Executive Summary

Title: Microsoft Updates for Multiple Vulnerabilities
Information
Name: TA09-069A
First vendor Publication: 2009-03-10
Vendor: US-CERT
Last vendor Modification: 2009-03-10
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : NA
Base Score : NA
Environmental Score : NA
Impact SubScore : NA
Temporal Score : NA
Exploitability SubScore : NA
 

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score : 9.3
Cvss Impact Score : 10
Cvss Exploit Score : 8.6
Attack Range : Network
Attack Complexity : Medium
Authentication : None Required

Detail

Microsoft has released updates that address vulnerabilities in Microsoft Windows and Windows Server.

I. Description

As part of the Microsoft Security Bulletin Summary for March 2009, Microsoft released updates to address vulnerabilities that affect Microsoft Windows and Windows Server.

II. Impact

A remote, unauthenticated attacker could gain elevated privileges, poison the DNS cache, execute arbitrary code, or cause a vulnerable application to crash.

III. Solution

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2009. The security bulletin describes any known issues related to the updates.
Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA09-069A.html

CWE : Common Weakness Enumeration

% Id Name
86 % CWE-20 Improper Input Validation
14 % CWE-287 Improper Authentication

OVAL Definitions

 
Oval ID: oval:org.mitre.oval:def:5440
Title: Windows Kernel Invalid Pointer Vulnerability
Description: The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 does not properly handle invalid pointers, which allows local users to gain privileges via an application that triggers use of a crafted pointer, aka "Windows Kernel Invalid Pointer Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0083
Version: 1
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
 
Oval ID: oval:org.mitre.oval:def:5715
Title: DNS Server Response Validation Vulnerability
Description: The DNS Resolver Cache Service (aka DNSCache) in Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008 does not properly cache crafted DNS responses, which makes it easier for remote attackers to predict transaction IDs and poison caches by sending many crafted DNS queries that trigger "unnecessary lookups," aka "DNS Server Response Validation Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0234
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows Server 2003
Microsoft Windows Server 2008
 
Oval ID: oval:org.mitre.oval:def:6011
Title: SChannel Spoofing Vulnerability
Description: The Secure Channel (aka SChannel) authentication component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008, when certificate authentication is used, does not properly validate the client's key exchange data in Transport Layer Security (TLS) handshake messages, which allows remote attackers to spoof authentication by crafting a TLS packet based on knowledge of the certificate but not the private key, aka "SChannel Spoofing Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0085
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
 
Oval ID: oval:org.mitre.oval:def:6036
Title: Windows Kernel Handle Validation Vulnerability
Description: The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly validate handles, which allows local users to gain privileges via a crafted application that triggers unspecified "actions," aka "Windows Kernel Handle Validation Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0082
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
 
Oval ID: oval:org.mitre.oval:def:6117
Title: WPAD WINS Server Registration Vulnerability
Description: The WINS server in Microsoft Windows 2000 SP4 and Server 2003 SP1 and SP2 does not restrict registration of the (1) "wpad" and (2) "isatap" NetBIOS names, which allows remote authenticated users to hijack the Web Proxy Auto-Discovery (WPAD) and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) features, and conduct man-in-the-middle attacks by spoofing a proxy server or ISATAP route, by registering one of these names in the WINS database, aka "WPAD WINS Server Registration Vulnerability," a related issue to CVE-2007-1692.
Family: windows Class: vulnerability
Reference(s): CVE-2009-0094
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows Server 2003
 
Oval ID: oval:org.mitre.oval:def:6138
Title: DNS Server Vulnerability in WPAD Registration Vulnerability
Description: Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008, when dynamic updates are enabled, does not restrict registration of the "wpad" hostname, which allows remote authenticated users to hijack the Web Proxy Auto-Discovery (WPAD) feature, and conduct man-in-the-middle attacks by spoofing a proxy server, via a Dynamic Update request for this hostname, aka "DNS Server Vulnerability in WPAD Registration Vulnerability," a related issue to CVE-2007-1692.
Family: windows Class: vulnerability
Reference(s): CVE-2009-0093
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows Server 2003
 
Oval ID: oval:org.mitre.oval:def:6202
Title: Windows Kernel Input Validation Vulnerability
Description: The graphics device interface (GDI) implementation in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly validate input received from user mode, which allows remote attackers to execute arbitrary code via a crafted (1) Windows Metafile (aka WMF) or (2) Enhanced Metafile (aka EMF) image file, aka "Windows Kernel Input Validation Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0081
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
 
Oval ID: oval:org.mitre.oval:def:6228
Title: DNS Server Query Validation Vulnerability
Description: The DNS Resolver Cache Service (aka DNSCache) in Windows DNS Server in Microsoft Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008, when dynamic updates are enabled, does not reuse cached DNS responses in all applicable situations, which makes it easier for remote attackers to predict transaction IDs and poison caches by simultaneously sending crafted DNS queries and responses, aka "DNS Server Query Validation Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0233
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows Server 2003
Microsoft Windows Server 2008

CPE : Common Platform Enumeration

Type Description Count
Os 1
Os 4
Os 3
Os 4
Os 4

OpenVAS Exploits

Date Description
2009-03-11 Name : Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)
File : nvt/secpod_ms09-006.nasl
2009-03-11 Name : Vulnerability in SChannel Could Allow Spoofing (960225)
File : nvt/secpod_ms09-007.nasl
2009-03-11 Name : Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)
File : nvt/secpod_ms09-008.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
52524 Microsoft Windows Invalid Pointer Local Privilege Escalation

Windows contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by an unspecified flaw in the kernel related to invalid pointers. This flaw may lead to a loss of integrity.
52523 Microsoft Windows Handle Validation Local Privilege Escalation

Windows contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered by an unspecified handle validation flaw in the kernel. This flaw may lead to a loss of integrity.
52522 Microsoft Windows GDI Kernel Component Unspecified Remote Code Execution

An unspecified remote code execution flaw exists in Windows. The GDI kernel interface fails to validate WMF and EMF graphics files, resulting in arbitrary code execution. With a specially crafted file, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.
52521 Microsoft Windows SChannel Certificate Based Authentication Spoofing Bypass

Windows contains a flaw that may allow a malicious user to authenticate against a protected server using only the public portion of a valid user's credential. The issue is triggered by weak certificate validation by the SChannel security component. It is possible that the flaw may allow unauthorized access to protected servers resulting in a loss of integrity.
52520 Microsoft Windows WPAD WINS Server Registration Web Proxy MiTM Weakness

52519 Microsoft Windows DNS Server WPAD Registration Dynamic Update MiTM Weakness

Windows contains a flaw that may allow a malicious user to spoof a WPAD (Web Proxy Auto-Discovery) DNS record. The issue is caused by the DNS server allowing any client to register a WPAD entry in DNS. It is possible that the flaw may allow a malicious proxy to redirect Internet traffic resulting in a loss of integrity.
52518 Microsoft Windows DNS Server Response Response Validation Transaction ID Pred...

Windows contains a flaw that may allow a malicious user to poison its DNS cache. The issue is triggered by a weakness which allows for predictable transaction IDs, allowing spoofed records to be stored in the DNS cache. It is possible that the flaw may allow DNS cache poisoning resulting in a loss of integrity.
52517 Microsoft Windows DNS Server Query Validation Spoofing

Windows contains a flaw that may allow a malicious user to spoof DNS records. The issue is triggered by the use of predictable transaction IDs in the Windows DNS Server. It is possible that the flaw may allow DNS cache poisoning resulting in a loss of integrity.

Information Assurance Vulnerability Management (IAVM)

Date Description
2009-03-12 IAVM : 2009-A-0019 - Microsoft Windows Secure Channel Vulnerability
Severity : Category II - VMSKEY : V0018549
2009-03-12 IAVM : 2009-A-0018 - Multiple Vulnerabilities in Windows DNS and WINS Servers
Severity : Category I - VMSKEY : V0018553

Snort® IPS/IDS

Date Description
2019-09-05 Microsoft Windows GDI EMF parsing arbitrary code execution attempt
RuleID : 50885 - Revision : 1 - Type : FILE-OTHER
2019-09-05 Microsoft Windows GDI EMF parsing arbitrary code execution attempt
RuleID : 50884 - Revision : 1 - Type : FILE-OTHER
2014-01-10 Microsoft Windows wpad dynamic update request
RuleID : 17731 - Revision : 10 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows DNS Server ANY query cache weakness
RuleID : 17696 - Revision : 9 - Type : PROTOCOL-DNS
2014-01-10 Microsoft Windows IIS SChannel improper certificate verification
RuleID : 17431 - Revision : 12 - Type : SERVER-IIS
2014-01-10 udp WINS WPAD registration attempt
RuleID : 15387 - Revision : 13 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows wpad dynamic update request
RuleID : 15386 - Revision : 10 - Type : OS-WINDOWS
2014-01-10 Microsoft Internet Explorer EMF polyline overflow attempt
RuleID : 15300 - Revision : 9 - Type : BROWSER-IE
2014-01-10 excessive outbound NXDOMAIN replies - possible spoof of domain run by local D...
RuleID : 13949 - Revision : 17 - Type : PROTOCOL-DNS
2014-01-10 large number of NXDOMAIN replies - possible DNS cache poisoning
RuleID : 13948 - Revision : 13 - Type : PROTOCOL-DNS
2014-01-10 dns cache poisoning attempt
RuleID : 13667 - Revision : 18 - Type : PROTOCOL-DNS

Nessus® Vulnerability Scanner

Date Description
2014-03-05 Name : The DNS server running on the remote host is vulnerable to DNS spoofing attacks.
File : ms_dns_kb961063.nasl - Type : ACT_GATHER_INFO
2009-03-11 Name : It is possible to execute arbitrary code on the remote host.
File : smb_nt_ms09-006.nasl - Type : ACT_GATHER_INFO
2009-03-11 Name : It may be possible to spoof user identities.
File : smb_nt_ms09-007.nasl - Type : ACT_GATHER_INFO
2009-03-11 Name : The remote host is vulnerable to DNS and/or WINS spoofing attacks.
File : smb_nt_ms09-008.nasl - Type : ACT_GATHER_INFO