June 2009 Bulletin Release

Summary of Microsoft’s monthly security bulletin release for June 2009.

Today we released 10 new security bulletins. 6 of those affect Windows with two rated as critical, three rated as important and one as moderate. The remaining four all have an aggregate rating of critical and affect Internet Explorer, Microsoft Office Word, Microsoft Office Excel and Microsoft Works Converters.

In addition to these new bulletins, we are releasing the remaining updates for MS09-017 which now includes updates for Microsoft Office for Mac (versions 2004 and 2008) and Microsoft Works 8.5 and 9.0. You may recall that we released this bulletin last month with updates only for versions of PowerPoint that run on Windows. Please refer to last month’s bulletin blog post for more information.

This month we are also releasing two security advisories. The first advisory, 969898, is for a new set of ActiveX kill bits. The list of kill bits in this rollup includes an update for Microsoft Visual Basic 6.0 SP6, and ActiveX controls developed by Microgaming, eBay, and HP (click the company names to view their security release for these kill bits).

The second advisory, 971888, is providing a non-security update for DNS devolution. While this is a non-security update, it changes the security configuration of systems it is applied to and that is why we are releasing it with an advisory. This advisory is also related to the WPAD issue for which we originally released Security Advisory 945731 and subsequently Security Bulletin MS09-008. With the release of this new advisory, we are closing out Security Advisory 945731. Security Advisory 971888 and the associated KB article go in to detail on DNS devolution and how the update changes the configuration. If you have any follow up questions, our live webcast tomorrow would be a great place to ask them.

Concerning open advisories going in to this month, with the release of MS09-020, Security Advisory 971492, which discusses an issue with Internet Information Services, specifically in WebDAV, is now closed. And, as we noted in our Advance Notification (ANS) blog post last week, we do not yet have an update ready for the DirectShow vulnerability discussed in Security Advisory 971778. Our security teams are working hard on this issue but the update has to meet the right quality bar before we can release it. We continue to monitor the threat landscape through our Software Security Incident Response Process (SSIRP), and will provide updates to the advisory if needed. We continue to encourage customers to review the mitigations and workarounds in the advisory and check out the “Fix It For Me” solution in Knowledgebase Article 971778. Additionally, please refer to these blog posts for more information on this issue:

On the Anti-Malware front, the Microsoft Malware Protection Center (MMPC) has added one new malware family: Win32/InternetAntivirus which is a fake online scanner that leads to a rogue downloader. For details, please refer to the MMPC Blog.

In the video below, Adrian Stone from the Microsoft Security Response Center (MSRC) and I go in to a little more detail on issues customers should be thinking about when considering the deployment of this month’s updates.

Get Microsoft Silverlight More viewing and listening options:

This month’s release addresses 31 total vulnerabilities with 15 rated as “1” on our Exploitability Index, meaning there is a high likelihood that reliable exploit code may be developed in the next 30 days.

Some of these vulnerabilities are already publicly known. For example, CVE-2009-1532 addresses the first IE 8 vulnerability. This vulnerability in a pre-release version of IE 8 was first revealed in March 2009 at CanSecWest in the Pwn2Own contest. In the final release, a mitigation was put in to place to protect against ASLR+DEP .NET bypass used in the contest, so right now, there is no known way to attack this issue in the default configuration of IE 8 on Windows Vista (see the write up in our Security Research & Defense blog for details). Regardless, MS09-019 addresses the underlying vulnerability which is rated as Critical on Windows XP and Windows Vista but due to IE 8’s built in mitigations, it only rates as a “3” for Windows Vista on the Exploitability Index while Windows XP is rated as “1”.

The IE 8 vulnerability does not affect Windows 7 RC (build 7100) but does affect Windows 7 Beta. Updates for beta versions of Windows 7 will be available via KB969897.

Customers running Windows 2000 domains should pay particular attention to MS09-018 as CVE-2009-1138 affects Windows 2000 domain controllers and LDAP server. This is a remote code execution vulnerability that is reachable over the network. While this vulnerability was privately disclosed, we give it a “1” on the Exploitability Index.Finally, the three Office related updates (Excel, Word and Works Converters) all have an aggregate severity rating of Critical due to the Office 2000 platform. All other affected platforms are rated as Important. If you are still on the Office 2000 platform, please note that it reaches the end of its product lifecycle on July 14, 2009. That is the last day we would release security updates for Office 2000 if there are any to release at that time.

As always, check the Security Research and Defense blog for additional technical information on these updates.  If you have questions or would like more information about this month’s release, please plan to attend our regularly scheduled security bulletin webcast tomorrow, Wednesday, June 10, 2009, at 11:00 a.m. PDT (UTC –7). Click HERE to register


Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*

May 10, 2009: Updated to correct third party ActiveX control company names.