Stephen Withers
Wednesday, 15 April 2009 06:57
The other software components covered by April's bulletins are Windows HTTP Services, DirectShow (triggered by maliciously crafted MJPEG files), Internet Explorer and SearchPath.
A Microsoft official said the SearchPath bulletin finally addresses the 'carpet bombing' flaw affecting Apple's Safari browser and Windows. If a web server delivers a file that Safari can't handle or pass to another application, it saves it in whichever folder is specified to receive downloaded files. Unlike other browsers, Safari doesn't give the user an opportunity to reject the file.
Of itself, that is not a problem. It becomes a problem when a user double-clicks the malicious item (especially likely if the download destination is the Desktop), or if another vulnerability is used to trigger execution of the downloaded item.
Three other bulletins also cover issues that have previously been the subject of security advisories, some of them dating back to 2008. Microsoft's explanation for the delay is that updates are not released until they meet quality and compatibility standards.
Some bulletins are rated critical even on Vista and Server 2008. For example, the HTTP Services issue can allow remote code execution and Microsoft warns that there are multiple attack vectors and opportunities for exploitation.
The vulnerabilities in ISA and the Forefront Threat Management Gateway (Medium Business Edition) are rated 'important'. They could be used in denial of service attacks, and Microsoft warns that information disclosure is possible. However, it is "highly improbable" that the flaws could be used to cause the execution of remote code, according to Microsoft officials.
Microsoft has also updated the Malicious Software Removal Tool and the Windows Mail Junk E-mail Filter.