The security update addresses the vulnerabilities by modifying the way that Windows parses media files. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
- When Internet Explorer processes a specially crafted data stream header, Internet Explorer may corrupt system memory in such a way that an attacker could execute arbitrary code. (CVE-2009-1547)
- Internet Explorer validates arguments incorrectly under specific circumstances. As a result, a specially crafted Web page could be displayed in such a way that an attacker could execute arbitrary code in the context of the logged on user. (CVE-2009-2529)
- A remote code execution vulnerability exists when Internet Explorer attempts to access an object that has not been initialized or has been deleted. (CVE-2009-2530, CVE-2009-2531)

Microsoft has released a security update that addresses these vulnerabilities by modifying the way that Internet Explorer processes data stream headers, validates arguments, and handles objects in memory.

The security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8.

Windows XP Embedded Systems:
- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
  October 2009 Security Database Updates are Available (KB974455)

Consequence
Successful exploitation allows arbitrary execution of code.

Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
- Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 5.01 Service Pack 4)
- Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 6 Service Pack 1)
- Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft Internet Explorer 6)
- Windows XP Professional x64 Edition Service Pack 2 (Microsoft Internet Explorer 6)
- Windows Server 2003 Service Pack 2 (Microsoft Internet Explorer 6)
- Windows Server 2003 x64 Edition Service Pack 2 (Microsoft Internet Explorer 6)
- Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft Internet Explorer 6)
- Windows XP Service Pack 2 and Windows XP Service Pack 3 (Windows Internet Explorer 7)
- Windows XP Professional x64 Edition Service Pack 2 (Windows Internet Explorer 7)
- Windows Server 2003 Service Pack 2 (Windows Internet Explorer 7)
- Windows Server 2003 x64 Edition Service Pack 2 (Windows Internet Explorer 7)
- Windows Server 2003 with SP2 for Itanium-based Systems (Windows Internet Explorer 7)
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 (Windows Internet Explorer 7)
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 (Windows Internet Explorer 7)

For a complete list of patch download links, including Windows 7, please refer to Microsoft Security Bulletin MS09-054.

Workarounds:
CVE-2009-2529, CVE-2009-2530:
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

Impact of the Workaround:
On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.

Microsoft Server Message Block (SMBv2) Remote Code Execution Vulnerability (MS09-050) and Shadow Brokers (EDUCATEDSCHOLAR)
Severity: Urgent 5
Qualys ID: 90527
Vendor Reference: MS09-050
CVE Reference: CVE-2009-2526, CVE-2009-2532, CVE-2009-3103
CVSS Scores: Base 10 / Temporal 8.7

Description
The Microsoft Server Message Block (SMBv2) Protocol is a network file sharing protocol used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.
It is a client-server implementation and consists of a set of data packets, each containing a request sent by the client or a response sent by the server.

A remote code execution and denial of service vulnerability has been identified in the Microsoft SMB implementation because it does not appropriately parse SMB negotiation requests. An attacker can exploit this issue by sending specially crafted SMB packets.

Affected Software:
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

QID Detection Logic (Unauthenticated):
This QID sends a specially crafted non-invasive TCP request to check if the SMBv2 remote code execution vulnerability exists on the target based on the response received.

Consequence
Successful exploitation of this vulnerability could allow an attacker to take complete control of an affected system.
Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart.

Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Refer to Microsoft Security Bulletin MS09-050 for further details.

Workaround:
Microsoft has provided a capability of enabling and disabling the workarounds automatically. Refer to Microsoft Knowledge Base Article 975497 for further details.

The workarounds can also be applied manually. Details are listed below:

1) Disable SMB v2. To modify the registry key, perform the following steps:
- Click Start, click Run, type Regedit in the Open box, and then click OK.
- Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
- Click LanmanServer.
- Click Parameters.
- Right-click to add a new DWORD (32 bit) Value.
- Enter smb2 in the Name data field, and change the Value data field to 0.
- Exit.
- Restart the "Server" service. This can be done in the following two ways:
  1. Open up the computer management MMC, navigate to Services and Applications, click Services, right-click the Server service name and click Restart. Answer Yes in the pop-up menu.
  2. From a command prompt with administrator privileges, type net stop server and then net start server.

Impact of the workaround: The host will not be able to communicate using SMB2. Instead, the host will communicate using SMB 1.0. This should not impact basic services such as file and printer sharing.
These will continue to function as normal.

Two TCP ports, 139 and 445, should be blocked at the firewall to protect systems behind the firewall from attempts to exploit this vulnerability.

Impact of the workaround: Blocking the ports can cause several Windows services or applications using those ports to stop functioning.

Also, refer to Security Bulletin MS09-050 and Microsoft Security Advisory (975497) to obtain additional details on applying the workarounds.

Microsoft Windows Media Runtime Remote Code Execution Vulnerability (MS09-051)
Severity: Urgent 5
Qualys ID: 90546
Vendor Reference: MS09-051
CVE Reference: CVE-2009-0555, CVE-2009-2525
CVSS Scores: Base 9.3 / Temporal 7.7

Description
The Microsoft Windows Media Format Runtime provides information and tools for applications that use Windows Media content.
- A remote code execution vulnerability exists in Windows Media Player due to the improper processing of specially crafted Advanced Systems Format (ASF) files. (CVE-2009-0555)
- A remote code execution vulnerability exists in the Microsoft Windows Media Runtime because it does not properly initialize certain functions in compressed audio files.
(CVE-2009-2525)

Microsoft has released a security update that addresses these vulnerabilities by changing the manner in which the Windows Media Runtime processes ASF files and initializes functions in compressed audio files.

This security update is rated Critical for DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager on supported editions of Microsoft Windows 2000; Windows XP; Windows Server 2003, except for Itanium-based editions; Windows Vista; and Windows Server 2008, except for Itanium-based editions.

Windows XP Embedded Systems:
- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
  October 2009 Security Database Updates are Available (KB975682)

Consequence
An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user.

Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
- Microsoft Windows 2000 Service Pack 4 (DirectShow WMA Voice Codec)
- Microsoft Windows 2000 Service Pack 4 (Windows Media Audio Voice Decoder)
- Microsoft Windows 2000 Service Pack 4 (Audio Compression Manager)
- Windows XP Service Pack 2 (DirectShow WMA Voice Codec)
- Windows XP Service Pack 2 (Windows Media Audio Voice Decoder)
- Windows XP Service Pack 2 (Audio Compression Manager)
- Windows XP Service Pack 3 (DirectShow WMA Voice Codec)
- Windows XP Service Pack 3 (Windows Media Audio Voice Decoder)
- Windows XP Service Pack 3 (Audio Compression Manager)
- Windows XP Professional x64 Edition Service Pack 2 (DirectShow WMA Voice Codec)
- Windows XP Professional x64 Edition Service Pack 2 (Windows Media Audio Voice Decoder)
- Windows XP Professional x64 Edition Service Pack 2 (Windows Media Audio Voice Decoder in Windows Media Format SDK 9.5 x64 Edition)
- Windows XP Professional x64 Edition Service Pack 2 (Windows Media Audio Voice Decoder in Windows Media Format SDK 11)
- Windows XP Professional x64 Edition Service Pack 2 (Audio Compression Manager)
- Windows Server 2003 Service Pack 2 (DirectShow WMA Voice Codec)
- Windows Server 2003 Service Pack 2 (Windows Media Audio Voice Decoder)

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-051.

Workarounds:
- CVE-2009-0555: Unregister wmspdmod.dll
- CVE-2009-2525: Deny access to msaud32.acm

Refer to Microsoft Security Bulletin MS09-051 to obtain additional details on the workarounds.

Microsoft Windows Media Player Remote Code Execution Vulnerability (MS09-052)
Severity: Critical 4
Qualys ID: 90544
Vendor Reference: MS09-052
CVE Reference: CVE-2009-2527
CVSS Scores: Base 9.3 / Temporal 7.3

Description
Microsoft Windows Media Player is a multimedia application available for the Windows operating system.

The application is prone to a remote code execution vulnerability if a specially crafted ASF file is played using Windows Media Player 6.4. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2009-2527)

Microsoft Windows Media Player 6.4, when installed on any supported edition of Microsoft Windows 2000, Windows XP, and Windows Server 2003, is affected by this issue.

Microsoft has released a security update that addresses the vulnerability by correcting the manner in which Windows Media Player 6.4 handles specially crafted ASF files.

Windows XP Embedded Systems:
- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
  October 2009 Security Database Updates are Available (KB974112)

Consequence
Successful exploitation of this vulnerability may allow an attacker to take complete control of an affected system.

Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
- Microsoft Windows 2000 Service Pack 4 (Microsoft Windows Media Player 6.4)
- Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft Windows Media Player 6.4)
- Windows XP Professional x64 Edition Service Pack 2 (Microsoft Windows Media Player 6.4)
- Windows Server 2003 Service Pack 2 (Microsoft Windows Media Player 6.4)
- Windows Server 2003 x64 Edition Service Pack 2 (Microsoft Windows Media Player 6.4)

Refer to Microsoft Security Bulletin MS09-052 for further details.

Workarounds:
1) Modify the Access Control List (ACL) on strmdll.dll
Impact of workaround #1: Windows Media Player 6.4 will not be able to play media files.
2) For Windows 2000, upgrade to the latest version of Windows Media Player 9
3) For non-multimedia folder types, the Windows shell attack vector can be mitigated by using Windows Classic Folders.

Additional details on the workarounds can be obtained at Microsoft Security Bulletin MS09-052.

Microsoft FTP Service for Internet Information Services Remote Code Execution Vulnerability (MS09-053 and KB97519)
Severity: Urgent 5
Qualys ID: 27302
Vendor Reference: KB975191, MS09-053
CVE Reference: CVE-2009-2521, CVE-2009-3023
CVSS Scores: Base 9 / Temporal 7

Description
Internet Information Services (IIS) is a set of Internet-based services for servers created by Microsoft for use with Microsoft Windows.

The application is prone to the following vulnerabilities:
- A denial of service vulnerability exists in the FTP Service in Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, and Microsoft Internet Information Services 6.0. The vulnerability could allow remote code execution on systems running FTP Service on IIS 5.0, or denial of service on systems running FTP Service on IIS 5.1, IIS 6.0. (CVE-2009-3023)
- A denial of service is caused by the way that the Microsoft FTP service in IIS handles list commands.
(CVE-2009-2521)

Note: There is malicious code circulating that actively exploits this issue.

Affected Software and Components:
- Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Information Services 5.0)
- Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft Internet Information Services 5.1)
- Windows XP Service x64 Edition Service Pack 2 (Microsoft Internet Information Services 6.0)
- Windows Server 2003 Service Pack 2 (Microsoft Internet Information Services 6.0)
- Windows Server 2003 x64 Edition Service Pack 2 (Microsoft Internet Information Services 6.0)
- Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft Internet Information Services 6.0)
- Windows Vista, Windows Vista SP1, and Windows Vista SP2 (Microsoft Internet Information Services 7.0 FTP Service 6.0)
- Windows Vista x64 Edition, Windows Vista x64 Edition SP1, and Windows Vista x64 Edition SP2 (Microsoft Internet Information Services 7.0 FTP Service 6.0)
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems SP2 (Microsoft Internet Information Services 7.0 FTP Service 6.0)
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems SP2 (Microsoft Internet Information Services 7.0 FTP Service 6.0)
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems SP2 (Microsoft Internet Information Services 7.0 FTP Service 6.0)

Windows XP Embedded Systems:
- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
  October 2009 Security Database Updates are Available (KB975254)

Consequence
If this vulnerability is successfully exploited, it will allow an unauthenticated attacker to execute arbitrary code with system-level privileges.
Attacks against Microsoft Internet Information Server 6.0 targets may result in a denial of service.

Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Refer to Microsoft Security Bulletin MS09-053 for further details.

Workaround:
1) Modify NTFS file system permissions to disallow directory creation by FTP users. Perform the following steps with administrative privileges to remove directory creation privileges from the Users group.
- Browse to the root directory of your FTP site. By default this is in %systemroot%\inetpub\ftproot.
- Right-click on the directory and select Properties.
- Click the Security tab and click Advanced.
- Click Change Permissions.
- Select the Users group and click Edit. If you have a configured FTP user or custom group to manage your FTP users, replace the Users group with the custom identities.
- Deselect Create Folders/Append Data.
Impact of workaround #1: FTP users will not be able to create directories through the FTP service. FTP users will still be able to upload files to existing directories through the FTP service.

2) Do not allow FTP write access to untrusted anonymous users.
To modify IIS permissions to prevent FTP write access, perform the following steps:
- Launch IIS Manager.
- Right click Default FTP Site and point to Properties.
- Click the Home Directory tab.
- Ensure that Write is deselected.
Impact of workaround #2: Users will not be able to transfer files using FTP, but can do so using WebDAV.

3) Disable the FTP service.
Impact of workaround #3: Users will no longer be able to use the FTP service.

Refer to the advisory to obtain detailed instructions on the workarounds.

Microsoft Cumulative Security Update for ActiveX Kill Bits (MS09-055)
Severity: Critical 4
Qualys ID: 90549
Vendor Reference: MS09-055
CVE Reference: CVE-2009-2493
CVSS Scores: Base 9.3 / Temporal 6.9

Description
A remote code execution vulnerability exists in a few of the Microsoft ActiveX controls, which were compiled using the vulnerable Microsoft Active Template Library described in Microsoft Security Bulletin MS09-035. The vulnerability is due to issues in the ATL headers that handle instantiation of an object from data streams. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects in Internet Explorer that can bypass certain related security policies. When the Microsoft ActiveX Control is instantiated in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code.
(CVE-2009-2493)

Microsoft has released a security update to address this vulnerability by setting a kill bit so that the vulnerable controls do not run in Internet Explorer.

Windows XP Embedded Systems:
- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
  October 2009 Security Database Updates are Available (KB973525)

Consequence
Successful exploitation of this vulnerability allows remote code execution.

Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS09-055 for further details.

Workaround:
- Prevent COM objects from running in Internet Explorer.
Refer to Microsoft article KB240797 for information on setting the kill bit.

Impact of the workaround:
There is no impact as long as the object is not intended to be used in Internet Explorer.

Microsoft Windows CryptoAPI Spoofing Vulnerability (MS09-056)
Severity: Critical 4
Qualys ID: 90552
Vendor Reference: MS09-056
CVE Reference: CVE-2009-2510, CVE-2009-2511
CVSS Scores: Base 7.5 / Temporal 5.9

Description
The Windows CryptoAPI is an application programming interface that allows developers to secure applications using cryptography.

The Windows CryptoAPI is vulnerable to a spoofing issue due to incorrectly parsing a null terminator at the end of any values identified by an Object Identifier (OID). (CVE-2009-2510, CVE-2009-2511)

Microsoft rated this issue as Important for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7.

Windows Embedded Systems:
- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
  October 2009 Security Database Updates are Available (KB974571)
  Updates for Windows Embedded Standard 7 Are Now Available (KB974571)

Consequence
An attacker who successfully exploits this vulnerability could spoof a digital certificate of a Web site or any application that uses the CryptoAPI.

Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS09-056 for further details.

Microsoft Windows Indexing Service Remote Code Execution Vulnerability (MS09-057)
Severity: Critical 4
Qualys ID: 90554
Vendor Reference: MS09-057
CVE Reference: CVE-2009-2507
CVSS Scores: Base 9.3 / Temporal 6.9

Description
The Indexing Service catalogs data to facilitate efficient and rapid searching.

It is vulnerable to remote code execution because the ActiveX component that is included with the Indexing Service fails to properly handle Web content. (CVE-2009-2507)

Microsoft has released a security update that addresses the vulnerability by modifying the way that the Indexing Service ActiveX control processes URLs. Microsoft rated this issue as Important for Windows 2000, Windows XP, Windows Server 2003.

Windows XP Embedded Systems:
- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
  October 2009 Security Database Updates are Available (KB969059)

Consequence
An attacker who successfully exploited this vulnerability could take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS09-057 for further details.

Workarounds:
1) Unregister ixsso.dll as follows:
- Click Start, click Run, type "%SystemRoot%\System32\regsvr32.exe" /u ixsso.dll, and then click OK.
- A dialog box appears to confirm that the unregistration process has succeeded. Click OK to close the dialog box.
Impact of workaround #1: The Windows Indexing Service will not be able to construct an indexed catalog to facilitate efficient and rapid searching. Searches may take longer to complete.

2) Prevent the Indexing Service ActiveX control COM object from running in Internet Explorer.
Refer to Microsoft article KB240797 for information on setting the kill bit.
Impact of workaround #2: Internet Explorer will no longer be able to invoke the Indexing Service ActiveX control.

3) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting
4) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Impact of workarounds #3 and #4: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.

Microsoft Windows Kernel Privilege Escalation Vulnerability (MS09-058)
Severity: Critical 4
Qualys ID: 90550
Vendor Reference: MS09-058
CVE Reference: CVE-2009-2515, CVE-2009-2516, CVE-2009-2517
CVSS Scores: Base 7.2 / Temporal 5.6

Description
The Windows kernel is the core of the operating system that handles device management and memory management, allocates processor time to processes, and manages error handling.

The following security vulnerabilities exist in the Windows kernel:
- The Windows kernel does not correctly truncate a 64-bit value to a 32-bit value. This results in an integer underflow when the value is later subtracted from another value. (CVE-2009-2515)
- An elevation of privilege vulnerability exists in the Windows kernel because it does not properly validate certain data passed from user mode. (CVE-2009-2516)
- A denial of service vulnerability exists in the Windows kernel because of the way the kernel handles certain exceptions. An attacker could exploit the vulnerability by running a specially crafted application causing the system to restart.
(CVE-2009-2517)

Microsoft has released a security update that addresses these vulnerabilities by ensuring that the Windows kernel truncates 64-bit values properly, ensuring that the Windows kernel properly validates data within an executable, and ensuring that the Windows kernel cleans up exceptions under error conditions.

Windows XP Embedded Systems:
- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
  October 2009 Security Database Updates are Available (KB971486)

Consequence
Successful exploitation of these vulnerabilities can allow an attacker to conduct privilege escalation attacks. Exploitation can also result in denial of service conditions.

Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista and Windows Vista Service Pack 1
- Windows Vista Service Pack 2
- Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems
- Windows Server 2008 for Itanium-based Systems Service Pack 2

Refer to Microsoft Security Bulletin MS09-058 for further details.

Microsoft Windows Local Security Authority Subsystem Service Denial of Service Vulnerability (MS09-059)
Severity: Serious 3
Qualys ID: 90553
Vendor Reference: MS09-059
CVE Reference: CVE-2009-2524
CVSS Scores: Base 7.8 / Temporal 5.8

Description
The Local Security Authority Subsystem Service (LSASS) manages local security, domain authentication and Active Directory service processes.

The Windows NTLM implementation in LSASS is vulnerable to a denial of service issue when processing malformed packets during the authentication process. (CVE-2009-2524)

Microsoft released a security update that addresses the vulnerability by implementing additional validation of specific value sets used in the authentication process. Microsoft rated this issue as Important for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7.

Windows Embedded Systems:
- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
  October 2009 Security Database Updates are Available (KB975467)
  Updates for Windows Embedded Standard 7 Are Now Available (KB975467)

Consequence
Successful exploitation results in denial of service which causes the affected system to reboot.

Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS09-059 for further details.

Workaround:
1) Uninstall KB968389 from Windows XP or Windows Server 2003 computers
Impact of workaround #1: Windows XP and Windows Server 2003 computers will not benefit from Extended Protection for Authentication while this KB is disabled.
2) Enable advanced TCP/IP filtering on systems that support this feature
3) Use a personal firewall, such as the Internet Connection Firewall

Refer to Microsoft Security Bulletin MS09-059 to obtain additional details on the workarounds.

Microsoft Active Template Library (ATL) for Microsoft Office Remote Code Execution Vulnerability (MS09-060)
Severity: Urgent 5
Qualys ID: 90543
Vendor Reference: MS09-060
CVE Reference: CVE-2009-0901, CVE-2009-2493, CVE-2009-2495
CVSS Scores: Base 9.3 / Temporal 7.7

Description
Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office are prone to the following vulnerabilities:
- A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to an issue in the ATL headers that could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized. (CVE-2009-0901)
- A vulnerability exists due to issues in the ATL headers that handle instantiation of an object from data streams. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass certain related security policies. (CVE-2009-2493)
- An information disclosure vulnerability exists in the Microsoft Active Template Library (ATL) that could allow a string to be read without a terminating NULL character. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory.
(CVE-2009-2495)Microsoft has released a security update that addresses these vulnerabilities by correcting the manner in which ATL handles the instantiation of objects from data streams, providing updated versions of the affected components and controls built using corrected ATL headers.It is rated Critical for all supported editions of Microsoft Outlook 2002, Microsoft Office Outlook 2003, Microsoft Office Outlook 2007, Microsoft Visio 2002 Viewer, Microsoft Office Visio 2003 Viewer, and Microsoft Office Visio Viewer 2007.ConsequenceThe vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.SolutionPatch:Following are links for downloading patches to fix the vulnerabilities:Microsoft Office XP Service Pack 3 (Microsoft Outlook 2002 Service Pack 3)Microsoft Office 2003 Service Pack 3 (Microsoft Office Outlook 2003 Service Pack 3)2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2 (Microsoft Office Outlook 2007 Service Pack 1 and Microsoft Office Outlook 2007 Service Pack 2)Microsoft Office Visio Viewer 2007, Microsoft Office Visio Viewer 2007 Service Pack 1, and Microsoft Office Visio Viewer 2007 Service Pack 2Refer to Microsoft Security Bulletin MS09-060 for further details.Workarounds:- Do not open or save Microsoft Office files received from untrusted sources or files received unexpectedly from trusted sources.Microsoft .NET Common Language Runtime Multiple Vulnerabilities (MS09-061)SeverityUrgent5Qualys ID90547Vendor ReferenceMS09-061CVE ReferenceCVE-2009-0090, CVE-2009-0091, CVE-2009-2497CVSS ScoresBase 9.3 / Temporal 7.3DescriptionThree vulnerabilities exist in the Microsoft .NET Framework (Versions 1.1 and 2) that allow maliciously crafted .NET applications, XAML Browser Applications, or Silverlight applications to 
evade managed code checks and execute arbitrary code with the permissions of the logged in user.Microsoft has released a security update that addresses these vulnerabilities by modifying the way in which the Microsoft .NET verifies and enforces the rules of Microsoft .NET verifiable code and by modifying the way in which the Microsoft .NET Common Language Runtime handles interfaces.Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):June 2010 Security Updates are Available on ECE for Standard 09and XP Embedded (KB974378, 953300, 974417, 953300, 974417)May 2010 Security Updates for XPe\Standard 2009 are Finally Available on ECE (KB974378, 953300, 974417, 953300, 974417)ConsequenceSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code.SolutionPatch:Following are links for downloading patches to fix the vulnerabilities:Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 1.1 Service Pack 1)Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 2.0 Service Pack 1)Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 2.0 Service Pack 2)Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft .NET Framework 1.0 Service Pack 3)Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft .NET Framework 1.1 Service Pack 1)Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5)Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1)Windows XP Professional x64 Edition Service Pack 2 (Microsoft .NET Framework 1.1 Service Pack 1)Windows XP Professional x64 Edition Service Pack 2 (Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5)Windows XP Professional x64 Edition Service Pack 2 (Microsoft .NET Framework 2.0 
Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1)Windows Server 2003 Service Pack 2 (Microsoft .NET Framework 1.1 Service Pack 1)Windows Server 2003 Service Pack 2 (Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5)For a complete list of patch download links, including Windows 7, please refer to Microsoft Security Bulletin MS09-061.Workarounds:1) Disable partially trusted Microsoft .NET applicationsImpact of workaround #1: Some Microsoft .NET applications will not run.2) Disable XAML browser applications in Internet ExplorerImpact of workaround #2: Microsoft .NET code will not run in Internet Explorer or will not run without a prompt. Disabling Microsoft .NET applications and components in the Internet and Local intranet security zones may cause some Web sites to work incorrectly.Additional workaround details available at Microsoft Security Bulletin MS09-061.Microsoft Windows GDI+ Remote Code Execution Vulnerability (MS09-062)SeverityUrgent5Qualys ID90551Vendor ReferenceMS09-062CVE ReferenceCVE-2009-2500, CVE-2009-2501, CVE-2009-2502, CVE-2009-2503, CVE-2009-2504, CVE-2009-2518, CVE-2009-2528, CVE-2009-3126CVSS ScoresBase 9.3 / Temporal 7.7DescriptionGDI+ is a graphics device interface that provides two-dimensional vector graphics, imaging, and typography to applications and programmers.Microsoft has released updates to address the following issues:- A remote code execution vulnerability exists in the way that GDI+ allocates buffer size when handling WMF image files. The vulnerability could allow remote code execution if a user opens a specially crafted WMF image file or browses to a Web site that contains specially crafted content. (CVE-2009-2500)- A remote code execution vulnerability exists in the way that GDI+ allocates memory. The vulnerability could allow remote code execution if a user opens a specially crafted PNG image file. 
(CVE-2009-2501)- A remote code execution vulnerability exists in the way that GDI+ allocates memory. The vulnerability could allow remote code execution if a user opens a specially crafted TIFF file. (CVE-2009-2502, CVE-2009-2503)- A remote code execution vulnerability exists in GDI+ that can allow a malicious Microsoft .NET application to gain unmanaged code execution privileges, this vulnerability is caused by an integer overflow in certain GDI+ APIs that are accessible from .NET Framework applications. (CVE-2009-2504)- A remote code execution vulnerability exists in the way that GDI+ allocates memory. The vulnerability could allow remote code execution if a user opens a specially crafted PNG image file. (CVE-2009-3126)- A remote code execution vulnerability exists in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file that includes a malformed object. (CVE-2009-2528)- A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted Office Documents containing BMP images. The vulnerability could allow remote code execution if an Outlook user opens a specially crafted e-mail or opens an Office Document with a malformed Bitmap file. (CVE-2009-2518)Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):October 2009 Security Database Updates are Available (KB958869)ConsequenceAn attacker who successfully exploited this vulnerability could take complete control of an affected system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.SolutionPatch:Following are links for downloading patches to fix the vulnerabilities:Windows XP Service Pack 2 and Windows XP Service Pack 3Windows XP Professional x64 Edition Service Pack 2Windows Server 2003 Service Pack 2Windows Server 2003 x64 Edition Service Pack 2Windows Server 2003 with SP2 for Itanium-based SystemsWindows Vista and Windows Vista Service Pack 1Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1Windows Server 2008 for 32-bit SystemsWindows Server 2008 for x64-based SystemsWindows Server 2008 for Itanium-based SystemsMicrosoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 6 ServicePack 1)Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 1.1 Service Pack 1)Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 2.0 Service Pack 1)Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 2.0 Service Pack 2)Microsoft Office XP Service Pack 3Microsoft Office 2003 Service Pack 32007 Microsoft Office System Service Pack 1For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-062. A list of workarounds with details on enabling and disabling them is also available in the Bulletin.These new vulnerability checks are included in Qualysvulnerability signature1.24.23-3.Each Qualys account is automatically updated with the latestvulnerability signatures as they become available. To view thevulnerability signature version in your account, from theQualys Help menu, select the About tab.