Microsoft Patch Tuesday Bottomline – May 2009

Microsoft’s May Security Bulletin contains a single advisory for PowerPoint in Microsoft Office (MS09-017). It addresses 14 distinct vulnerabilities, including the 0-day vulnerability that was identified in the beginning of April 2009. While the vulnerabilities rank only as important on most versions of Microsoft Office, they all categorized as "remote code execution" and have a low exploitability index, meaning exploits are relatively easy to write and can be expected to be used soon in attacks.

One of the mentioned workarounds for CVE-2009-0556 , the 0-day vulnerability patched in this advisory is installing MOICE (KB937696). MOICE stands for "Microsoft Office Isolated Conversion Environment," a toolset that sanitizes Office documents when opened through browsing and email by removing potentially dangerous code. It has been available since May 2007 and is cited as a work-around in eight of Microsoft’s 78 advisories in 2008. MOICE is an interesting tool, used to reduce the risk produced by the increasing number of file format vulnerabilities. Its limitation is that it only works with Office 2003 and 2007; Office 2000 and Office XP are not supported.

In addition to the Microsoft patches both Adobe and Apple released their equivalent of "Patch Tuesday" advisories. Adobe fixed a recent critical 0-day vulnerability in their Acrobat and Reader product lines. Compared to their February patch for a known 0-day, this time around they reacted much faster and published patches for Windows, Mac OS X and Unix simultaneously. Adobe software is widely installed and according to statistics from F-Secure PDF based file exploits are on the rise – 49% for the first 4 months of 2009 compared to 28% in 2008.

Apple’s patches address a variety of critical issues in OS X and the Safari browser. The advisory for OS X addresses over 40 vulnerabilities and the Safari advisory applies to both OS X and Windows.

References:

• Qualys Security Alert