectX | MJPEG (not to be confused with MPEG) input validation error allows random code execution. Replaces MS08-033. | CVE-2009-0084 | KB 961373 | No publicly known exploits | Severity: Critical; Exploitability: 2 | Critical | Important |
| MS09-012 | Windows | Multiple vulnerabilities allow privilege escalation and random code execution. Affects servers with IIS and SQL Server installed, and more. Replaces MS07-022, MS08-002 and MS08-064. | CVE-2008-1436, CVE-2009-0078, CVE-2009-0079, CVE-2009-0080 | KB 959454 | Actively exploited, exploit code publicly available. | Severity: Important; Exploitability: 1,1,1,1 | Important | Critical (**) |
| MS09-013 | HTTP services | Multiple vulnerabilities allow random code execution, spoofing of HTTPS certificates and NTLM credential reflection. Related to MS09-014 (below). | CVE-2009-0086, CVE-2009-0089, CVE-2009-0550 | KB 960803 | Exploit is publicly known. | Severity: Critical; Exploitability: 1,1,1 | Critical | Important |
| MS09-014 | IE | Cumulative MSIE patch. Replaces MS08-073, MS08-078 and MS09-002. Related to MS09-010, MS09-013 (above) and MS09-015 (below). | CVE-2008-2540, CVE-2009-0550, CVE-2009-0551, CVE-2009-0552, CVE-2009-0553, CVE-2009-0554 | KB 963027 | Exploit code publicly available | Severity: Critical; Exploitability: 3,1,2,3,3,1 | PATCH NOW | Important |
| MS09-015 | SearchPath | Update to make the system search for libraries first in the system directory by default, plus an API to change the order. Replaces MS07-035. Related to MS09-014 (above). | CVE-2008-2540 | KB 959426 | Attack method publicly known (SA953818) | Severity: Moderate; Exploitability: 2 | Important | Important |
| MS09-016 | ISA Server | Multiple input validation vulnerabilities allow a DoS and XSS. | CVE-2009-0077, CVE-2009-0237 | KB 961759 | CVE-2009-0077 is publicly known. | Severity: Important; Exploitability: 3,3 | N/A | Critical |
We will update issues on this page for about a week or so as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.
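As an added example (not part of this diary), the following PowerShell script checks a Windows host for the KB articles listed in the table above with Get-HotFix and reports each bulletin with the ISC rating that applies to the host's role. The bulletin, KB and rating values are copied from the table; the InQfe flag is an assumption about which updates Win32_QuickFixEngineering records (Windows component updates are listed there, Office and ISA Server patches normally are not), so for those bulletins the script points you to your Office/ISA update inventory instead of reporting them as missing.

```powershell
# Added example: verify the April 2009 bulletins on a host.
# Data below is taken from the ISC table; InQfe is an assumption about
# whether Get-HotFix (Win32_QuickFixEngineering) can see the update.
$bulletins = @(
    @{ Bulletin='MS09-009'; KB='KB968557'; Component='Excel';                      ClientRating='PATCH NOW'; ServerRating='Important'; InQfe=$false },
    @{ Bulletin='MS09-010'; KB='KB960477'; Component='WordPad & Office converters'; ClientRating='PATCH NOW'; ServerRating='Important'; InQfe=$false },
    @{ Bulletin='MS09-011'; KB='KB961373'; Component='DirectX';                    ClientRating='Critical';  ServerRating='Important'; InQfe=$true  },
    @{ Bulletin='MS09-012'; KB='KB959454'; Component='Windows';                    ClientRating='Important'; ServerRating='Critical';  InQfe=$true  },
    @{ Bulletin='MS09-013'; KB='KB960803'; Component='HTTP services';              ClientRating='Critical';  ServerRating='Important'; InQfe=$true  },
    @{ Bulletin='MS09-014'; KB='KB963027'; Component='IE';                         ClientRating='PATCH NOW'; ServerRating='Important'; InQfe=$true  },
    @{ Bulletin='MS09-015'; KB='KB959426'; Component='SearchPath';                 ClientRating='Important'; ServerRating='Important'; InQfe=$true  },
    @{ Bulletin='MS09-016'; KB='KB961759'; Component='ISA Server';                 ClientRating='N/A';       ServerRating='Critical';  InQfe=$false }
)

function Test-AprilBulletins {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Pick the ISC rating column that matches how the machine is used.
        [ValidateSet('client', 'server')][string]$Role = 'client'
    )

    # HotFixID values come back as e.g. "KB959426"; normalise case once.
    $installed = Get-HotFix -ComputerName $ComputerName |
                 ForEach-Object { $_.HotFixID.ToUpper() }

    foreach ($b in $bulletins) {
        $rating = if ($Role -eq 'server') { $b.ServerRating } else { $b.ClientRating }
        $status = if (-not $b.InQfe) {
                      'not visible via QFE - check Office/ISA update inventory'
                  } elseif ($installed -contains $b.KB.ToUpper()) {
                      'installed'
                  } else {
                      'MISSING'
                  }
        New-Object PSObject -Property @{
            Bulletin  = $b.Bulletin
            KB        = $b.KB
            Component = $b.Component
            ISCRating = $rating
            Status    = $status
        }
    }
}

# Usage: report for a server, missing patches first.
Test-AprilBulletins -Role server |
    Sort-Object Status -Descending |
    Format-Table Bulletin, KB, Component, ISCRating, Status -AutoSize
```

Remember the (**) footnote when reading the output for MS09-012: on a shared IIS installation the ISC server rating rises from Critical to PATCH NOW. A KB not appearing in the QFE list is a reason to look closer, not proof it is absent, since updates that were superseded or installed through other channels may be recorded differently.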
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume to be simple best practices for servers include not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): For shared IIS installations: upgrade this rating to PATCH NOW

--
Swa Frantzen -- Section 66
