Executive Summary

Summary
Title Cumulative Security Update for Internet Explorer (963027)
Informations
Name MS09-014 First vendor Publication 2009-04-14
Vendor Microsoft Last vendor Modification 2010-07-21
Severity (Vendor) Critical Revision 1.4

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Revision Note: V1.4 (July 21, 2010): Corrected the value of the dword associated with enabling the defense-in-depth protection in the section, Frequently Asked Questions (FAQ) Related to This Security Update. Users who previously enabled the defense-in-depth protection against the blended threat issue should verify their environment is using the correct dword value.Summary: This security update resolves four privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user connects to an attacker's server by way of the HTTP protocol. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Original Source

Url : http://www.microsoft.com/technet/security/bulletin/MS09-014.mspx

CWE : Common Weakness Enumeration

% Id Name
60 % CWE-399 Resource Management Errors
20 % CWE-264 Permissions, Privileges, and Access Controls
20 % CWE-94 Failure to Control Generation of Code ('Code Injection')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5320
 
Oval ID: oval:org.mitre.oval:def:5320
Title: Windows HTTP Services Credential Reflection Vulnerability
Description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0550
Version: 4
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:5551
 
Oval ID: oval:org.mitre.oval:def:5551
Title: Uninitialized Memory Corruption Vulnerability
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 on Windows XP SP2 and SP3, and 6 on Windows Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a web page that triggers presence of an object in memory that was (1) not properly initialized or (2) deleted, aka "Uninitialized Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0552
Version: 2
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:5723
 
Oval ID: oval:org.mitre.oval:def:5723
Title: Uninitialized Memory Corruption Vulnerability
Description: Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008 allows remote attackers to execute arbitrary code via a web page that triggers presence of an object in memory that was (1) not properly initialized or (2) deleted, aka "Uninitialized Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0554
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:5782
 
Oval ID: oval:org.mitre.oval:def:5782
Title: Blended Threat Elevation of Privilege Vulnerability
Description: Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
Family: windows Class: vulnerability
Reference(s): CVE-2008-2540
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6069
 
Oval ID: oval:org.mitre.oval:def:6069
Title: Uninitialized Memory Corruption Vulnerability
Description: Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008 allows remote attackers to execute arbitrary code via a web page that triggers presence of an object in memory that was (1) not properly initialized or (2) deleted, aka "Uninitialized Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0553
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6108
 
Oval ID: oval:org.mitre.oval:def:6108
Title: Blended Threat Remote Code Execution Vulnerability
Description: Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
Family: windows Class: vulnerability
Reference(s): CVE-2008-2540
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6164
 
Oval ID: oval:org.mitre.oval:def:6164
Title: Page Transition Memory Corruption Vulnerability
Description: Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008 does not properly handle transition errors in a request for one HTTP document followed by a request for a second HTTP document, which allows remote attackers to execute arbitrary code via vectors involving (1) multiple crafted pages on a web site or (2) a web page with crafted inline content such as banner advertisements, aka "Page Transition Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0551
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6233
 
Oval ID: oval:org.mitre.oval:def:6233
Title: WinINet Credential Reflection Vulnerability
Description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0550
Version: 2
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7569
 
Oval ID: oval:org.mitre.oval:def:7569
Title: WinINet and Windows HTTP Services Credential Reflection Vulnerability
Description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0550
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:8509
 
Oval ID: oval:org.mitre.oval:def:8509
Title: Blended Threat Remote Code Execution Vulnerability
Description: Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
Family: windows Class: vulnerability
Reference(s): CVE-2008-2540
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 144
Application 3
Application 4
Os 1
Os 4
Os 3
Os 4
Os 4

SAINT Exploits

Description Link
Internet Explorer WinINet credential reflection vulnerability More info here

ExploitDB Exploits

id Description
2009-04-20 MS Internet Explorer EMBED Memory Corruption PoC (MS09-014)

OpenVAS Exploits

Date Description
2009-04-15 Name : Windows HTTP Services Could Allow Remote Code Execution Vulnerabilities (960803)
File : nvt/secpod_ms09-013.nasl
2009-04-15 Name : Microsoft Internet Explorer Remote Code Execution Vulnerability (963027)
File : nvt/secpod_ms09-014.nasl
2009-04-15 Name : Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege...
File : nvt/secpod_ms09-015.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
53627 Microsoft IE Unitialized Object Memory Corruption Arbitrary Code Execution (2...

53626 Microsoft IE EMBED Element Handling Memory Corruption Arbitrary Code Execution

53625 Microsoft IE Unitialized Object Memory Corruption Arbitrary Code Execution (2...

53624 Microsoft IE Page Transition Unspecified Memory Corruption Arbitrary Code Exe...

53623 Microsoft Windows SearchPath File Open / Locating Unspecified Arbitrary Code ...

53619 Microsoft Windows HTTP Services NTLM Credential Replay Privileged Code Execution

45892 Apple Safari on Mac OS X Default Download Location Unspecified Arbitrary Code...

Information Assurance Vulnerability Management (IAVM)

Date Description
2009-04-19 IAVM : 2009-A-0034 - Microsoft Windows HTTP Services Remote Code Execution Vulnerability
Severity : Category I - VMSKEY : V0018756
2009-04-16 IAVM : 2009-T-0021 - Microsoft Windows SearchPath Blended Threat Vulnerability
Severity : Category II - VMSKEY : V0018776

Snort® IPS/IDS

Date Description
2014-01-10 Microsoft Internet Explorer History.go method double free corruption attempt
RuleID : 18482 - Revision : 9 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer EMBED element memory corruption attempt
RuleID : 17729 - Revision : 11 - Type : BROWSER-IE
2014-01-10 possible SMB replay attempt - overlapping encryption keys detected
RuleID : 17723 - Revision : 12 - Type : OS-WINDOWS
2014-01-10 Microsoft Internet Explorer EMBED element memory corruption attempt
RuleID : 17709 - Revision : 12 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer marquee object handling memory corruption attempt
RuleID : 17462 - Revision : 13 - Type : BROWSER-IE
2014-01-10 Apple Safari-Internet Explorer SearchPath blended threat attempt
RuleID : 16319 - Revision : 14 - Type : BROWSER-IE
2014-01-10 Telnet-based NTLM replay attack attempt
RuleID : 15847 - Revision : 14 - Type : OS-WINDOWS
2014-01-10 Apple Safari-Internet Explorer SearchPath blended threat dll request
RuleID : 15468 - Revision : 17 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer marquee tag onstart memory corruption
RuleID : 15461 - Revision : 8 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer ActiveX load/unload race condition attempt
RuleID : 15460 - Revision : 10 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted/unitialized object memory corruption attempt
RuleID : 15459 - Revision : 8 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer navigating between pages race condition attempt
RuleID : 15458 - Revision : 8 - Type : BROWSER-IE
2014-01-10 SMB replay attempt via NTLMSSP - overlapping encryption keys detected
RuleID : 15453 - Revision : 16 - Type : OS-WINDOWS
2014-01-10 Web-based NTLM replay attack attempt
RuleID : 15124 - Revision : 17 - Type : OS-WINDOWS
2014-01-10 possible SMB replay attempt - overlapping encryption keys detected
RuleID : 15009 - Revision : 22 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date Description
2009-04-15 Name : The remote host contains an API that is affected by multiple vulnerabilities.
File : smb_nt_ms09-013.nasl - Type : ACT_GATHER_INFO
2009-04-15 Name : Arbitrary code can be executed on the remote host through a web browser.
File : smb_nt_ms09-014.nasl - Type : ACT_GATHER_INFO
2009-04-15 Name : The remote host may allow remote code execution.
File : smb_nt_ms09-015.nasl - Type : ACT_GATHER_INFO
2008-06-20 Name : The remote host contains a web browser that is affected by several issues.
File : safari_3_1_2.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-02-17 11:46:12
  • Multiple Updates
2014-01-19 21:30:18
  • Multiple Updates