TECHNICAL BULLETIN
T-250: Microsoft Patch Tuesday Reminder
[MS09-050 Thru MS09-062]
October 14, 2009 13:00 GMT
PROBLEM:
This bulletin lists Microsoft security bulletins and patches released for October 2009.

PLATFORM:
All Windows Operating Systems

ABSTRACT:
Microsoft has released patches for critical vulnerabilities in all
current versions of Windows. The bulletin contains links to the
individual Microsoft Knowledge Base articles.

LINKS:

DOE-CIRC BULLETIN:
http://www.doecirc.energy.gov/bulletins/t-250.shtml

OTHER LINKS:
Microsoft Oct. Bulletin Summary
http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx

CVE:
CVE-2009-2526,
CVE-2009-2532,
CVE-2009-3103,
CVE-2009-0555,
CVE-2009-2525,
CVE-2009-2527,
CVE-2009-2521,
CVE-2009-3023,
CVE-2009-1547,
CVE-2009-2529,
CVE-2009-2530,
CVE-2009-2531,
CVE-2009-2493,
CVE-2009-2510,
CVE-2009-2511,
CVE-2009-2507,
CVE-2009-2515,
CVE-2009-2516,
CVE-2009-2517,
CVE-2009-2524,
CVE-2009-0901,
CVE-2009-2493,
CVE-2009-2495,
CVE-2009-0090,
CVE-2009-0091,
CVE-2009-2497,
CVE-2009-2500,
CVE-2009-2501,
CVE-2009-2502,
CVE-2009-2503,
CVE-2009-2504,
CVE-2009-2518,
CVE-2009-2528,
CVE-2009-3126

IMPACT ASSESSMENT:
This risk is high. An attacker could execute arbitrary code or create denial
of service conditions depending on the vulnerability.

[***** Start MS09-050 Thru MS09-062 *****]
Discussion:
MS09-050 - Vulnerabilities in SMBv2 Could Allow Remote Code Execution
(CVE-2009-2526, CVE-2009-2532, and CVE-2009-3103)
SMBv2 Infinite Loop Vulnerability - A denial of service vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB version 2 (SMBv2) packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the Server service. An attacker who successfully exploited this vulnerability could cause the computer to stop responding until restarted. (CVE-2009-2526)
SMBv2 Command Value & Negotiation Vulnerability - An unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the Server service. An attacker who successfully exploited this vulnerability could take complete control of the system. (CVE-2009-2532 & CVE-2009-3103)
Vulnerable: Windows Vista SP1 and SP2 including x64 edition, Windows Server 2008 SP2 including x64 edition.
MS09-051 - Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution
(CVE-2009-0555 & CVE-2009-2525)
Windows Media Runtime Voice Sample Rate Vulnerability - A remote code execution vulnerability exists in Windows Media Player due to the improper processing of specially crafted Advanced Systems Format (ASF) files. An attacker could exploit the vulnerability by constructing a specially crafted audio file that could allow remote code execution when played using an affected version of Windows Media Player. An attacker who successfully exploited this vulnerability could take complete control of an affected system. (CVE-2009-0555)
Windows Media Runtime Heap Corruption Vulnerability - A remote code execution vulnerability exists in the way that Microsoft Windows Media Runtime handles certain functions in compressed audio files. This vulnerability could allow remote code execution if a user opened a specially crafted file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2009-2525)
Vulnerable: Windows 2000, Windows XP including x64 edition, Windows Server 2003 including x64 edition, Windows Vista including x64 edition, Windows Server 2008 including x64 edition.
MS09-052 - Vulnerability in Windows Media Player Could Allow Remote Code Execution
(CVE-2009-2527)
WMP Head Overflow Vulnerability - A remote code execution vulnerability exists in Windows Media Player 6.4. An attacker could exploit the vulnerability by constructing a specially crafted ASF file that could allow remote code execution when played using Windows Media Player 6.4. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Vulnerable: Windows 2000, Windows XP including x64 edition, Windows Server 2003 including x64 edition.
MS09-053 - Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution
(CVE-2009-2521 & CVE-2009-3023)
IIS FTP Service DoS Vulnerability - A vulnerability exists in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, Microsoft Internet Information Services (IIS) 6.0, and Microsoft Internet Information Services (IIS) 7.0. The vulnerability could allow denial of service (DoS). (CVE-2009-2521)
IIS FTP Service RCE and DoS Vulnerability - A vulnerability exists in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, and Microsoft Internet Information Services (IIS) 6.0. The vulnerability could allow remote code execution (RCE) on systems running FTP Service on IIS 5.0, or denial of service (DoS) on systems running FTP Service on IIS 5.1 or IIS 6.0. (CVE-2009-3023)
Vulnerable: All Windows Operating Systems that run IIS 5.0, 5.1, 6.0 or 7.0.
MS09-054 - Cumulative Security Update for Internet Explorer
(CVE-2009-1547, CVE-2009-2529, CVE-2009-2530, & CVE-2009-2531)
Data Stream Header Corruption Vulnerability - A remote code execution vulnerability exists in the way that Internet Explorer processes data stream headers in specific situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2009-1547)
HTML Component Handling Vulnerability - A remote code execution vulnerability exists in the way that Internet Explorer handles argument validation of a variable in specific situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2009-2529)
Uninitialized Memory Corruption Vulnerability - A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2009-2530 & CVE-2009-2531)
Vulnerable: All Microsoft operating systems running Windows Internet Explorer 8 and below.
MS09-055 - Cumulative Security Update of ActiveX Kill Bits
(CVE-2009-2493)
ATL COM Initialization Vulnerability - A remote code execution vulnerability exists in the Microsoft ActiveX controls listed in the FAQ section of this vulnerability, which were compiled using the vulnerable Microsoft Active Template Library described in Microsoft Security Bulletin MS09-035. An attacker could exploit the vulnerability in these controls by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. (CVE-2009-2493)
Vulnerable: All Microsoft operating systems.
MS09-056 - Vulnerabilities in Windows CryptoAPI Could Allow Spoofing
(CVE-2009-2510 & CVE-2009-2511)
Null Truncation in X.509 Common Name Vulnerability & Object Identifiers Vulnerability - A spoofing vulnerability exists in the Microsoft Windows CryptoAPI component when parsing ASN.1 information from X.509 certificates. An attacker who successfully exploited this vulnerability could impersonate another user or system. (CVE-2009-2510 & CVE-2009-2511)
Vulnerable: All Microsoft operating systems.
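The null-truncation class behind MS09-056, as an added example that is not part of the bulletin or of Microsoft's code: an X.509 commonName is a length-prefixed ASN.1 value and may carry a 0x00 byte, so a validator that copies it into a C string sees only the prefix. The block builds a constructed commonName attribute, extracts it with a minimal DER reader written here (not CryptoAPI), and checks it with a C-string-style comparison beside a full-length comparison that rejects the embedded NUL; all hostnames are constructed sample values.

```python
# Added example, not from the DOE-CIRC bulletin or Microsoft.
# Demonstrates why a certificate name check must honour the ASN.1 length
# rather than stopping at the first 0x00 byte (MS09-056, CVE-2009-2510).

CN_OID = bytes.fromhex("550403")  # OID 2.5.4.3 (commonName), DER content octets


def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV with a definite length; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_cn_attr(cn: bytes) -> bytes:
    """Constructed sample input: DER AttributeTypeAndValue { commonName, UTF8String cn }.
    Short-form lengths only, which is enough for test values under 126 bytes."""
    assert len(cn) < 126
    inner = b"\x06" + bytes([len(CN_OID)]) + CN_OID + b"\x0c" + bytes([len(cn)]) + cn
    return b"\x30" + bytes([len(inner)]) + inner


def extract_cn(attr: bytes) -> bytes:
    """Return the commonName value from a DER AttributeTypeAndValue SEQUENCE.
    The explicit length prefix means an embedded 0x00 byte is preserved."""
    tag, seq, _ = read_tlv(attr, 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag, oid, pos = read_tlv(seq, 0)
    assert tag == 0x06 and oid == CN_OID, "not a commonName attribute"
    _, value, _ = read_tlv(seq, pos)
    return value


def cn_as_c_string(cn: bytes) -> str:
    """Mimics a validator that treats the CN as a NUL-terminated C string:
    everything after the first 0x00 byte is silently dropped (the defect)."""
    end = cn.find(b"\x00")
    return (cn if end < 0 else cn[:end]).decode("ascii", errors="replace")


def truncating_match(cn: bytes, host: str) -> bool:
    """Vulnerable check: compares only the NUL-truncated prefix with the host."""
    return cn_as_c_string(cn).lower() == host.lower()


def strict_match(cn: bytes, host: str) -> bool:
    """Hardened check: full-length comparison, embedded NUL rejected outright."""
    if b"\x00" in cn:
        return False                        # never a legitimate DNS name
    try:
        name = cn.decode("ascii")           # hostnames are ASCII (IDNA-encoded)
    except UnicodeDecodeError:
        return False
    return name.lower() == host.lower()


def demo(host: str = "www.example.com"):
    """Constructed CN that only the truncating check accepts for `host`."""
    cn = extract_cn(build_cn_attr(b"www.example.com\x00.other.example"))
    return truncating_match(cn, host), strict_match(cn, host)   # (True, False)
```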
MS09-057 - Vulnerability in Indexing Service Could Allow Remote Code Execution
(CVE-2009-2507)
Memory Corruption in Indexing Service Vulnerability - A remote code execution vulnerability exists in the Indexing Service on Windows systems. The vulnerability is due to an ActiveX control included with the service not properly handling specifically crafted Web content. An attacker who successfully exploited this vulnerability could take complete control of an affected system. (CVE-2009-2507)
Vulnerable: Microsoft Windows 2000, Microsoft Windows XP including x64 edition, Microsoft Windows Server 2003 including x64 edition and for Itanium-based systems.
MS09-058 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
(CVE-2009-2515 thru CVE-2009-2517)
Windows Kernel Integer Underflow Vulnerability - An elevation of privilege vulnerability exists in the Windows kernel due to the incorrect truncation of a 64-bit value to a 32-bit value. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2009-2515)
Windows Kernel NULL Pointer Dereference Vulnerability - An elevation of privilege vulnerability exists in the Windows kernel due to the insufficient validation of certain data passed from user mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2009-2516)
Windows Kernel Exception Handler Vulnerability - A denial of service vulnerability exists in the Windows kernel because of the way the kernel handles certain exceptions. An attacker could exploit the vulnerability by running a specially crafted application causing the system to restart. (CVE-2009-2517)
Vulnerable: All Microsoft operating systems.
MS09-059 - Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service
(CVE-2009-2524)
A denial of service vulnerability exists in the Microsoft Windows Local Security Authority Subsystem Service (LSASS) due to its improper handling of malformed packets during NTLM authentication. An attacker could create specially crafted anonymous NTLM authentication requests that would cause a crash in the LSASS service and subsequently would restart the computer. (CVE-2009-2524)
Vulnerable: Windows XP including x64 edition, Windows Server 2003 including x64 edition, Windows Vista including x64 edition, Windows Server 2008 including x64 edition and Itanium-based systems, Windows 7 including x64 edition.
MS09-060 - Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution
(CVE-2009-0901, CVE-2009-2493, & CVE-2009-2495)
ATL Uninitialized Object Vulnerability - A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to an issue in the ATL headers that could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized. Because of this, the attacker can control what happens when VariantClear is called during handling of an error by supplying a corrupt stream. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. This issue could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. (CVE-2009-0901)
ATL COM Initialization Vulnerability - A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to issues in the ATL headers that handle instantiation of an object from data streams. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass related security policy, such as kill bits within Internet Explorer. This issue could allow a remote, unauthenticated user to perform remote code execution on an affected system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. (CVE-2009-2493)
ATL Null String Vulnerability - An information disclosure vulnerability exists in the Microsoft Active Template Library (ATL) that could allow a string to be read without a terminating NULL character. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory. This vulnerability only directly affects systems with components and controls installed that were built using Visual Studio ATL. An attacker who successfully exploited this vulnerability could run a malicious component or control that could disclose information, forward user data to a third party, or access any data on the affected systems that was accessible to the logged-on user. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. (CVE-2009-2495)
Vulnerable: Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2007, Microsoft Visio Viewer 2002, 2003, & 2007.
MS09-061 - Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution
(CVE-2009-0090, CVE-2009-0091, & CVE-2009-2497)
Microsoft .NET Framework Pointer Verification Vulnerability - A remote code execution vulnerability exists in the Microsoft .NET Framework that could allow a malicious Microsoft .NET application to obtain a managed pointer to stack memory that is no longer used. The malicious Microsoft .NET application could then use this pointer to modify legitimate values placed at that stack location later, leading to arbitrary unmanaged code execution. Microsoft .NET applications that are not malicious are not at risk for being compromised because of this vulnerability. (CVE-2009-0090)
Microsoft .NET Framework Type Verification Vulnerability - A remote code execution vulnerability exists in the Microsoft .NET Framework that could allow a malicious Microsoft .NET application to bypass a type equality check. The malicious Microsoft .NET application could exploit this vulnerability by casting an object of one type into another type, leading to arbitrary unmanaged code execution. Microsoft .NET applications that are not malicious are not at risk for being compromised because of this vulnerability. (CVE-2009-0091)
Microsoft Silverlight and Microsoft .NET Framework CLR Vulnerability - A remote code execution vulnerability exists in the Microsoft .NET Framework that can allow a malicious Microsoft .NET application or a malicious Silverlight application to modify memory of the attacker's choice, leading to arbitrary unmanaged code execution. Microsoft .NET applications and Silverlight applications that are not malicious are not at risk for being compromised because of this vulnerability. (CVE-2009-2497)
Vulnerable: All Windows operating systems running .NET Framework 2.0 and below, & Microsoft Silverlight 2.
MS09-062 - Vulnerabilities in GDI+ Could Allow Remote Code Execution
(CVE-2009-2500 thru CVE-2009-2504, CVE-2009-3126, CVE-2009-2528, & CVE-2009-2518)
GDI+ WMF Integer Overflow Vulnerability - A remote code execution vulnerability exists in the way that GDI+ allocates buffer size when handling WMF image files. The vulnerability could allow remote code execution if a user opens a specially crafted WMF image file or browses to a Web site that contains specially crafted content. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2009-2500)
GDI+ PNG Heap Overflow & Integer Overflow Vulnerability - A remote code execution vulnerability exists in the way that GDI+ allocates memory. The vulnerability could allow remote code execution if a user opens a specially crafted PNG image file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2009-2501 & CVE-2009-3126)
GDI+ TIFF Buffer Overflow & Memory Corruption Vulnerability - A remote code execution vulnerability exists in the way that GDI+ allocates memory. The vulnerability could allow remote code execution if a user opens a specially crafted TIFF file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2009-2502 & CVE-2009-2503)
GDI+ .NET API Vulnerability - A remote code execution vulnerability exists in GDI+ that can allow a malicious Microsoft .NET application to gain unmanaged code execution privileges. Microsoft .NET applications that are not malicious are not at risk for being compromised because of this vulnerability. (CVE-2009-2504)
Memory Corruption Vulnerability - A remote code execution vulnerability exists in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file that includes a malformed object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2009-2528)
Office BMP Integer Overflow Vulnerability - A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted Office Documents containing BMP images. The vulnerability could allow remote code execution if an Outlook user opens a specially crafted e-mail or opens an Office Document with a malformed Bitmap file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2009-2518)
Vulnerable: Windows XP including x64 edition, Windows Server 2003 including x64 edition, Windows Vista including x64 edition, Windows Server 2008 including x64 edition and Itanium-based systems, Microsoft Internet Explorer 6, Microsoft .NET Framework 2.0 and below, Microsoft Office XP, 2003, & 2007, SQL Server 2005 all versions, Microsoft Visual Studio 2008 and below, Microsoft Report Viewer 2008 and below, Microsoft Visual FoxPro 9.0 and below, Microsoft Platform SDK Redistributable GDI+, and Microsoft Forefront Client Security 1.0.
[***** End MS09-050 Thru MS09-062 *****]
DOE-CIRC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH.
DOE-CIRC can be contacted at:
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov
UCRL-MI-119788