Big patch day for Excel

Posted: 12 November 2009 by Anton Chuiko

What initially seemed to be a calm patch day turned out to be a big day of patches, especially for users of Excel. The six announced packages remove a total of 15 security vulnerabilities in Microsoft Office and Windows. Many of them are classified as critical and rated 1 on the exploitability index, which means that the appearance of exploits for these vulnerabilities is highly unlikely.


Issues

Security bulletin MS09-067 alone describes 8 security problems in Excel. For three of the gaps, experts consider the emergence of stable exploits possible. The problems affect Office XP, 2003, 2007 and Office for Mac. Using Excel Viewer does not protect against them, because it is also vulnerable. The same goes for the Word vulnerability (MS09-068), where the viewer is likewise exposed. As usual, Microsoft did not place the Office gaps in the highest threat category, because for an attack to succeed a user must first open a crafted document.

Of the three vulnerabilities in drivers operating in Windows kernel mode, which are described in bulletin MS09-065, the most noteworthy is an error in processing malformed Embedded OpenType (EOT) fonts. In Windows XP and Server 2003, an attacker can use documents or web pages that contain this type of font to smuggle in and execute arbitrary code. The two remaining gaps only allow elevation of privileges.

Only Vista and Server 2008 are affected by a vulnerability in the interface designed to communicate with devices such as printers, cameras and PDAs (MS09-063). The Web Services on Devices API (WSDAPI), which listens on TCP ports 5357 and 5358, does not handle headers correctly. The service is reachable under all Windows Firewall profiles except the one intended for public networks. A potential attacker must therefore be inside the corporate or home network to carry out the attack. Additionally, this vulnerability can also be exploited through the response to outgoing calls from the system.

MS09-066 reports a further error in LSASS through which attackers can compromise Windows XP and Server 2000/2003/2008. The update in bulletin MS09-064 removes a critical error in the License Logging Server of Windows 2000 Server.

Solution

Installing updates eliminates the problems described.

It is worth noting that this time all the vulnerabilities found by external experts were first reported to Microsoft. In addition, the latest version of Windows is not in any way affected by these vulnerabilities, which is obviously open to different interpretations. Users should install the updates as soon as possible, preferably via Microsoft's automatic update service, which for some time has also supported Office users.


 