Microsoft Windows Print Spooler 'EnumeratePrintShares()' Remote Stack Buffer Overflow Vulnerability



Date Discovered

June 9, 2009


Description

Microsoft Windows is prone to a remote stack-based buffer-overflow vulnerability that affects the Windows Print Spooler. Exploiting this vulnerability allows attackers to execute arbitrary code with system-level privileges. Failed exploit attempts will likely cause denial-of-service conditions.

Technologies Affected

  • Avaya Messaging Application Server
  • Avaya Messaging Application Server MM 1.1
  • Avaya Messaging Application Server MM 2.0
  • Avaya Messaging Application Server MM 3.0
  • Avaya Messaging Application Server MM 3.1
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server SP4
  • Nortel Networks Communications Control Toolkit
  • Nortel Networks Contact Center - TAPI Server
  • Nortel Networks Contact Center Administration CCMA 6.0
  • Nortel Networks Contact Center Manager Server
  • Nortel Networks Contact Center Multimedia
  • Nortel Networks LinkPlexer 6.0
  • Nortel Networks Media Processing Server
  • Nortel Networks Media Processing Svr 100
  • Nortel Networks Media Processing Svr 1000 Rel 3.0
  • Nortel Networks Media Processing Svr 500 Rel 3.0
  • Nortel Networks Peri Application
  • Nortel Networks Peri Workstation
  • Nortel Networks Self Service VoiceXML
  • Nortel Networks Self-Service - CCSS7
  • Nortel Networks Self-Service - Peri Application Rel 3.0
  • Nortel Networks Self-Service CCXML
  • Nortel Networks Self-Service Media Processing Server
  • Nortel Networks Self-Service Peri Application
  • Nortel Networks Self-Service Peri Workstation
  • Nortel Networks Self-Service Speech Server
  • Nortel Networks Self-Service WVADS
  • Nortel Networks Symposium Express Call Center (SECC)
  • Nortel Networks Symposium Network Control Center (NCC)
  • Nortel Networks Symposium TAPI Service Provider


Recommendations

Block external access at the network boundary, unless external parties require service.
Use network access controls to regulate external access to computers at the network perimeter. Permit access to services for trusted or internal computers and networks only.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy a NIDS sensor between the affected service and the network perimeter. Audit the logs regularly for evidence of possible attacks.

Implement multiple redundant layers of security.
Various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.

Microsoft has released fixes and an advisory. Please see the references for details.



Credits

Jun Mao of VeriSign iDefense Labs

© 1995- Symantec Corporation
