Security Response

Microsoft Patch Tuesday - October 2009

Created: 13 Oct 2009 19:09:22 GMT • Updated: 23 Jan 2014 18:32:15 GMT
Robert Keith

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a very heavy month—the vendor is releasing 13 bulletins covering a total of 34 vulnerabilities.

Twenty-one of the issues are rated “Critical” and affect GDI+, Active Template Library (ATL), Media Player, .NET, Silverlight, Internet Explorer, Server Message Block (SMB), and Media Runtime. Most of those are client-side vulnerabilities that require a victim to open a malicious file or visit a malicious page. The SMB issue is a fairly serious server-side vulnerability that was reported early last month.

The remaining issues, rated “Important” and “Moderate,” affect GDI+, Windows Indexing Service, Windows kernel, CryptoAPI, Internet Information Services (IIS), LSASS, and SMB.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the October releases can be found here:
http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx

The following is a breakdown of the “Critical” issues being addressed this month:

1. MS09-050 Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)

CVE-2009-2532 (BID 36594) Microsoft Windows SMB2 Command Line Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.2/10)

A remote code execution vulnerability affects Microsoft Server Message Block (SMB) protocol software when handling SMB Multi-Protocol Negotiate Request packets. An attacker can exploit this issue by sending a malicious packet to an affected service. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the affected service. This may facilitate a complete compromise of an affected computer.

CVE-2009-3103 (BID 36299) Microsoft Windows SMB2 '_Smb2ValidateProviderCallback()' Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 9.6/10)

A previously public (Sep 7, 2009) remote code execution vulnerability affects Microsoft Server Message Block (SMB) protocol software in the ‘_Smb2ValidateProviderCallback()’ function of the ‘srv2.sys’ driver. A remote attacker can exploit this issue by sending a specially crafted SMB packet to an affected service. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the affected service. This may facilitate a complete compromise of an affected computer.

2. MS09-051 Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682)

CVE-2009-0555 (BID 36602) Microsoft Windows Media Runtime Compression ASF File Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Windows Media Runtime when processing specially crafted Advanced Systems Format (ASF) files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2009-2525 (BID 36614) Microsoft Windows Media Runtime Speech Codec Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Windows Media Runtime when handling certain functions in compressed audio files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

3. MS09-052 Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112)

CVE-2009-2527 (BID 36644) Microsoft Windows Media Player ASF File Processing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Windows Media Player when processing ASF files. An attacker can exploit this issue by tricking a victim into opening a specially crafted file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

4. MS09-054 Cumulative Security Update for Internet Explorer (974455)

CVE-2009-1547 (BID 36622) Microsoft Internet Explorer Data Stream Header Corruption Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Internet Explorer when it processes specific data stream headers. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2009-2529 (BID 36621) Microsoft Internet Explorer HTML Component Handling Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Internet Explorer because it fails to properly validate certain arguments of a variable. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2009-2530 (BID 36620) Microsoft Internet Explorer Uninitialized Memory Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Internet Explorer when it accesses an object that has not been properly initialized, or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2009-2531 (BID 36616) Microsoft Internet Explorer Memory Corruption Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Internet Explorer when it accesses an object that has not been properly initialized, or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

5. MS09-055 Cumulative Security Update of ActiveX Kill Bits (973525)

CVE-2009-2493 (BID 35828) Microsoft Visual Studio Active Template Library COM Object Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects multiple Microsoft ActiveX controls. This issue is due to a vulnerability in the Microsoft ATL libraries when instantiating objects from a data stream. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web site containing malicious data. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

6. MS09-060 Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)

CVE-2009-0901 (BID 35832) Microsoft Visual Studio ATL 'VariantClear()' Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects the Microsoft Active Template Library (ATL) due to an issue in the ATL headers that may allow an attacker to call the ‘VariantClear()’ function on uninitialized variants. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2009-2493 (BID 35828) Microsoft Visual Studio Active Template Library COM Object Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects the Microsoft Active Template Library (ATL) because of errors in the ATL headers that instantiate objects from data streams. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

7. MS09-061 Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)

CVE-2009-0090 (BID 36611) Microsoft .NET Framework Pointer Verification Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Microsoft .NET Framework because of how Code Access Security (CAS) verifies .NET code. An attacker can exploit this issue by tricking a victim into viewing a malicious web page, by tricking a victim into running a malicious .NET application, or through a web hosting environment to break out of the CAS sandbox.

CVE-2009-0091 (BID 36617) Microsoft .NET Framework Type Verification Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Microsoft .NET Framework because of how Code Access Security (CAS) verifies .NET code. An attacker can exploit this issue by tricking a victim into viewing a malicious web page, by tricking a victim into running a malicious .NET application, or through a web hosting environment to break out of the CAS sandbox.

CVE-2009-2497 (BID 36618) Microsoft Silverlight and .NET Framework CLR Interface Handling Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Microsoft .NET Framework and Silverlight because of how Common Language Runtime (CLR) handles interfaces. An attacker can exploit this issue by tricking a victim into viewing a malicious web page, by tricking a victim into running a malicious .NET application, or through a web hosting environment to break out of the CAS sandbox.

8. MS09-062 Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)

CVE-2009-2500 (BID 36619) Microsoft GDI+ WMF File Processing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects GDI+ because of the way it allocates a buffer size when handling a malicious WMF image file. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content, or by opening a malicious file. A successful attack will result in the execution of arbitrary attacker-supplied code with the privileges of the currently logged-in user.

CVE-2009-2501 (BID 36645) Microsoft GDI+ PNG File Processing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects GDI+ because of how it allocates memory when handling PNG image files. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content, or by opening a malicious file. A successful attack will result in the execution of arbitrary attacker-supplied code with the privileges of the currently logged-in user.

CVE-2009-2502 (BID 36646) Microsoft GDI+ TIFF File Processing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects GDI+ because of how it allocates memory when handling TIFF image files. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content, or by opening a malicious file. A successful attack will result in the execution of arbitrary attacker-supplied code with the privileges of the currently logged-in user.

CVE-2009-2503 (BID 36647) Microsoft GDI+ TIFF File Processing Memory Corruption Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects GDI+ because of how it allocates memory when handling a TIFF image file. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content, or by opening a malicious file. A successful attack will result in the execution of arbitrary attacker-supplied code with the privileges of the currently logged-in user.

CVE-2009-2504 (BID 36648) Microsoft GDI+ .NET Framework Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects GDI+ .NET due to an integer overflow in certain APIs. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful attack will result in the execution of arbitrary attacker-supplied code with the privileges of the currently logged-in user.

CVE-2009-3126 (BID 36649) Microsoft GDI+ PNG File Integer Overflow Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects GDI+ because of how it allocates memory when handling PNG image files. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content, or by opening a malicious file. A successful attack will result in the execution of arbitrary attacker-supplied code with the privileges of the currently logged-in user.
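The GDI+ entries above all describe one bug class: a decoder derives a buffer size from dimensions it read out of the image file, and an integer overflow in that arithmetic leaves the allocation smaller than the pixel data later written into it. The C program below is an added illustration of that class and is not GDI+ or any Microsoft code; it parses a PNG IHDR header (the two sample headers are constructed, and the 256 MiB ceiling is an assumed policy value) and contrasts a 32-bit size computation that wraps with a checked computation that rejects the header instead.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fields of a PNG IHDR chunk payload (13 bytes, big-endian integers). */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint8_t  bit_depth;   /* 1, 2, 4, 8 or 16 */
    uint8_t  color_type;  /* 0, 2, 3, 4 or 6 */
} ihdr_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Samples per pixel for each PNG color type; 0 marks an invalid type. */
static unsigned channels_for(uint8_t color_type) {
    switch (color_type) {
        case 0: return 1;   /* greyscale */
        case 2: return 3;   /* RGB */
        case 3: return 1;   /* palette index */
        case 4: return 2;   /* greyscale + alpha */
        case 6: return 4;   /* RGBA */
        default: return 0;
    }
}

/* Parse an IHDR payload. Returns 1 on success, 0 if it is short or malformed. */
int parse_ihdr(const uint8_t *payload, size_t len, ihdr_t *out) {
    if (len < 13) return 0;
    out->width      = be32(payload);
    out->height     = be32(payload + 4);
    out->bit_depth  = payload[8];
    out->color_type = payload[9];
    if (channels_for(out->color_type) == 0) return 0;
    switch (out->bit_depth) { case 1: case 2: case 4: case 8: case 16: break; default: return 0; }
    /* The PNG spec requires non-zero dimensions below 2^31. */
    if (out->width == 0 || out->height == 0) return 0;
    if (out->width > 0x7FFFFFFFu || out->height > 0x7FFFFFFFu) return 0;
    return 1;
}

/* Flawed pattern: 32-bit arithmetic throughout, so the product silently wraps and a
 * decoder that trusts it allocates far less than the pixel data needs.
 * Returns 0 for an unparsable header. */
uint32_t naive_size_of(const uint8_t *payload, size_t len) {
    ihdr_t h;
    if (!parse_ihdr(payload, len, &h)) return 0;
    uint32_t bits_per_pixel = channels_for(h.color_type) * h.bit_depth;
    uint32_t row_bytes = (h.width * bits_per_pixel + 7) / 8 + 1;   /* +1 filter byte per row */
    return row_bytes * h.height;                                  /* wraps modulo 2^32 */
}

/* Hardened version: 64-bit intermediates, an explicit ceiling, and a division-based
 * check so the final multiplication can never overflow. Returns the byte count, or 0
 * when the header is malformed or the image would exceed max_bytes. */
uint64_t checked_size_of(const uint8_t *payload, size_t len, uint64_t max_bytes) {
    ihdr_t h;
    if (!parse_ihdr(payload, len, &h)) return 0;
    uint64_t bits_per_pixel = (uint64_t)channels_for(h.color_type) * h.bit_depth; /* <= 64 */
    uint64_t row_bytes = ((uint64_t)h.width * bits_per_pixel + 7) / 8 + 1;      /* < 2^35 */
    /* row_bytes * height <= max_bytes  <=>  row_bytes <= max_bytes / height (height > 0) */
    if (row_bytes > max_bytes / h.height) return 0;
    return row_bytes * h.height;
}

/* Constructed sample headers (not taken from any real file). */
/* 65536 x 65536, 8-bit RGBA: needs about 16 GiB, but the naive product wraps to 65536. */
const uint8_t HUGE_IHDR[13]  = {0x00,0x01,0x00,0x00, 0x00,0x01,0x00,0x00, 0x08,0x06,0x00,0x00,0x00};
/* 16 x 16, 8-bit RGBA: 16 rows of (16*4 + 1) bytes = 1040 bytes. */
const uint8_t SMALL_IHDR[13] = {0x00,0x00,0x00,0x10, 0x00,0x00,0x00,0x10, 0x08,0x06,0x00,0x00,0x00};

int main(void) {
    const uint64_t ceiling = 256ull << 20;   /* assumed policy limit: 256 MiB per image */
    printf("huge image:  naive=%u bytes, checked=%llu (0 = rejected)\n",
           naive_size_of(HUGE_IHDR, sizeof HUGE_IHDR),
           (unsigned long long)checked_size_of(HUGE_IHDR, sizeof HUGE_IHDR, ceiling));
    printf("small image: naive=%u bytes, checked=%llu\n",
           naive_size_of(SMALL_IHDR, sizeof SMALL_IHDR),
           (unsigned long long)checked_size_of(SMALL_IHDR, sizeof SMALL_IHDR, ceiling));
    return 0;
}
```

The division check is the important line: because the parser has already bounded height to a non-zero value below 2^31 and row_bytes cannot exceed 2^35, neither the division nor the final product can overflow a 64-bit value, so the comparison against the ceiling is exact. A decoder built this way fails closed on a header it cannot size rather than allocating a buffer that the subsequent row writes will overrun.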

More information on these and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.