MS-DEFCON 2: Eight Security Bulletins are out
April’s Black Tuesday has come and gone, and we have eight new Security Bulletins to watch.
MS09-009 / KB 968557 is the promised patch for the 0day hole in Excel that I first wrote about on February 25. The hole is considered “critical” for Excel 2000, but only “important” for other versions of Excel because in order to get zapped you have to click through a warning dialog. There’s no big rush for home users to apply the patch because attacks, to date, have been focused on a small number of companies. Besides, you’re using Office XP, 2003 or 2007, aren’t you? I’ll be watching this one closely, though, because it could spread.
MS09-010 / KB 960477 is a strange one because it covers the Office text converters (and, of all things, Wordpad). There’s a detailed explanation on the MS Security Research & Defense blog, but it all boils down to a bug in the converter that allows you to open old document formats in Word. If you get a file that was saved in Word 6 or Word 97 doc format, it could be infected. (And, no, there’s no way to tell by looking at the file name if it’s an oldie.) You could also get infected by opening a Word Perfect, RTF, HTML or Works file in Word. Note that the hole exists in the converter itself – it doesn’t matter if you have Word rigged to block macros. The fact that you can get infected by using Wordpad speaks volumes. This is an old, old known hole that Microsoft acknowledged four months ago.
MS09-011 / KB 961373 is an obscure DirectX bug that can kick in when you play a bad AVI file. No known exploits as yet.
MS09-012 / KB 959454 resolves the “Token Kidnapping” hole in Windows that Microsoft acknowledged in KB 951306 more than a year ago.
MS09-013 / KB 960803 fixes three separate bugs that are not common in a home environment. Microsoft says the problem appears when “a client-side application uses WinHTTP to generate a network-based request to a malicious server. The malicious server responds with a malformed request causing either a client-side application crash or code execution.”
MS09-014 / KB 963027 is another monster Internet Explorer patch, covering at least a half dozen different security holes. You will need it eventually if you have Internet Explorer 6 or 7 installed. If you’ve already upgraded to IE 8, you’re covered.
MS09-015 / KB 959426 fixes a hole (and adds a new low-level function to Windows) that involves the sequence in which Windows searches for files. Ho-hum.
MS09-016 / KB 961759 is yet another fix for ISA, the Internet server package. If you run ISA, you already know it. Chances are good you don’t, and you can ignore this patch.
I’ll keep you posted. In the interim, we remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.