Executive Summary
| Summary | |
|---|---|
| Title | Microsoft Updates for Multiple Vulnerabilities |
| Informations | |||
|---|---|---|---|
| Name | TA09-069A | First vendor Publication | 2009-03-10 |
| Vendor | US-CERT | Last vendor Modification | 2009-03-10 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 9.3 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Microsoft has released updates that address vulnerabilities in Microsoft Windows and Windows Server. I. Description As part of the Microsoft Security Bulletin Summary for March 2009, Microsoft released updates to address vulnerabilities that affect Microsoft Windows and Windows Server. II. Impact A remote, unauthenticated attacker could gain elevated privileges, poison the DNS cache, execute arbitrary code, or cause a vulnerable application to crash. III. Solution Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2009. The security bulletin describes any known issues related to the updates. |
Original Source
| Url : http://www.us-cert.gov/cas/techalerts/TA09-069A.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 86 % | CWE-20 | Improper Input Validation |
| 14 % | CWE-287 | Improper Authentication |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:5440 | |||
| Oval ID: | oval:org.mitre.oval:def:5440 | ||
| Title: | Windows Kernel Invalid Pointer Vulnerability | ||
| Description: | The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 does not properly handle invalid pointers, which allows local users to gain privileges via an application that triggers use of a crafted pointer, aka "Windows Kernel Invalid Pointer Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-0083 | Version: | 1 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:5715 | |||
| Oval ID: | oval:org.mitre.oval:def:5715 | ||
| Title: | DNS Server Response Validation Vulnerability | ||
| Description: | The DNS Resolver Cache Service (aka DNSCache) in Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008 does not properly cache crafted DNS responses, which makes it easier for remote attackers to predict transaction IDs and poison caches by sending many crafted DNS queries that trigger "unnecessary lookups," aka "DNS Server Response Validation Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-0234 | Version: | 3 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Windows Server 2008 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6011 | |||
| Oval ID: | oval:org.mitre.oval:def:6011 | ||
| Title: | SChannel Spoofing Vulnerability | ||
| Description: | The Secure Channel (aka SChannel) authentication component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008, when certificate authentication is used, does not properly validate the client's key exchange data in Transport Layer Security (TLS) handshake messages, which allows remote attackers to spoof authentication by crafting a TLS packet based on knowledge of the certificate but not the private key, aka "SChannel Spoofing Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-0085 | Version: | 3 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6036 | |||
| Oval ID: | oval:org.mitre.oval:def:6036 | ||
| Title: | Windows Kernel Handle Validation Vulnerability | ||
| Description: | The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly validate handles, which allows local users to gain privileges via a crafted application that triggers unspecified "actions," aka "Windows Kernel Handle Validation Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-0082 | Version: | 5 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6117 | |||
| Oval ID: | oval:org.mitre.oval:def:6117 | ||
| Title: | WPAD WINS Server Registration Vulnerability | ||
| Description: | The WINS server in Microsoft Windows 2000 SP4 and Server 2003 SP1 and SP2 does not restrict registration of the (1) "wpad" and (2) "isatap" NetBIOS names, which allows remote authenticated users to hijack the Web Proxy Auto-Discovery (WPAD) and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) features, and conduct man-in-the-middle attacks by spoofing a proxy server or ISATAP route, by registering one of these names in the WINS database, aka "WPAD WINS Server Registration Vulnerability," a related issue to CVE-2007-1692. | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-0094 | Version: | 3 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows Server 2003 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6138 | |||
| Oval ID: | oval:org.mitre.oval:def:6138 | ||
| Title: | DNS Server Vulnerability in WPAD Registration Vulnerability | ||
| Description: | Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008, when dynamic updates are enabled, does not restrict registration of the "wpad" hostname, which allows remote authenticated users to hijack the Web Proxy Auto-Discovery (WPAD) feature, and conduct man-in-the-middle attacks by spoofing a proxy server, via a Dynamic Update request for this hostname, aka "DNS Server Vulnerability in WPAD Registration Vulnerability," a related issue to CVE-2007-1692. | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-0093 | Version: | 3 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows Server 2003 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6202 | |||
| Oval ID: | oval:org.mitre.oval:def:6202 | ||
| Title: | Windows Kernel Input Validation Vulnerability | ||
| Description: | The graphics device interface (GDI) implementation in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly validate input received from user mode, which allows remote attackers to execute arbitrary code via a crafted (1) Windows Metafile (aka WMF) or (2) Enhanced Metafile (aka EMF) image file, aka "Windows Kernel Input Validation Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-0081 | Version: | 5 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6228 | |||
| Oval ID: | oval:org.mitre.oval:def:6228 | ||
| Title: | DNS Server Query Validation Vulnerability | ||
| Description: | The DNS Resolver Cache Service (aka DNSCache) in Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008, when dynamic updates are enabled, does not reuse cached DNS responses in all applicable situations, which makes it easier for remote attackers to predict transaction IDs and poison caches by simultaneously sending crafted DNS queries and responses, aka "DNS Server Query Validation Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-0233 | Version: | 3 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Windows Server 2008 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Os | 1 | |
| Os | 4 | |
| Os | 3 | |
| Os | 3 | |
| Os | 4 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-03-11 | Name : Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690) File : nvt/secpod_ms09-006.nasl |
| 2009-03-11 | Name : Vulnerability in SChannel Could Allow Spoofing (960225) File : nvt/secpod_ms09-007.nasl |
| 2009-03-11 | Name : Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238) File : nvt/secpod_ms09-008.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 52524 | Microsoft Windows Invalid Pointer Local Privilege Escalation Windows contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by an unspecified flaw in the kernel related to invalid pointers. This flaw may lead to a loss of integrity. |
| 52523 | Microsoft Windows Handle Validation Local Privilege Escalation Windows contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by an unspecified handle validation flaw in the kernel. This flaw may lead to a loss of integrity. |
| 52522 | Microsoft Windows GDI Kernel Component Unspecified Remote Code Execution An unspecified remote code execution flaw exists in Window. The GDI kernel interface fails to validate WMF and EMF graphics files resulting in arbitrary code execution. With a specially crafted file, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity. |
| 52521 | Microsoft Windows SChannel Certificate Based Authentication Spoofing Bypass Windows contains a flaw that may allow a malicious user to authenticate against a protected server using only the public portion of a valid user's credential. The issue is triggered by weak certificate validation by the SChannel security component. It is possible that the flaw may allow unauthorized access to protected servers resulting in a loss of integrity. |
| 52520 | Microsoft Windows WPAD WINS Server Registration Web Proxy MiTM Weakness |
| 52519 | Microsoft Windows DNS Server WPAD Registration Dynamic Update MiTM Weakness Windows contains a flaw that may allow a malicious user to spoof a WPAD (Web Proxy Auto-Discovery) DNS record. The issue is caused by the DNS server allowing any client to register a WPAD entry in DNS. It is possible that the flaw may allow a malicious proxy to redirect Internet traffic resulting in a loss of integrity. |
| 52518 | Microsoft Windows DNS Server Response Response Validation Transaction ID Pred... Windows contains a flaw that may allow a malicious user to poison its DNS cache. The issue is triggered by a weakness which allows for predictable transaction IDs, allowing spoofed records to be stored in the DNS cache. It is possible that the flaw may allow DNS cache poisoning resulting in a loss of integrity. |
| 52517 | Microsoft Windows DNS Server Query Validation Spoofing Windows contains a flaw that may allow a malicious user to spoof DNS records. The issue is triggered by the use of predictable transaction IDs in the Windows DNS Server. It is possible that the flaw may allow DNS cache poisoning resulting in a loss of integrity. |
Information Assurance Vulnerability Management (IAVM)
| Date | Description |
|---|---|
| 2009-03-12 | IAVM : 2009-A-0019 - Microsoft Windows Secure Channel Vulnerability Severity : Category II - VMSKEY : V0018549 |
| 2009-03-12 | IAVM : 2009-A-0018 - Multiple Vulnerabilities in Windows DNS and WINS Servers Severity : Category I - VMSKEY : V0018553 |
Snort® IPS/IDS
| Date | Description |
|---|---|
| 2019-09-05 | Microsoft Windows GDI EMF parsing arbitrary code execution attempt RuleID : 50885 - Revision : 1 - Type : FILE-OTHER |
| 2019-09-05 | Microsoft Windows GDI EMF parsing arbitrary code execution attempt RuleID : 50884 - Revision : 1 - Type : FILE-OTHER |
| 2014-01-10 | Microsoft Windows wpad dynamic update request RuleID : 17731 - Revision : 10 - Type : OS-WINDOWS |
| 2014-01-10 | Microsoft Windows DNS Server ANY query cache weakness RuleID : 17696 - Revision : 9 - Type : PROTOCOL-DNS |
| 2014-01-10 | Microsoft Windows IIS SChannel improper certificate verification RuleID : 17431 - Revision : 12 - Type : SERVER-IIS |
| 2014-01-10 | udp WINS WPAD registration attempt RuleID : 15387 - Revision : 13 - Type : OS-WINDOWS |
| 2014-01-10 | Microsoft Windows wpad dynamic update request RuleID : 15386 - Revision : 10 - Type : OS-WINDOWS |
| 2014-01-10 | Microsoft Internet Explorer EMF polyline overflow attempt RuleID : 15300 - Revision : 9 - Type : BROWSER-IE |
| 2014-01-10 | excessive outbound NXDOMAIN replies - possible spoof of domain run by local D... RuleID : 13949 - Revision : 17 - Type : PROTOCOL-DNS |
| 2014-01-10 | large number of NXDOMAIN replies - possible DNS cache poisoning RuleID : 13948 - Revision : 13 - Type : PROTOCOL-DNS |
| 2014-01-10 | dns cache poisoning attempt RuleID : 13667 - Revision : 19 - Type : PROTOCOL-DNS |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2014-03-05 | Name : The DNS server running on the remote host is vulnerable to DNS spoofing attacks. File : ms_dns_kb961063.nasl - Type : ACT_GATHER_INFO |
| 2009-03-11 | Name : It is possible to execute arbitrary code on the remote host. File : smb_nt_ms09-006.nasl - Type : ACT_GATHER_INFO |
| 2009-03-11 | Name : It may be possible to spoof user identities. File : smb_nt_ms09-007.nasl - Type : ACT_GATHER_INFO |
| 2009-03-11 | Name : The remote host is vulnerable to DNS and/or WINS spoofing attacks. File : smb_nt_ms09-008.nasl - Type : ACT_GATHER_INFO |
