Microsoft Patch Tuesday - September 2009 

Sep 08, 2009 02:50 PM

Hello and welcome to this month’s blog on the Microsoft patch releases. This is a fairly light month—the vendor is releasing five bulletins covering a total of eight vulnerabilities.

Six of the issues are rated “Critical” and affect DHTML Editing ActiveX control, Windows TCP/IP, Windows Wireless, Windows Media, and JScript. The DHTML, Media, and JScript issues are all familiar client-side vulnerabilities that can allow arbitrary code to run in the context of the currently logged-in user. The TCP/IP issue is a remote code-execution vulnerability that attackers can leverage to gain complete control of a vulnerable computer. The remaining issues, rated “Important,” are denial-of-service vulnerabilities affecting Windows TCP/IP.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.
- Run all software with the least privileges required while still maintaining functionality.
- Avoid handling files from unknown or questionable sources.
- Never visit sites of unknown or questionable integrity.
- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the September releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx

The following is a breakdown of the “Critical” issues being addressed this month:

1. MS09-046 Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)

CVE-2009-2519 (BID 36280) Microsoft DHTML Editing Component ActiveX Control Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects the DHTML Editing Component ActiveX control. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a webpage containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the application running the control (typically Internet Explorer).

Affects: Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2, Windows Server 2003 x64 Edition SP2, and Windows Server 2003 with SP2 for Itanium-based Systems

2. MS09-045 Vulnerability in JScript Scripting Engines Could Allow Remote Code Execution (971961)

CVE-2009-1920 (BID 36224) Microsoft JScript Scripting Engine Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects the JScript scripting engine because of how it decodes script in web pages. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: JScript 5.1, 5.6, 5.7, and 5.8

3. MS09-047 Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)

CVE-2009-2498 (BID 36225) Microsoft Windows Media Format ASF Header Invalid Free Memory Corruption Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Microsoft Windows when handling ASF format files containing a malformed header. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows Media Format Runtime 9.0, 9.5, 9.5 x64 Edition, and 11, and Windows Media Services 9.1 and 2008

CVE-2009-2499 (BID 36228) Microsoft Windows Media Format MP3 Metadata Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.1/10)

A remote code execution vulnerability affects Microsoft Windows when handling MP3 media files containing specially crafted metadata. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows Media Format Runtime 9.0, 9.5, 9.5 x64 Edition, and 11

4. MS09-048 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

CVE-2009-1925 (BID 36265) Microsoft Windows TCP/IP TimeStamps Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 7.6/10)

A remote code-execution vulnerability affects the Windows TCP/IP stack because it fails to properly clean up state information. An attacker can exploit this issue by sending specially crafted TCP/IP packets to the vulnerable computer. A successful attack will result in the execution of arbitrary attacker-supplied code, aiding in a complete compromise of the affected system.

Affects: Windows Vista, Vista SP1, and Vista SP2, Windows Vista x64 Edition, x64 Edition SP1, and x64 Edition SP2, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems, Windows Server 2008 for x64-based Systems SP2, Windows Server 2008 for Itanium-based Systems, and Windows Server 2008 for Itanium-based Systems SP2

5. MS09-049 Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)

CVE-2009-1132 (BID 36223) Microsoft Windows Wireless LAN AutoConfig Frame Parsing Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Urgency Rating 8.2/10)

A remote code execution vulnerability affects the Wireless LAN AutoConfig service (wlansvc) when handling specific frames over the wireless network. An attacker in wireless proximity to a vulnerable computer can exploit this issue by sending specifically malformed wireless packets. A successful exploit will result in the execution of arbitrary attacker-supplied code, facilitating a complete compromise of the affected computer.

Affects: Windows Vista, Vista SP1, and Vista SP2, Windows Vista x64 Edition, x64 Edition SP1, and x64 Edition SP2, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for 32-bit Systems SP2, Windows Server 2008 for x64-based Systems, and Windows Server 2008 for x64-based Systems SP2

More information on these and the other vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.
