Microsoft’s batch of security patches for March 2009 has been released with fixes for 8 vulnerabilities in the Windows operating system.
In all, the Redmond, Wash. software maker shipped three bulletins, one rated “critical,” the company’s highest severity rating. Here are the raw details:
MS09-006 (CRITICAL): Provides cover for three newly discovered and privately reported vulnerabilities in Windows, which could allow remote code execution if a user viewed a specially crafted EMF or WMF image file from an affected system. These vulnerabilities affect all versions of Windows, including Vista and Windows Server 2008. Microsoft expects to see exploit code for these flaws but reckons the reliability will be “inconsistent.”
MS09-007 (IMPORTANT): This bulletin includes a patch for a solitary vulnerability in Windows, which could allow spoofing if an attacker gains access to the certificate used by the end user for authentication. Again, Microsoft says “inconsistent exploit code” is likely. The bulletin is available for all versions of Windows — Windows 2000 through Windows Server 2008.
MS09-008 (IMPORTANT): This update resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Windows, which could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s own systems. Microsoft says the patches correct the way that Windows DNS servers cache and validate queries, and modify the way that Windows DNS servers and Windows WINS servers handle WPAD and ISATAP registration. For these issues, Microsoft warns that “consistent exploit code” is likely.
On Microsoft’s TechNet, Windows users can find all the information on affected operating systems, vulnerability details and workarounds/mitigations.
More coverage at Techmeme.