Prioritizing the deployment of the April security bulletins

We just released eight security bulletins, five of which are rated Critical on at least one platform. We built a reference table of bulletin severity rating, exploitability index rating, and attack vectors. This table is sorted first by bulletin severity, next by exploitability index rating, and then by bulletin number. We hope it helps you decide which bulletins to prioritize and test first if you can’t deploy them all immediately.

| Bulletin | Highest bulletin severity | Highest Exploitability Index rating | Any vulnerabilities publicly known? | Attack vector for code execution / Notes |
|---|---|---|---|---|
| MS09-009 | Critical | High (1) | Yes, CVE-2009-0238 known to be exploited already. | XLS file attached to email or posted on a website. These vulnerabilities are critical only on Office 2000. Other versions of Office force the user to click through a prompt, reducing severity to Important. |
| MS09-010 | Critical | High (1) | Yes, CVE-2009-0235 known to be exploited already. | RTF, WRI, or DOC file attached to email or posted on a website. Blog entry with more details about Converter Attack Surface here. |
| MS09-013 | Critical | High (1) | Yes, exploit tools are publicly available for CVE-2009-0550 (SMBRelay). However, this CVE is Important, not Critical. | The attack vector for the Critical CVE is a client-side application that uses WinHTTP to generate a network-based request to a malicious server. The malicious server responds with a malformed request causing either a client-side application crash or code execution in the context of the user running the application. Internet Explorer does not use WinHTTP. |
| MS09-014 | Critical | High (1) | Yes, CVE-2008-2540 is known externally. However, it is rated “Moderate”. This bulletin also addresses a portion of CVE-2009-0550, mentioned above. | The attack vector for the Critical CVEs would be Internet Explorer connecting to a malicious website. You can read more about how we fixed the public CVE-2008-2540 (Safari Carpet Bombing) here. |
| MS09-011 | Critical | Medium (2) | No. | AVI file attached to email or webpage pointing you at an AVI file. |
| MS09-012 | Important | High (1) | Yes, exploit tool publicly available. | After an attacker compromises an IIS-hosted web application, they could use these vulnerabilities to escalate to SYSTEM. You can read more about how we fixed this vulnerability here. |
| MS09-016 | Important | Low (3) | Yes, limited details of this vulnerability are known externally. | No threat of code execution. |
| MS09-015 | Moderate | Medium (2) | Yes. | No known attack vector. |

We would be happy to answer any questions you have about these bulletins. You can contact us at switech _AT_ We will also be on the monthly MSRC webcast that describes the bulletins and answers questions live “on air”. You can find instructions to attend that webcast on the MSRC blog.

Update April 15: Revised MS09-015 max exploitability index rating to “2”.  Thanks reader Wandile for pointing out the inconsistency.

– Jonathan Ness, SRD blogger

*Postings are provided “AS IS” with no warranties, and confers no rights.*