Executive Summary

This Alert is flagged as CWE/SANS TOP 25 Common Weakness Enumeration: two of the weakness classes it covers (CWE-189 and CWE-79, listed below) appear on the CWE/SANS Top 25 list.
Summary
Title Microsoft Updates for Multiple Vulnerabilities
Information
Name : TA09-104A
First vendor Publication : 2009-04-14
Vendor : US-CERT
Last vendor Modification : 2009-04-14
Severity (Vendor) : N/A
Revision : N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score : N/A
Base Score : N/A
Environmental Score : N/A
Impact Sub Score : N/A
Temporal Score : N/A
Exploitability Sub Score : N/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score : 10
Cvss Impact Score : 10
Cvss Exploit Score : 10
Attack Range : Network
Attack Complexity : Low
Authentication : None Required

Detail

Microsoft has released updates that address vulnerabilities in Microsoft Windows, Office, Windows Server, and ISA Server.

I. Description

As part of the Microsoft Security Bulletin Summary for April 2009, Microsoft released updates to address vulnerabilities that affect Microsoft Windows, Office, Windows Server, and ISA Server.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code, gain elevated privileges, or cause a vulnerable application to crash.

III. Solution

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for April 2009. The security bulletin describes any known issues related to the updates.
Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).
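The following PowerShell check is an added example; it is not part of the US-CERT alert or of this page. It looks up, on one or more hosts, the update packages whose KB numbers appear in the OpenVAS check names further down this page, using Get-HotFix (Win32_QuickFixEngineering). It assumes PowerShell 2.0 or later and an account with local administrator rights on each target; the bulletin labels attached to each KB are taken from those OpenVAS check names and are not stated by the alert itself.

```powershell
# Added example, not from the US-CERT alert. Checks hosts for the April 2009
# update packages whose KB numbers are listed on this page.
# Assumptions: PowerShell 2.0+ (Get-HotFix), local admin on each target host.
# KB-to-bulletin labels are taken from the OpenVAS check names on this page.
$Expected = @{
    'KB960477' = 'MS09-010 WordPad and Office text converters'
    'KB961373' = 'MS09-011 DirectShow (MJPEG decompression)'
    'KB959454' = 'MS09-012 Windows service isolation (Token Kidnapping)'
    'KB960803' = 'MS09-013 Windows HTTP Services'
    'KB963027' = 'MS09-014 Internet Explorer'
}

function Test-TA09104AUpdates {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($computer in $ComputerName) {
        # Win32_QuickFixEngineering reports OS-level hotfixes by their KB id.
        $installed = Get-HotFix -ComputerName $computer |
            Select-Object -ExpandProperty HotFixID

        foreach ($kb in $Expected.Keys) {
            New-Object PSObject -Property @{
                Computer = $computer
                KB       = $kb
                Bulletin = $Expected[$kb]
                Present  = ($installed -contains $kb)
            } | Select-Object Computer, KB, Bulletin, Present
        }
    }
}

# Report only what is not installed; exit non-zero so a scheduler notices.
$missing = Test-TA09104AUpdates | Where-Object { -not $_.Present }
$missing | Format-Table -AutoSize
if ($missing) { exit 1 }
```

Two caveats before treating a "Present = False" row as "unpatched". First, Get-HotFix only sees hotfixes registered with Windows servicing, so Office updates (the Excel fix, KB968557 on this page) do not appear and must be checked through Office's own update inventory, WSUS or MBSA. Second, the KB numbers above are the bulletin article numbers; a bulletin that fixes several components (MS09-012 covers four separate service-isolation CVEs) can ship as more than one package with its own KB number, so confirm a missing row against the bulletin's package list rather than assuming the host is exposed.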

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA09-104A.html

CWE : Common Weakness Enumeration

% Id Name
29 % CWE-399 Resource Management Errors
24 % CWE-264 Permissions, Privileges, and Access Controls
18 % CWE-94 Failure to Control Generation of Code ('Code Injection')
12 % CWE-20 Improper Input Validation
6 % CWE-189 Numeric Errors (CWE/SANS Top 25)
6 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
6 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:5320
Title: Windows HTTP Services Credential Reflection Vulnerability
Description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0550
Version: 4
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008

Oval ID: oval:org.mitre.oval:def:5551
Title: Uninitialized Memory Corruption Vulnerability
Description: Unspecified vulnerability in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 on Windows XP SP2 and SP3, and 6 on Windows Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a web page that triggers presence of an object in memory that was (1) not properly initialized or (2) deleted, aka "Uninitialized Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0552
Version: 2
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer

Oval ID: oval:org.mitre.oval:def:5618
Title: MJPEG Decompression Vulnerability
Description: Use-after-free vulnerability in DirectShow in Microsoft DirectX 8.1 and 9.0 allows remote attackers to execute arbitrary code via an MJPEG file or video stream with a malformed Huffman table, which triggers an exception that frees heap memory that is later accessed, aka "MJPEG Decompression Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0084
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Product(s): DirectX

Oval ID: oval:org.mitre.oval:def:5723
Title: Uninitialized Memory Corruption Vulnerability
Description: Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008 allows remote attackers to execute arbitrary code via a web page that triggers presence of an object in memory that was (1) not properly initialized or (2) deleted, aka "Uninitialized Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0554
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer

Oval ID: oval:org.mitre.oval:def:5736
Title: Word 2000 WordPerfect 6.x Converter Stack Corruption Vulnerability
Description: The WordPerfect 6.x Converter (WPFT632.CNV, 1998.1.27.0) in Microsoft Office Word 2000 SP3 and Microsoft Office Converter Pack does not properly validate the length of an unspecified string, which allows remote attackers to execute arbitrary code via a crafted WordPerfect 6.x file, related to an unspecified counter and control structures on the stack, aka "Word 2000 WordPerfect 6.x Converter Stack Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0088
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s): Microsoft Word 2000
Microsoft Office Converter Pack

Oval ID: oval:org.mitre.oval:def:5771
Title: Cross-Site Scripting Vulnerability
Description: Cross-site scripting (XSS) vulnerability in cookieauth.dll in the HTML forms authentication component in Microsoft Forefront Threat Management Gateway, Medium Business Edition (TMG MBE); and Internet Security and Acceleration (ISA) Server 2006, 2006 Supportability Update, and 2006 SP1; allows remote attackers to inject arbitrary web script or HTML via "authentication input" to this component, aka "Cross-Site Scripting Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0237
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows Server 2003
Product(s): Microsoft Forefront Threat Management Gateway
Microsoft Internet Security and Acceleration Server 2006

Oval ID: oval:org.mitre.oval:def:5782
Title: Blended Threat Elevation of Privilege Vulnerability
Description: Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
Family: windows Class: vulnerability
Reference(s): CVE-2008-2540
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008

Oval ID: oval:org.mitre.oval:def:5799
Title: WordPad and Office Text Converter Memory Corruption Vulnerability
Description: Unspecified vulnerability in the Word 6 text converter in WordPad in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and the Word 6 text converter in Microsoft Office Word 2000 SP3 and 2002 SP3; allows remote attackers to execute arbitrary code via a crafted Word 6 file that contains malformed data, aka "WordPad and Office Text Converter Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0087
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s): Microsoft Word 2000
Microsoft Word 2002

Oval ID: oval:org.mitre.oval:def:5891
Title: Microsoft Distributed Transaction Coordinator Service Isolation Vulnerability
Description: Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the (1) NetworkService and (2) LocalService accounts, which might allow context-dependent attackers to gain privileges by using one service process to capture a resource from a second service process that has a LocalSystem privilege-escalation ability, related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services (IIS), aka Token Kidnapping.
Family: windows Class: vulnerability
Reference(s): CVE-2008-1436
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Distributed Transaction Coordinator

Oval ID: oval:org.mitre.oval:def:5893
Title: WordPad Word 97 Text Converter Stack Overflow Vulnerability
Description: Stack-based buffer overflow in the Word 97 text converter in WordPad in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted Word 97 file that triggers memory corruption, related to use of inconsistent integer data sizes for an unspecified length field, aka "WordPad Word 97 Text Converter Stack Overflow Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0235
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista

Oval ID: oval:org.mitre.oval:def:5968
Title: Memory Corruption Vulnerability
Description: Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.
Family: windows Class: vulnerability
Reference(s): CVE-2009-0238
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2007
Microsoft Office Excel Viewer 2003
Microsoft Office Excel Viewer
Microsoft Office Compatibility Pack

Oval ID: oval:org.mitre.oval:def:6027
Title: Windows HTTP Services Certificate Name Mismatch Vulnerability
Description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Vista Gold allows remote web servers to impersonate arbitrary https web sites by using DNS spoofing to "forward a connection" to a different https web site that has a valid certificate matching its own domain name, but not a certificate matching the domain name of the host requested by the user, aka "Windows HTTP Services Certificate Name Mismatch Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0089
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008

Oval ID: oval:org.mitre.oval:def:6043
Title: Memory Corruption Vulnerability
Description: Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel in Microsoft Office 2004 and 2008 for Mac; Microsoft Office Excel Viewer and Excel Viewer 2003 SP3; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 do not properly parse the Excel spreadsheet file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet that contains a malformed object with "an offset and a two-byte value" that trigger a memory calculation error, aka "Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0100
Version: 9
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel 2007
Microsoft Office Excel Viewer 2003
Microsoft Office Excel Viewer
Microsoft Office Compatibility Pack

Oval ID: oval:org.mitre.oval:def:6050
Title: WordPad Word 97 Text Converter Stack Overflow Vulnerability
Description: The WordPad Text Converter for Word 97 files in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted (1) .doc, (2) .wri, or (3) .rtf Word 97 file that triggers memory corruption, as exploited in the wild in December 2008. NOTE: As of 20081210, it is unclear whether this vulnerability is related to a WordPad issue disclosed on 20080925 with a 2008-crash.doc.rar example, but there are insufficient details to be sure.
Family: windows Class: vulnerability
Reference(s): CVE-2008-4841
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista

Oval ID: oval:org.mitre.oval:def:6068
Title: Web Proxy TCP State Limited Denial of Service Vulnerability
Description: The firewall engine in Microsoft Forefront Threat Management Gateway, Medium Business Edition (TMG MBE); and Internet Security and Acceleration (ISA) Server 2004 SP3, 2006, 2006 Supportability Update, and 2006 SP1; does not properly manage the session state of web listeners, which allows remote attackers to cause a denial of service (many stale sessions) via crafted packets, aka "Web Proxy TCP State Limited Denial of Service Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0077
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s): Microsoft Forefront Threat Management Gateway
Microsoft Internet Security and Acceleration Server 2004
Microsoft Internet Security and Acceleration Server 2006

Oval ID: oval:org.mitre.oval:def:6069
Title: Uninitialized Memory Corruption Vulnerability
Description: Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008 allows remote attackers to execute arbitrary code via a web page that triggers presence of an object in memory that was (1) not properly initialized or (2) deleted, aka "Uninitialized Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0553
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer

Oval ID: oval:org.mitre.oval:def:6108
Title: Blended Threat Remote Code Execution Vulnerability
Description: Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
Family: windows Class: vulnerability
Reference(s): CVE-2008-2540
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Product(s): Microsoft Internet Explorer

Oval ID: oval:org.mitre.oval:def:6147
Title: Windows RPCSS Service Isolation Vulnerability
Description: The RPCSS service in Microsoft Windows XP SP2 and SP3 and Server 2003 SP1 and SP2 does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by accessing the resources of one of the processes, aka "Windows RPCSS Service Isolation Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0079
Version: 4
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003

Oval ID: oval:org.mitre.oval:def:6149
Title: Windows HTTP Services Integer Underflow Vulnerability
Description: Integer underflow in Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote HTTP servers to execute arbitrary code via crafted parameter values in a response, related to error handling, aka "Windows HTTP Services Integer Underflow Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0086
Version: 6
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008

Oval ID: oval:org.mitre.oval:def:6164
Title: Page Transition Memory Corruption Vulnerability
Description: Microsoft Internet Explorer 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008 does not properly handle transition errors in a request for one HTTP document followed by a request for a second HTTP document, which allows remote attackers to execute arbitrary code via vectors involving (1) multiple crafted pages on a web site or (2) a web page with crafted inline content such as banner advertisements, aka "Page Transition Memory Corruption Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0551
Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer

Oval ID: oval:org.mitre.oval:def:6177
Title: Windows Thread Pool ACL Weakness Vulnerability
Description: The ThreadPool class in Windows Vista Gold and SP1, and Server 2008, does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by leveraging incorrect thread ACLs to access the resources of one of the processes, aka "Windows Thread Pool ACL Weakness Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0080
Version: 6
Platform(s): Microsoft Windows Vista
Microsoft Windows Server 2008

Oval ID: oval:org.mitre.oval:def:6193
Title: Windows WMI Service Isolation Vulnerability
Description: The Windows Management Instrumentation (WMI) provider in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by accessing the resources of one of the processes, aka "Windows WMI Service Isolation Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0078
Version: 6
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008

Oval ID: oval:org.mitre.oval:def:6233
Title: WinINet Credential Reflection Vulnerability
Description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0550
Version: 2
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer

Oval ID: oval:org.mitre.oval:def:7569
Title: WinINet and Windows HTTP Services Credential Reflection Vulnerability
Description: Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008; and WinINet in Microsoft Internet Explorer 5.01 SP4, 6 SP1, 6 and 7 on Windows XP SP2 and SP3, 6 and 7 on Windows Server 2003 SP1 and SP2, 7 on Windows Vista Gold and SP1, and 7 on Windows Server 2008; allows remote web servers to capture and replay NTLM credentials, and execute arbitrary code, via vectors related to absence of a "credential-reflection protections" opt-in step, aka "Windows HTTP Services Credential Reflection Vulnerability" and "WinINet Credential Reflection Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2009-0550
Version: 8
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer

Oval ID: oval:org.mitre.oval:def:8509
Title: Blended Threat Remote Code Execution Vulnerability
Description: Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X.
Family: windows Class: vulnerability
Reference(s): CVE-2008-2540
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Product(s): Microsoft Internet Explorer

CPE : Common Platform Enumeration

(The product description column of this table was not preserved; only the platform type and entry count survive.)

Type Count
Application 144
Application 5
Application 1
Application 1
Application 1
Application 3
Application 4
Application 4
Application 2
Application 1
Application 1
Application 1
Application 4
Application 3
Application 2
Application 2
Os 1
Os 2
Os 6
Os 3
Os 4
Os 5
Os 7
Os 7
Os 3

SAINT Exploits

Description
Internet Explorer WinINet credential reflection vulnerability
Microsoft WordPad Word97 text converter buffer overflow
Microsoft WordPad Word 97 text converter XST buffer overflow
Microsoft Excel SST record code execution

OpenVAS Exploits

Date Description
2009-04-23 Name : Microsoft ISA Server and Forefront Threat Management Gateway DoS Vulnerabilit...
File : nvt/secpod_ms09-016.nasl
2009-04-15 Name : Microsoft DirectShow Remote Code Execution Vulnerability (961373)
File : nvt/secpod_ms09-011.nasl
2009-04-15 Name : Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
File : nvt/secpod_ms09-012.nasl
2009-04-15 Name : Windows HTTP Services Could Allow Remote Code Execution Vulnerabilities (960803)
File : nvt/secpod_ms09-013.nasl
2009-04-15 Name : Microsoft Internet Explorer Remote Code Execution Vulnerability (963027)
File : nvt/secpod_ms09-014.nasl
2009-04-15 Name : Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege...
File : nvt/secpod_ms09-015.nasl
2009-03-18 Name : Microsoft Excel Remote Code Execution Vulnerabilities (968557)
File : nvt/secpod_ms_excel_remote_code_exec_vuln.nasl
2008-12-12 Name : WordPad and Office Text Converter Memory Corruption Vulnerability (960477)
File : nvt/secpod_ms_wordpad_mult_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
53668 Microsoft Windows ThreadPool ACL Enforcement Weakness Local Privilege Escalation

53667 Microsoft Windows RPCSS Service Isolation Local Privilege Escalation

53666 Microsoft Windows Management Instrumentation (WMI) Service Isolation Local Pr...

53665 Microsoft Office Excel Malformed Object Handling Memory Corruption

53664 Microsoft WordPad Word 97 Text Converter File Handling Overflow

53663 Microsoft Office Word 2000 WordPerfect 6.x Converter Document Handling Stack ...

53662 Microsoft WordPad / Office Text Converter Malformed Data Handling Memory Corr...

53637 Microsoft ISA Server / Forefront Threat Management Gateway (TMG) Forms Authen...

53636 Microsoft ISA Server / Forefront Threat Management Gateway (TMG) Web Proxy TC...

53632 Microsoft DirectShow MJPEG Decompression Unspecified Arbitrary Code Execution

53627 Microsoft IE Unitialized Object Memory Corruption Arbitrary Code Execution (2...

53626 Microsoft IE EMBED Element Handling Memory Corruption Arbitrary Code Execution

53625 Microsoft IE Unitialized Object Memory Corruption Arbitrary Code Execution (2...

53624 Microsoft IE Page Transition Unspecified Memory Corruption Arbitrary Code Exe...

53623 Microsoft Windows SearchPath File Open / Locating Unspecified Arbitrary Code ...

53621 Microsoft Windows HTTP Services Digital Certificate Distinguished Name Mismat...

53620 Microsoft Windows HTTP Services Web Server Response Unspecified Integer Under...

A memory corruption flaw exists in Windows. WinHTTP.dll fails to properly parse the HTTP chunksize parameter resulting in an integer underflow. With a specially crafted HTTP response, a context-dependent attacker can cause arbitrary code execution, resulting in a loss of integrity.
53619 Microsoft Windows HTTP Services NTLM Credential Replay Privileged Code Execution

52695 Microsoft Office Excel Crafted Document Invalid Object Reference Unspecified ...

50567 Microsoft Windows WordPad Text Converter Unspecified Memory Corruption

45892 Apple Safari on Mac OS X Default Download Location Unspecified Arbitrary Code...

44580 Microsoft Windows Microsoft Distributed Transaction Coordinator (MSDTC) SeImp...

Information Assurance Vulnerability Management (IAVM)

Date Description
2009-04-19 IAVM : 2009-A-0034 - Microsoft Windows HTTP Services Remote Code Execution Vulnerability
Severity : Category I - VMSKEY : V0018756
2009-04-16 IAVM : 2009-A-0032 - Multiple Vulnerabilities in WordPad and Office Text Converters
Severity : Category I - VMSKEY : V0018752
2009-04-16 IAVM : 2009-T-0021 - Microsoft Windows SearchPath Blended Threat Vulnerability
Severity : Category II - VMSKEY : V0018776
2009-04-16 IAVM : 2009-T-0022 - Multiple Vulnerabilities in Microsoft ISA Server and Microsoft Forefront Thre...
Severity : Category II - VMSKEY : V0018781

Snort® IPS/IDS

Date Description
2014-06-19 Microsoft Office Word WordPerfect converter buffer overflow attempt
RuleID : 31032 - Revision : 2 - Type : FILE-OFFICE
2014-06-19 Microsoft Office Word WordPerfect converter buffer overflow attempt
RuleID : 31031 - Revision : 2 - Type : FILE-OFFICE
2014-01-10 Microsoft Office Excel malformed ftCMO record remote code execution attempt
RuleID : 26711 - Revision : 5 - Type : FILE-OFFICE
2014-01-10 Microsoft Office WordPad and Office text converters integer underflow attempt
RuleID : 23557 - Revision : 5 - Type : FILE-OFFICE
2014-01-10 Microsoft Office WordPad and Office text converters integer underflow attempt
RuleID : 23556 - Revision : 5 - Type : FILE-OFFICE
2014-01-10 Microsoft Office WordPad and Office text converters integer underflow attempt
RuleID : 23356 - Revision : 5 - Type : FILE-OFFICE
2014-01-10 Microsoft Internet Explorer History.go method double free corruption attempt
RuleID : 18482 - Revision : 9 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer EMBED element memory corruption attempt
RuleID : 17729 - Revision : 11 - Type : BROWSER-IE
2014-01-10 possible SMB replay attempt - overlapping encryption keys detected
RuleID : 17723 - Revision : 12 - Type : OS-WINDOWS
2014-01-10 Microsoft Internet Explorer EMBED element memory corruption attempt
RuleID : 17709 - Revision : 12 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer marquee object handling memory corruption attempt
RuleID : 17462 - Revision : 13 - Type : BROWSER-IE
2014-01-10 Microsoft Office Word Converter XST structure buffer overflow attempt
RuleID : 17406 - Revision : 10 - Type : FILE-OFFICE
2014-01-10 Microsoft Office Word Converter XST structure buffer overflow attempt
RuleID : 17405 - Revision : 11 - Type : FILE-OFFICE
2014-01-10 Microsoft Office Word Converter XST structure buffer overflow attempt
RuleID : 17404 - Revision : 13 - Type : FILE-OFFICE
2014-01-10 Apple Safari-Internet Explorer SearchPath blended threat attempt
RuleID : 16319 - Revision : 14 - Type : BROWSER-IE
2014-01-10 Microsoft ISA and Forefront Threat Management Web Proxy TCP Listener denial o...
RuleID : 16221 - Revision : 12 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows DirectShow MJPEG arbitrary code execution attempt
RuleID : 16187 - Revision : 11 - Type : OS-WINDOWS
2014-01-10 Telnet-based NTLM replay attack attempt
RuleID : 15847 - Revision : 14 - Type : OS-WINDOWS
2014-01-10 Microsoft Windows ISA Server cross-site scripting attempt
RuleID : 15475 - Revision : 10 - Type : OS-WINDOWS
2014-01-10 Microsoft ISA Server and Forefront Threat Management Gateway invalid RST deni...
RuleID : 15474 - Revision : 8 - Type : SERVER-OTHER
2014-01-10 IIS ASP/ASP.NET potentially malicious file upload attempt
RuleID : 15470 - Revision : 8 - Type : FILE-EXECUTABLE
2014-01-10 Microsoft Office WordPad and Office text converters integer underflow attempt
RuleID : 15469 - Revision : 17 - Type : FILE-OFFICE
2014-01-10 Apple Safari-Internet Explorer SearchPath blended threat dll request
RuleID : 15468 - Revision : 17 - Type : BROWSER-IE
2014-01-10 Microsoft Office WordPad and Office Text Converters PlcPcd aCP buffer overflo...
RuleID : 15467 - Revision : 17 - Type : FILE-OFFICE
2014-01-10 Microsoft Office WordPad WordPerfect 6.x converter buffer overflow attempt
RuleID : 15466 - Revision : 13 - Type : FILE-OFFICE
2014-01-10 Microsoft Excel malformed object record remote code execution attempt
RuleID : 15465 - Revision : 10 - Type : FILE-OFFICE
2014-01-10 Multiple web browsers HTTP chunked transfer-encoding memory corruption attempt
RuleID : 15462 - Revision : 20 - Type : BROWSER-OTHER
2014-01-10 Microsoft Internet Explorer marquee tag onstart memory corruption
RuleID : 15461 - Revision : 8 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer ActiveX load/unload race condition attempt
RuleID : 15460 - Revision : 10 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer deleted/uninitialized object memory corruption attempt
RuleID : 15459 - Revision : 8 - Type : BROWSER-IE
2014-01-10 Microsoft Internet Explorer navigating between pages race condition attempt
RuleID : 15458 - Revision : 8 - Type : BROWSER-IE
2014-01-10 Microsoft Windows DirectShow MJPEG arbitrary code execution attempt
RuleID : 15457 - Revision : 9 - Type : OS-WINDOWS
2014-01-10 WinHTTP SSL/TLS impersonation attempt
RuleID : 15456 - Revision : 6 - Type : SERVER-OTHER
2014-01-10 Microsoft Office WordPad and Office Text Converters XST parsing buffer overfl...
RuleID : 15455 - Revision : 9 - Type : FILE-OFFICE
2014-01-10 SMB replay attempt via NTLMSSP - overlapping encryption keys detected
RuleID : 15453 - Revision : 16 - Type : OS-WINDOWS
2014-01-10 Microsoft Excel extrst record arbitrary code execution attempt
RuleID : 15365 - Revision : 16 - Type : FILE-OFFICE
2014-01-10 Web-based NTLM replay attack attempt
RuleID : 15124 - Revision : 17 - Type : OS-WINDOWS
2014-01-10 possible SMB replay attempt - overlapping encryption keys detected
RuleID : 15009 - Revision : 22 - Type : OS-WINDOWS

Nessus® Vulnerability Scanner

Date Description
2010-10-20 Name : An application installed on the remote Mac OS X host is affected by multiple ...
File : macosx_ms09-009.nasl - Type : ACT_GATHER_INFO
2009-04-15 Name : It is possible to execute arbitrary code on the remote Windows host using Mic...
File : smb_nt_ms09-009.nasl - Type : ACT_GATHER_INFO
2009-04-15 Name : It is possible to execute arbitrary code on the remote Windows host using a t...
File : smb_nt_ms09-010.nasl - Type : ACT_GATHER_INFO
2009-04-15 Name : It is possible to execute arbitrary code on the remote Windows host using Dir...
File : smb_nt_ms09-011.nasl - Type : ACT_GATHER_INFO
2009-04-15 Name : A local user can elevate his privileges on the remote host.
File : smb_nt_ms09-012.nasl - Type : ACT_GATHER_INFO
2009-04-15 Name : The remote host contains an API that is affected by multiple vulnerabilities.
File : smb_nt_ms09-013.nasl - Type : ACT_GATHER_INFO
2009-04-15 Name : Arbitrary code can be executed on the remote host through a web browser.
File : smb_nt_ms09-014.nasl - Type : ACT_GATHER_INFO
2009-04-15 Name : The remote host may allow remote code execution.
File : smb_nt_ms09-015.nasl - Type : ACT_GATHER_INFO
2009-04-14 Name : The remote host contains an application that is affected by multiple vulnerab...
File : smb_nt_ms09-016.nasl - Type : ACT_GATHER_INFO
2008-06-20 Name : The remote host contains a web browser that is affected by several issues.
File : safari_3_1_2.nasl - Type : ACT_GATHER_INFO