Microsoft plugged 31 vulnerabilities June 9 in a hefty Patch Tuesday update.
In all, Microsoft released 10 security bulletins. Six of them are critical and address problems in Microsoft Word, Excel, Windows, Internet Explorer and Microsoft Works converters.
One of the most serious of the bulletins fixes eight Internet Explorer vulnerabilities, including one affecting IE 8 that was exploited at the CanSecWest conference. The most severe of the eight bugs can be exploited to allow remote code execution if a user visits a malicious Web page. In addition to being rated critical, the bulletin also received a “1” on Microsoft’s exploitability index, meaning that reliable exploit code is likely.
“If you’re running IE 8 on Windows XP or are concerned about intranet-based attacks, I would highly recommend putting this update on your high-priority ‘to do’ list,” Terri Forslof, TippingPoint’s manager of security response, said in a statement.
Two of the bulletins swat critical bugs in Microsoft Windows. MS09-018 fixes two vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003 and ADAM (Active Directory Application Mode) when installed on Windows XP Professional and Windows Server 2003. The other critical Windows bulletin affects Windows Print Spooler and addresses three bugs. The most serious of the vulnerabilities could allow a hacker to execute code remotely via a specially crafted RPC (remote procedure call) request.
The Microsoft Word and Excel bulletins each resolve a number of remote code execution vulnerabilities, while MS08-024 deals with a single issue in the Microsoft Works converters. The four noncritical bulletins include fixes for escalation-of-privilege issues in the Windows kernel, the WebDAV vulnerabilities Microsoft warned users about in May, a vulnerability in Windows Search and a bug in the Windows RPC facility.
Microsoft also released an update for Office for Mac and Microsoft Works to cover a PowerPoint vulnerability.
Qualys CTO Wolfgang Kandek said the Active Directory vulnerabilities patched in MS09-018 are the most urgent on the server side, while administrators will have their hands full with a number of critical bugs affecting everything from Windows to Excel.
“June’s Patch Tuesday is generating a major workload for IT administrators,” Kandek said.