Executive Summary
| Summary | |
|---|---|
| Title | Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856) |
| Informations | |||
|---|---|---|---|
| Name | MS09-033 | First vendor Publication | 2009-07-14 |
| Vendor | Microsoft | Last vendor Modification | 2010-03-09 |
| Severity (Vendor) | Important | Revision | 2.0 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 9 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Low |
| Cvss Expoit Score | 8 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Revision Note: V2.0 (March 9, 2010): Rereleased this bulletin to add Microsoft Virtual Server 2005 to affected software. No other update packages are affected by this rerelease.Summary: This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
Original Source
| Url : http://www.microsoft.com/technet/security/bulletin/MS09-033.mspx |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:6166 | |||
| Oval ID: | oval:org.mitre.oval:def:6166 | ||
| Title: | Virtual PC and Virtual Server Privileged Instruction Decoding Vulnerability | ||
| Description: | The Virtual Machine Monitor (VMM) in Microsoft Virtual PC 2004 SP1, 2007, and 2007 SP1, and Microsoft Virtual Server 2005 R2 SP1, does not enforce CPU privilege-level requirements for all machine instructions, which allows guest OS users to execute arbitrary kernel-mode code and gain privileges within the guest OS via a crafted application, aka "Virtual PC and Virtual Server Privileged Instruction Decoding Vulnerability." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2009-1542 | Version: | 3 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 | Product(s): | Microsoft Virtual Server 2005 Microsoft Virtual PC 2004 Microsoft Virtual PC 2007 |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 4 | |
| Application | 2 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-07-15 | Name : Microsoft Virtual PC/Server Privilege Escalation Vulnerability (969856) File : nvt/secpod_ms09-033.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 55837 | Microsoft Virtual PC / Virtual Server Instruction Decoding Unspecified Local ... |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2009-07-14 | Name : The remote host contains an application that is affected by a privilege escal... File : smb_nt_ms09-033.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:46:16 |
|
