OK, so yesterday’s Patch Tuesday does the deed for June. It’s a monster: 10 security bulletins addressing 31 vulnerabilities, covering most versions of Windows itself, IE, and various MS Office and related elements (Works, Word, and Excel). Even the Windows Print Spooler and OS Kernel get in on the act!
Of the 10 bulletins issued, half (5) are critical, and fill some gaping, widely known holes in MS security. Chief among these: the dual WebDAV gotchas for IIS publicized in May (explained in this Ryan Naraine blog from 5/19) and the infamous Pwn2Own vulnerability discovered in March at the CanSecWest conference in Vancouver.

| Bulletin | Severity | Affected component | Summary |
|---|---|---|---|
| MS09-018 | Critical | Active Directory, Server 2000/2003 | 2 remote code execution items |
| MS09-019 | Critical | IE versions 5-8 | 8 vulnerabilities, including remote code execution items |
| MS09-020 | Important | IIS | 2 vulnerabilities allowing elevation of privilege |
| MS09-021 | Critical | MS Excel | 7 vulnerabilities, including remote code execution |
| MS09-022 | Critical | Windows Print Spooler | 3 vulnerabilities, including remote code execution (Windows |
| MS09-023 | Moderate | Windows Search | Single vulnerability could allow info disclosure |
| MS09-024 | Critical | Microsoft Works converter | Could allow remote code execution |
| MS09-025 | Important | Windows kernel | 4 vulnerabilities that could allow elevation of privilege |
| MS09-026 | Important | RPC | Could allow execution of arbitrary code or takeover |
| MS09-027 | Critical | MS Word | 2 vulnerabilities could allow remote code execution |