April 14, 2009, 8:28 PM — Microsoft's Patch Tuesday arrived with a nasty twist, as six of the 23 vulnerabilities spread among the eight patches are already being threatened by exploit code in the wild.
Experts say zero-day exploits exist for vulnerabilities addressed in MS09-009, MS09-010 and MS09-012. Only the MS09-012 patch is not rated as critical. All three patches contain the fixes to thwart the exploits. (Check the list of affected software by patch number).
Patches MS09-013 and MS09-014, both rated critical, address three vulnerabilities for which exploit tools are publicly available. Both protect against a credential reflection attack that has been a lingering problem.
And attack details are available for vulnerabilities fixed by MS09-015, which is rated moderate and affects Windows and Windows Server versions.
"That window where you had the luxury of not patching, that is shrinking fast," says Wolfgang Kandek, CTO of Qualys. "Here the window is zero for some of these vulnerabilities, and where the exploit code is public it will not take hackers long to get code out there."
Kandek says Qualys is seeing people getting more "professional" with their attacks. "It is not the hobbyists anymore, there are some real research teams spending resources on this, analyzing code and putting out exploits."
His forecast is for the attacks to get worse and faster. He says hackers are creating code designed to avoid detection, as evidenced with Conficker.
"We see Conficker as the new standard," Kandek says. "As hacking becomes more professional these intrusions or exploits will become more silent, they will not call too much attention to themselves so they can steal identities, send out some spam or launch a [denail of service] attack." In Conficker's case, it also tricks the user into thinking their system is patched.
MS09-009 addresses vulnerabilities in Excel that were identified two months ago by Microsoft. MS09-010 addresses vulnerabilities in WordPad and Office Text Converters, and MS09-012 addresses issues in Windows.
The MS09-013 critical patch fixes problems with the Windows HTTP Service and MS09-014 is a cumulative security update for Internet Explorer.
The other patches released Tuesday were MS09-011, which was rated critical and fixes an issue with DirectX. MS09-016 is rated important and addresses DoS issues in Microsoft ISA Server and Forefront Threat Management Gateway, Medium Business Edition.
Despite the zero-day issues, some experts say there is a positive spin on Tuesday's patch release in that Microsoft has gone back and addressed lingering issues.
"Twelve, 13, 14 and 15 are addressing some outstanding issues Microsoft has had for years," says Eric Schultze, CTO at Shavlik Technologies. "It is kind of like they are doing spring cleaning, fixing lots of open issues. They got the Excel and Wordpad issues knocked off."
Follow John on Twitter: twitter:com/johnfontana
