Microsoft Patch Tuesday - August 2009

Updated: 11 Aug 2009

Symantec Employee

+1 1 Vote

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly heavy month—the vendor is releasing nine bulletins covering a total of 19 vulnerabilities.

Fifteen of the issues are rated “Critical” and affect Active Template Library (ATL), Office Web Components, Remote Desktop Connection, WINS, and Windows AVI file handling. The ATL issues are a continuation of the vulnerabilities addressed in the out-of-band bulletins Microsoft released last month. The two WINS issues, primarily affecting Enterprise customers, can be exploited to gain a SYSTEM-level compromise of a vulnerable computer from the local LAN.

The remaining issues, rated “Important”, affect Microsoft Telnet, ASP.NET, Windows Message Queuing Service (MSMQ), and Workstation Service.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the August releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx

The following is a breakdown of the “Critical” issues being addressed this month:

1. MS09-037 Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution. (973908)

CVE-2008-0015 (BID 35558) Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.5/10)

A remote code-execution vulnerability affects the Microsoft Active Template Library (ATL) in the ‘CComVariant::ReadFromStream’ function. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page that instantiates an ActiveX control affected by this issue. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the application running the control (typically Internet Explorer).

Affects: Microsoft Windows 2000 SP4, Windows XP Media Center Edition 2005, Windows XP SP2 and SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista, Vista SP1, and Vista SP2, Windows Vista x64 Edition, Vista x64 Edition SP1, and Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 for Itanium-based Systems, and Windows Server 2008 for Itanium-based Systems SP2

CVE-2008-0020 (BID 35585) Microsoft Active Template Library 'IPersistStreamInit' Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects the Microsoft Active Template Library (ATL) in the ‘Load’ method of the ‘IPersistStreamInit’ interface. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page that instantiates an ActiveX control affected by this issue. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the application running the control (typically Internet Explorer).

CVE-2009-0901 (BID 35832) Microsoft Visual Studio ATL 'VariantClear()' Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects the Microsoft Active Template Library (ATL) in the ‘VariantClear’ function. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page that instantiates an ActiveX control affected by this issue. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the application running the control (typically Internet Explorer).

CVE-2009-2493 (BID 35828) Microsoft Visual Studio Active Template Library COM Object Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects the Microsoft Active Template Library (ATL) due to unsafe usage of ‘OleLoadFromStream’. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page that instantiates an ActiveX control affected by this issue. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the application running the control (typically Internet Explorer).

CVE-2009-2494 (BID 35982) Microsoft Active Template Library Object Type Mismatch Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects the Microsoft Active Template Library (ATL) due to errors in variant handling. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page that instantiates an ActiveX control affected by this issue. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the application running the control (typically Internet Explorer).

2. MS09-043 Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)

CVE-2009-0562 (BID 35990) Microsoft Office Web Components ActiveX Control Memory Allocation Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects Office Web Components ActiveX control due to a failure to properly allocate memory. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious Web page. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the application running the control (typically Internet Explorer).

Affects: Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components for the 2007 Office system SP1, Internet Security and Acceleration Server 2004 Standard Edition SP3, Internet Security and Acceleration Server 2004 Enterprise Edition SP3, Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Internet Security and Acceleration Server 2006 SP1, and Office Small Business Accounting 2006

CVE-2009-2496 (BID 35991) Microsoft Office Web Components ActiveX Control Heap Corruption Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects Office Web Components ActiveX control due to improper parameter validation resulting in heap corruption. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious Web page. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the application running the control (typically Internet Explorer).

CVE-2009-1136 (BID 35642) Microsoft Office Web Components ActiveX Control 'msDataSourceObject' Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.5/10)

A remote code-execution vulnerability affects Office Web Components ActiveX control because it does not properly handle parameter values. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious Web page. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the application running the control (typically Internet Explorer).

CVE-2009-1534 (BID 35992) Microsoft Office Web Components ActiveX Control Buffer Overflow Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects Office Web Components ActiveX control due to a buffer overflow. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious Web page. A successful attack will result in the execution of arbitrary attacker-supplied code in the context of the application running the control (typically Internet Explorer).

Affects: Microsoft Office 2000 SP3, Office XP SP3, Office 2000 Web Components SP3, Office XP Web Components SP3, BizTalk Server 2002, and Visual Studio .NET 2003 SP1

3. MS09-039 Vulnerabilities in WINS Could Allow Remote Code Execution (969883)

CVE-2009-1923 (BID 35980) Microsoft Windows WINS Server Network Packet Remote Heap Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.2/10)

A remote code-execution vulnerability affects the Windows Internet Name System (WINS) due to a buffer overflow when handling specially crafted WINS network packets. A remote attacker can exploit this issue by sending a malformed packet to a vulnerable server. A successful exploit will result in the execution of attacker-supplied code in the context of SYSTEM. This could facilitate a complete system compromise.

Affects: Microsoft Windows 2000 SP4, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, and Windows Server 2003 with SP2 for Itanium-based Systems

CVE-2009-1924 (BID 35981) Microsoft Windows WINS Server Network Buffer Length Integer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.2/10)

A remote code-execution vulnerability affects the Windows Internet Name System (WINS) due to an integer overflow when validating specially crafted WINS network packets. A remote attacker can exploit this issue by sending a malformed packet to a vulnerable server. A successful exploit will result in the execution of attacker-supplied code in the context of SYSTEM. This could facilitate a complete system compromise.

Affects: Microsoft Windows 2000 SP4

4. MS09-038 Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)

CVE-2009-1545 (BID 35967) Microsoft Windows Malformed AVI File Header Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects Microsoft Windows because of how it handles AVI files with malformed headers. An attacker can exploit this issue by sending a specially crafted AVI file to a victim. When the file is processed, attacker-supplied code will run in the context of the currently logged-in user.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista, Vista SP1, and Vista SP2, Windows Vista x64 Edition, Vista x64 Edition SP1, amd Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 for Itanium-based Systems, and Windows Server 2008 for Itanium-based Systems SP2

CVE-2009-1546 (BID 35970) Microsoft Windows Malformed AVI File Parsing Remote Integer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects Microsoft Windows because it does not properly validate data when handling AVI files. An attacker can exploit this issue by sending a specially crafted AVI file to a victim. When the file is processed, attacker-supplied code will run in the context of the currently logged-in user.

5. MS09-044 Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)

CVE-2009-1133 (BID 35971) Microsoft Remote Desktop Connection Client Heap Based Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects Microsoft Remote Desktop Connection when handling specific parameters returned by the RDP server. An attacker must trick an unsuspecting victim into connecting to a malicious RDP server or perform a man-in-the-middle attack to exploit this issue. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista, Vista SP1, Vista SP2, Windows Vista x64 Edition, and Vista x64 Edition SP1, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 for Itanium-based Systems, and RDP 5.1, 5.2, 6.0 and 6.1

CVE-2009-1929 (BID 35973) Microsoft Remote Desktop Connection ActiveX Control Heap Based Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code-execution vulnerability affects the Microsoft Remote Desktop Connection ActiveX control because it does not perform adequate validation of user-supplied input. An attacker must trick an unsuspecting victim into viewing a web page containing malicious content to exploit this issue. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows XP SP2 and SP3, Windows XP Professional x64 SP2, Windows Vista SP1, Vista SP2, Windows Vista x64 Edition SP1, and Vista x64 Edition SP2, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 for Itanium-based Systems, Windows Server 2008 for Itanium-based Systems SP2, and RDP 6.0 and 6.1

More information on these and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

blog entry Filed Under:

Security, Security Response, Endpoint Protection (AntiVirus), Vulnerabilities & Exploits

Microsoft Patch Tuesday - August 2009

Links

About Security Response Blog

Filter by:

Recent Blog Posts

Recently on Twitter

Blog Tags

Technical Support

Symantec.com

Store

Community Stats