eEye Digital Security Newsletter
April 14, 2009

Microsoft Patch Disclosure - April 2009

This month Microsoft released eight bulletins that repair a total of 23 vulnerabilities. Twelve of these vulnerabilities have been publicly described in some form, and in-the-wild exploitation has been observed for at least two of them.

Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus have generically protected against the client-side memory-corruption vulnerabilities, without requiring an update for each one.

Patch Precedence
Of the eight patches this month, six address client-side flaws, one a local privilege escalation, and one a network-based security device. The client-side flaws are by far the most critical and should be patched as soon as possible.

As always, eEye suggests that users roll out these patches as quickly as possible, after testing their impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please check tomorrow's Vulnerability Expert Forum.


This Month's Bulletins

Critical
  • MS09-009 - Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution
  • MS09-010 - Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution
  • MS09-011 - Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
  • MS09-013 - Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution
  • MS09-014 - Cumulative Security Update for Internet Explorer
Important
  • MS09-012 - Vulnerabilities in Windows Could Allow Elevation of Privilege
  • MS09-016 - Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service
Moderate
  • MS09-015 - Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege
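To check whether a host has actually received these updates, here is an added example in Python (not eEye or Microsoft code): it parses the hotfix list that `wmic qfe get HotFixID` or PowerShell's `Get-HotFix` prints and compares it with the KB numbers given in the bulletin headings below. The sample output embedded in the block is constructed for the demonstration, and `installed_hotfixes_from_wmic()` only works on a Windows host.

```python
"""Check a Windows host's installed hotfix list against the April 2009 bulletins.

Added example for this newsletter, not eEye or Microsoft code. It parses the
text produced by `wmic qfe get HotFixID` (or `Get-HotFix | Select HotFixID`)
and reports which bulletins are still missing. SAMPLE_WMIC_OUTPUT is
constructed for the demonstration.
"""
import re
import subprocess

# Bulletin -> KB article number, taken from this month's bulletin headings.
APRIL_2009_BULLETINS = {
    "MS09-009": "KB968557",
    "MS09-010": "KB960477",
    "MS09-011": "KB961373",
    "MS09-012": "KB959454",
    "MS09-013": "KB960803",
    "MS09-014": "KB963027",
    "MS09-015": "KB959426",
    "MS09-016": "KB961759",
}

KB_RE = re.compile(r"\bKB(\d{6,7})\b", re.IGNORECASE)


def parse_hotfix_ids(text):
    """Return the set of KB identifiers found in wmic/Get-HotFix style output."""
    return {"KB" + m.group(1) for m in KB_RE.finditer(text)}


def missing_bulletins(installed_kbs, bulletins=APRIL_2009_BULLETINS):
    """Return {bulletin: kb} for every bulletin whose KB is not installed."""
    return {b: kb for b, kb in bulletins.items() if kb not in installed_kbs}


def installed_hotfixes_from_wmic():
    """Query the local host. Windows only; raises elsewhere because wmic is absent."""
    out = subprocess.run(["wmic", "qfe", "get", "HotFixID"],
                         capture_output=True, text=True, check=True).stdout
    return parse_hotfix_ids(out)


# Constructed sample: a host that has applied three of the eight updates.
SAMPLE_WMIC_OUTPUT = """HotFixID
KB956572
KB960477
KB961373
KB963027
"""

if __name__ == "__main__":
    installed = parse_hotfix_ids(SAMPLE_WMIC_OUTPUT)
    for bulletin, kb in sorted(missing_bulletins(installed).items()):
        print(f"{bulletin} ({kb}) not installed")
```

Treat a clean result as necessary, not sufficient: the QFE list only covers Windows component updates, so the Excel update (MS09-009), the Office converter packages in MS09-010 and the ISA/TMG update (MS09-016) will not appear there, and the per-product update packages carry their own KB numbers rather than the bulletin's. Retina's audits or WSUS reporting remain the authoritative check for those.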

Bulletin Summary

MS09-009
Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557)
http://www.microsoft.com/technet/security/bulletin/MS09-009.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes two vulnerabilities within Microsoft Excel. These vulnerabilities allow an attacker to craft an Excel spreadsheet that, when opened in a vulnerable version of Excel, could allow arbitrary code execution in the context of the logged-in user.
  • Memory Corruption Vulnerability - CVE-2009-0100
    A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed object.

  • Memory Corruption Vulnerability - CVE-2009-0238
    A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed object.
    NOTE: This vulnerability has been seen in the wild in zero-day exploit scenarios.

These vulnerabilities are commonly used by attackers, with minor social engineering (an e-mailed spreadsheet), to remotely compromise targeted networks or users.

Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems, especially those whose users often open unsolicited Excel spreadsheets (e.g. accounting and sales).



MS09-010
Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
http://www.microsoft.com/technet/security/bulletin/MS09-010.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes four vulnerabilities within WordPad and the Office text converters. These vulnerabilities allow an attacker to craft a document that, when opened by an unpatched user, would allow arbitrary code to be executed at that user's privilege level.
  • WordPad and Office Text Converter Memory Corruption Vulnerability - CVE-2009-0087
    A remote code execution vulnerability exists in the way that text converters in WordPad and Microsoft Office process memory when a user opens a specially crafted Word 6 file that includes malformed data.

  • WordPad Word 97 Text Converter Stack Overflow Vulnerability - CVE-2008-4841
    A remote code execution vulnerability exists in the way that Microsoft WordPad processes memory when parsing a specially crafted Word 97 document. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed list structure.
    NOTE: This vulnerability was publicly disclosed in Microsoft Security Advisory 960906 (December 2008) and has been seen in limited targeted attacks.

  • Word 2000 WordPerfect 6.x Converter Stack Corruption Vulnerability - CVE-2009-0088
    A remote code execution vulnerability exists in the way that the WordPerfect 6.x converter that is included with Microsoft Office Word 2000 processes memory when parsing a specially crafted WordPerfect document.

  • WordPad and Office Text Converter Memory Corruption Vulnerability - CVE-2009-0235
    A remote code execution vulnerability exists in WordPad as a result of memory corruption when a user opens a specially crafted Word file.

These vulnerabilities are commonly used by attackers as an entry point into networks or targeted user accounts.

Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems, especially those more likely to open Office documents (workstations rather than servers).



MS09-011
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)
http://www.microsoft.com/technet/security/bulletin/MS09-011.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes one vulnerability within DirectShow, part of Microsoft DirectX. It allows an attacker to craft a media file containing a malformed MJPEG stream that, when played on a vulnerable host, could allow arbitrary code execution in the context of the logged-in user.
  • MJPEG Decompression Vulnerability - CVE-2009-0084
    A remote code execution vulnerability exists in the way Microsoft DirectShow handles supported format files.

This vulnerability would commonly be used by attackers looking to break into a network by targeting a particular user, typically with limited social engineering (a link to, or an e-mailed copy of, the media file).

Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems, especially workstations whose users commonly view video content.



MS09-012
Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx

Microsoft Severity Rating: Important
eEye Severity Rating: Medium

Description
This patch fixes four vulnerabilities within Windows. These vulnerabilities allow an attacker to craft an application that, when executed on a host, could allow elevation of privilege. In all four cases the attacker must already be able to run code on the host, typically under a service account such as NetworkService or LocalService.
  • Windows MSDTC Service Isolation Vulnerability - CVE-2008-1436
    An elevation of privilege vulnerability exists in the Microsoft Distributed Transaction Coordinator (MSDTC) transaction facility in Microsoft Windows platforms. MSDTC leaves a NetworkService token that can be impersonated by any process that calls into it. The vulnerability allows a process that is not running under the NetworkService account, but that has the SeImpersonatePrivilege, to elevate its privilege to NetworkService and execute code with NetworkService privileges. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  • Windows WMI Service Isolation Vulnerability - CVE-2009-0078
    An elevation of privilege vulnerability exists due to the Windows Management Instrumentation (WMI) provider improperly isolating processes that run under the NetworkService or LocalService accounts. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system.

  • Windows RPCSS Service Isolation Vulnerability - CVE-2009-0079
    An elevation of privilege vulnerability exists due to the RPCSS service improperly isolating processes that run under the NetworkService or LocalService accounts. The vulnerability could allow an attacker to run code with elevated privileges.

  • Windows Thread Pool ACL Weakness Vulnerability - CVE-2009-0080
    An elevation of privilege vulnerability exists due to Windows placing incorrect access control lists (ACLs) on threads in the current ThreadPool. The vulnerability could allow an attacker to run code with elevated privileges.

These vulnerabilities could be used by malware, or by an attacker who has compromised a service account, to elevate privileges once running on a host.

Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems.



MS09-013
Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
http://www.microsoft.com/technet/security/bulletin/MS09-013.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: Medium

Description
This patch fixes three vulnerabilities within Windows HTTP Services (WinHTTP). They allow an attacker to set up a specially-crafted Web server that, when contacted by an application using the WinHTTP API, could allow (at worst) arbitrary code execution with the privileges of the calling application.
  • Windows HTTP Services Integer Underflow Vulnerability - CVE-2009-0086
    A remote code execution vulnerability exists in the way that Windows HTTP Services handle specific values that are returned by a remote Web server.

  • Windows HTTP Services Certificate Name Mismatch Vulnerability - CVE-2009-0089
    A spoofing vulnerability exists in Windows HTTP Services as a result of the incomplete validation of the distinguished name in a digital certificate. When combined with specific other attacks, such as DNS spoofing, this may allow an attacker to successfully spoof the digital certificate of a Web site for any application that uses Windows HTTP Services.

  • Windows HTTP Services Credential Reflection Vulnerability - CVE-2009-0550
    A remote code execution vulnerability exists in the way that Windows HTTP Services handles NTLM credentials when a user connects to an attacker's Web server. The vulnerability allows the attacker to reflect the user's NTLM credentials back to a service on the user's own machine and execute code in the context of the logged-on user.

Exploiting these vulnerabilities requires more attacker effort than the document-based flaws above: a malicious or compromised Web server that WinHTTP-based applications will contact, plus, for CVE-2009-0089, a separate attack such as DNS spoofing.
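A complete host-name check, as an added example (not WinHTTP code; the page does not say which part of the distinguished-name validation WinHTTP skipped, and this block does not guess): strict matching of the host name against subjectAltName dNSName entries, with the CN as fallback and wildcards limited to one left-most label, beside a hypothetical naive check that merely looks for the host name inside the DN string. The certificates are plain dicts built for the demonstration.

```python
"""Full host-name check for a server certificate, beside a naive one.

Added example prompted by the MS09-013 certificate name mismatch issue
(CVE-2009-0089). It is not WinHTTP code, and naive_dn_contains() is a
hypothetical incomplete check used only for contrast. Certificates are
represented as dicts built for the demo: 'subject_cn' (str or None) and
'san_dns' (list of dNSName strings).
"""


def _name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same label count, at least two fixed labels after the wildcard, and those
    # fixed labels identical: "*.bank.example" covers "login.bank.example" but
    # not "a.b.bank.example" or "bank.example", and "*.example" covers nothing.
    return (len(p_labels) == len(h_labels)
            and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def cert_matches_host(cert, hostname):
    """subjectAltName dNSName entries are authoritative; CN is a fallback only."""
    sans = cert.get("san_dns") or []
    if sans:
        return any(_name_matches(name, hostname) for name in sans)
    cn = cert.get("subject_cn")
    return bool(cn) and _name_matches(cn, hostname)


def naive_dn_contains(subject_dn, hostname):
    """Hypothetical incomplete check: is the host name a substring of the DN?"""
    return hostname.lower() in subject_dn.lower()


# Constructed certificates: the bank's own, and one a CA legitimately issued to
# an attacker-controlled name chosen so that the target name appears inside it.
BANK_CERT = {"subject_cn": "www.bank.example", "san_dns": ["www.bank.example"]}
ATTACKER_CERT = {"subject_cn": "www.bank.example.attacker.example", "san_dns": []}
ATTACKER_DN = "CN=www.bank.example.attacker.example, O=Attacker"

if __name__ == "__main__":
    print("strict accepts bank cert:", cert_matches_host(BANK_CERT, "www.bank.example"))
    print("strict accepts attacker cert:", cert_matches_host(ATTACKER_CERT, "www.bank.example"))
    print("naive accepts attacker DN:", naive_dn_contains(ATTACKER_DN, "www.bank.example"))
```

With DNS spoofing, as described above, the attacker's server answers for www.bank.example but can only present a certificate a CA issued for a name the attacker controls; the strict check rejects it, while the naive one accepts a DN such as CN=www.bank.example.attacker.example. Current Python versions perform the strict matching inside the ssl module; the point here is the rule set any client library must implement completely.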

Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems, especially systems that are using client applications with WinHTTP that allow a user to browse to arbitrary websites.



MS09-014
Cumulative Security Update for Internet Explorer (963027)
http://www.microsoft.com/technet/security/bulletin/MS09-014.mspx

Microsoft Severity Rating: Critical
eEye Severity Rating: High

Description
This patch fixes six vulnerabilities within Microsoft Internet Explorer. These vulnerabilities allow an attacker to form a specially-crafted website that, when viewed on a vulnerable host, could allow for the arbitrary execution of code under the context of the currently logged in user.
  • Blended Threat Remote Code Execution Vulnerability - CVE-2008-2540
    A blended threat remote code execution vulnerability exists in the way that Internet Explorer locates and opens files on the system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.

  • WinINet Credential Reflection Vulnerability - CVE-2009-0550
    A remote code execution vulnerability exists in the way that WinINet handles NTLM credentials when a user connects to an attacker's server by way of the HTTP protocol. The vulnerability allows the attacker to reflect the user's NTLM credentials back to a service on the user's own machine and execute code in the context of the logged-on user.

  • Page Transition Memory Corruption Vulnerability - CVE-2009-0551
    A remote code execution vulnerability exists in the way Internet Explorer handles transition when navigating between Web pages. As a result, system memory may be corrupted in such a way that an attacker could execute arbitrary code if a user visited a specially crafted Web site.

  • Uninitialized Memory Corruption Vulnerability - CVE-2009-0552
    A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.

  • Uninitialized Memory Corruption Vulnerability - CVE-2009-0553
    A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.

  • Uninitialized Memory Corruption Vulnerability - CVE-2009-0554
    A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.

These vulnerabilities are commonly used by attackers to execute arbitrary code on large numbers of vulnerable systems at once. It is also common for vulnerabilities of this nature to be added to exploit toolkits such as MPack for mass remote-compromise operations.
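The credential-reflection flaw shared by MS09-013 (WinHTTP) and MS09-014 (WinINet), CVE-2009-0550, as an added example that is not part of this newsletter or of Microsoft's code: a Python toy model of the exchange, with a simplified HMAC challenge/response standing in for NTLM and constructed host names, user and secret. It runs the same four-step relay once without and once with the response bound to the name of the service the client believes it is talking to.

```python
"""Toy model of NTLM credential reflection (CVE-2009-0550, fixed for WinHTTP in
MS09-013 and for WinINet in MS09-014) and of the target-binding defence.

Added example for this newsletter, not Microsoft's code. The challenge/response
is a deliberately simplified HMAC scheme standing in for NTLM; the host names
"attacker.example" and "victim-pc", the user and the secret are constructed.
"""
import hashlib
import hmac
import os


def make_response(secret, challenge, target=None):
    """Client MAC over the challenge and, when bound, the service name the
    client believes it is authenticating to."""
    message = challenge + (b"|" + target.encode() if target else b"")
    return hmac.new(secret, message, hashlib.sha256).digest()


class Service:
    """A server (here the victim's own file service) doing challenge/response."""

    def __init__(self, name, user_secrets, bind_target):
        self.name = name
        self.user_secrets = user_secrets
        self.bind_target = bind_target
        self._challenge = None

    def challenge(self):
        self._challenge = os.urandom(16)
        return self._challenge

    def verify(self, user, response):
        # A binding server MACs its *own* name; a mismatch with what the
        # client signed makes the relayed response worthless.
        expected = make_response(self.user_secrets[user], self._challenge,
                                 self.name if self.bind_target else None)
        return hmac.compare_digest(expected, response)


class Client:
    """The user's HTTP stack answering an authentication challenge."""

    def __init__(self, user, secret, bind_target):
        self.user, self.secret, self.bind_target = user, secret, bind_target

    def answer(self, challenge, target):
        return make_response(self.secret, challenge,
                             target if self.bind_target else None)


def reflection_attack(bind_target):
    """True if a rogue web server can log in to the victim's own file
    service with the victim's reflected credentials."""
    secrets = {"alice": b"constructed-secret-for-alice"}
    file_server = Service("cifs/victim-pc", secrets, bind_target)
    browser = Client("alice", secrets["alice"], bind_target)
    # 1. The browser is lured to http://attacker.example, which demands NTLM.
    # 2. The attacker opens a session to the victim's own file service and
    #    obtains its challenge.
    challenge = file_server.challenge()
    # 3. The attacker hands that challenge to the browser as if it were its own.
    response = browser.answer(challenge, "HTTP/attacker.example")
    # 4. The attacker forwards the browser's response to the file service.
    return file_server.verify("alice", response)


def legitimate_login(bind_target):
    """Sanity check: the real user still authenticates to the real service."""
    secrets = {"alice": b"constructed-secret-for-alice"}
    file_server = Service("cifs/victim-pc", secrets, bind_target)
    client = Client("alice", secrets["alice"], bind_target)
    return file_server.verify("alice",
                              client.answer(file_server.challenge(), "cifs/victim-pc"))


if __name__ == "__main__":
    print("reflection succeeds, unbound:", reflection_attack(False))  # True
    print("reflection succeeds, bound:  ", reflection_attack(True))   # False
```

Without binding, the response the browser computed for attacker.example is equally valid for the victim's own file service, which is the cross-protocol reflection both bulletins describe. With binding, the service expects "cifs/victim-pc" in the MAC input and rejects a response computed for "HTTP/attacker.example". The page does not say how Microsoft's updates close the hole; service binding of this kind is the general defence and is the principle behind Microsoft's later Extended Protection for Authentication.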

Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems, especially those that are commonly used for Internet browsing.



MS09-015
Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)
http://www.microsoft.com/technet/security/bulletin/MS09-015.mspx

Microsoft Severity Rating: Moderate
eEye Severity Rating: Low

Description
This patch fixes one vulnerability in the Windows SearchPath function. Exploiting it requires considerable user interaction and social engineering before an attacker can execute arbitrary code on the target system.
  • Blended Threat Elevation of Privilege Vulnerability - CVE-2008-2540
    A blended threat elevation of privilege vulnerability exists in the way the SearchPath function in Windows locates and opens files on the system. An attacker could exploit the vulnerability by convincing a user to download a specially crafted file to a specific location, and then open an application that could load the file under certain circumstances.

This vulnerability is not very likely to be seen within in-the-wild attacks.
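The search-order problem behind CVE-2008-2540, as an added example that is not part of the original newsletter or of Microsoft's code: a Python simulation of the documented SearchPath() order with a same-named file planted in the current directory (the download-to-a-known-location scenario described above), compared with a safe order that consults the system directories first. The directory names, the temporary root and the file name helper.dll are all hypothetical.

```python
"""Simulate the Win32 SearchPath() lookup order to show how a planted file wins.

Added example for this newsletter, not Microsoft code. It models the documented
default order (application directory, current directory, system directory,
Windows directory, then PATH) and a "safe" order that looks in the system
directories before the current directory. All directory names and the file
name helper.dll are hypothetical and are created under a temporary root.
"""
import os
import tempfile


def build_search_order(app_dir, cwd, system_dir, windows_dir, path_dirs, safe_mode=False):
    """Return the directories in the order SearchPath() would consult them."""
    if safe_mode:
        # Safe mode: the current directory is consulted only after the OS directories.
        return [app_dir, system_dir, windows_dir, cwd, *path_dirs]
    return [app_dir, cwd, system_dir, windows_dir, *path_dirs]


def search_path(filename, order):
    """First existing file along the order, or None (a failed SearchPath())."""
    for directory in order:
        candidate = os.path.join(directory, filename)
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Plant a same-named file in the current directory and compare both orders.

    Returns which copy each mode resolves to: 'planted' or 'legitimate'.
    """
    root = tempfile.mkdtemp(prefix="searchpath-")
    dirs = {n: os.path.join(root, n) for n in ("app", "desktop", "system32", "windows", "tools")}
    for d in dirs.values():
        os.mkdir(d)
    legitimate = os.path.join(dirs["system32"], "helper.dll")
    planted = os.path.join(dirs["desktop"], "helper.dll")  # e.g. an unprompted browser download
    for path in (legitimate, planted):
        with open(path, "w") as f:
            f.write("stub")
    # The application is run with the desktop as its current directory.
    args = (dirs["app"], dirs["desktop"], dirs["system32"], dirs["windows"], [dirs["tools"]])
    results = {}
    for mode, safe in (("default", False), ("safe", True)):
        found = search_path("helper.dll", build_search_order(*args, safe_mode=safe))
        results[mode] = "planted" if found == planted else "legitimate"
    return results


if __name__ == "__main__":
    print(demo())  # {'default': 'planted', 'safe': 'legitimate'}
```

Windows offers applications this opt-in through SetSearchPathMode with BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE. Note that the application directory is searched first in both orders, so the safe order does not help when an attacker can write into it, and that the planted file still has to be picked up by an application whose current directory is wherever the file landed, which is why the bulletin rates the issue Moderate.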

Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems.



MS09-016
Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759)
http://www.microsoft.com/technet/security/bulletin/MS09-016.mspx

Microsoft Severity Rating: Important
eEye Severity Rating: High

Description
This patch fixes two vulnerabilities within Microsoft ISA Server / Forefront TMG. The first allows an attacker to send a specially-crafted sequence of network packets that causes a denial of service against the Web listener; the second allows a specially-crafted link to run script in the browser of a user who authenticates through the device's forms-based authentication page.
  • Web Proxy TCP State Limited Denial of Service Vulnerability - CVE-2009-0077
    A denial of service vulnerability exists in the way the firewall engine handles TCP state for Web proxy or Web publishing listeners. The vulnerability could allow a remote user to cause a Web listener to stop responding to new requests.

  • Cross-Site Scripting Vulnerability - CVE-2009-0237
    A cross-site scripting (XSS) vulnerability exists in the HTML forms authentication component in ISA Server or Forefront TMG, cookieauth.dll, which could allow malicious script code to run on the machine of another user under the guise of the server running cookieauth.dll. This is a non-persistent cross-site scripting vulnerability that can lead to spoofing and information disclosure.

These vulnerabilities would likely be used by an attacker as reconnaissance or a launch-pad into other attacks.

Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems.




The eEye Advantage

Retina® Network Security Scanner
eEye Digital Security's Retina® customers can update their scanner to detect systems vulnerable to these latest issues and verify this month's Microsoft patches are installed. Updated Retina audits are automatically available to eEye Retina customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/html/mspatch/april2009.html#audits

Blink® Unified Client Security
eEye's line of Blink® with Anti-Virus software protects against exploitation of these flaws without invasive firewalling, which could limit system functionality and business connectivity: Blink does not require disabling services or applications as a means of protection. The result is protection for the system and the sensitive data that resides on it with no downtime or impact to critical system operations.

Current Blink customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required. Both Blink Professional and Blink Personal now include multiple integrated anti-virus engines. Blink Personal is available for free for one year for personal use and can be downloaded at: http://www.eeye.com/blinkpersonal/. Business users can download a trial version of Blink Professional at
http://www.eeye.com/blink/

Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/html/events/online_seminars/vef.html.

