
15 September 2009

Microsoft Security Bulletins for June 2009

Contrary to speculation in the security community, last month's single security bulletin appears to have been an aberration rather than a sign that the patch burden for Microsoft products is diminishing. The ten bulletins released in June are more in line with the historical monthly count: six address vulnerabilities in core Windows components, one in Internet Explorer and three in Microsoft Office.

It is notable that four of the ten bulletins address vulnerabilities that were publicly disclosed before a patch was available: one in Internet Explorer, one in RPC, two in the Windows kernel and one in IIS, five in all. Microsoft's fix for last month's IIS zero-day arrived faster than expected, but the DirectShow QuickTime parser vulnerability that became public on May 28 remains unpatched at the time of writing.

Tas Giakouminakis from Rapid7 said that "We've seen the patch window for Microsoft vulnerabilities shrink to the point where vulnerabilities are being exploited on the day the patches are released or even prior to that."

The Active Directory vulnerability (MS09-018) had the potential to be devastating in enterprise environments because it affects domain controllers, but fortunately it is rated critical only on Windows 2000. On Windows Server 2003 the same flaw leads only to a denial of service.

Of more concern are the three print spooler vulnerabilities in MS09-022. One is a critical remote code execution flaw on Windows 2000; the other two allow an authenticated user to elevate privileges and affect all supported versions of Windows.

Tas Giakouminakis from Rapid7 said that "The large number of vulnerabilities to be patched in June shows that attackers are not slowing down and the opportunities for them to infiltrate customer networks are increasing. The never-ending stream of Microsoft security bulletins highlights the need for proper patch cycle management and intrusion detection policies in all enterprises."
