Sophos

Download Windows 7 security - A great leap forward or business as usual?

April 2009 Microsoft Security Bulletins

March seems to have been a busy month for our colleagues at the Microsoft Security Response Center, and the hard work resulted in 8 new security bulletins, of which five have received the rating Critical. Several of the vulnerabilities have the potential to be exploited by malware writers, the usual suspects being Internet Explorer JavaScript handling, described in MS09-014, and the Excel OLE2 compound document parser, described in MS09-009.

A relatively uncommon target is WordPad, covered by MS09-010, but the April bulletins fix several vulnerabilities in the WordPad and Office text converters that ship with Windows and handle various file format conversions. MS09-011 fixes a vulnerability in decoding the Motion JPEG (M-JPEG) file format, which stores moving images as a sequence of JPEG files. An attacker may create a malicious M-JPEG file and entice the user to open it with a vulnerable version of a media player that uses the Microsoft DirectShow multimedia framework.

The list concludes with vulnerabilities in the Windows HTTP service, described in MS09-013, which may allow an attacker to remotely launch code on the victim's system if they manage to set up a web server that uses a malicious form of chunked response encoding.

As always, we have written our initial analyses of newly disclosed vulnerabilities and we will be updating them with new information as it becomes available.

