Microsoft’s Security bulletin for April brought a total of 8 advisories covering 23 (21 distinct, 2 are covered in multiple advisories) vulnerabilities in Windows and Office. The most interesting part of the bulletin is the elevated number of vulnerabilities that have known exploits. 6 vulnerabilities have already been used by attackers and 4 have a proof of concept or attack plan published. For IT administrators this means that their window to patch is rapidly shrinking, when before weeks were an acceptable timeframe, now days seems more adequate.
The most urgent patches to apply are the advisories that have working exploits – MS09-009 for Office/Excel, MS09-010 for Windows/Office and MS09-012 for Windows. Microsoft’s Internet Explorer cumulative patch MS09-014 has proof of concept code available for at least one its covered vulnerabilities and thus has a high exploitability index of 1 (consistent exploit code likely). All, but MS09-012 are rated as critical on all of Microsoft’s operating systems, meaning that the attacker can gain complete control over the affected systems and apply even to Microsoft newer OS versions such as Vista and Server 2008.
Users who have updated already to Internet Explorer 8 are not affected by MS09-014, another indicator of the significant amount of work Microsoft has invested into this new browser and an incentive to move towards that version of IE as quickly as possible.
The vulnerability addressed by MS09-016 is the only one that is remotely exploitable. It affects Microsoft’s ISA product used in securing and proxying companies' internet connections. As it is limited to a denial of service condition it was rated as Important. Further its exploitability index has the lowest value of 3 (Functioning exploit code unlikely), meaning that it is difficult to write a successful and consistent exploit