Multiple vulnerabilities in Microsoft Windows

Published: 2009-10-13 | Updated: 2016-12-19

Risk	Critical
Patch available	YES
Number of vulnerabilities	8
CVE-ID	CVE-2009-2518 CVE-2009-2528 CVE-2009-2504 CVE-2009-2503 CVE-2009-2502 CVE-2009-2501 CVE-2009-2500 CVE-2009-3126
CWE-ID	CWE-119 CWE-122 CWE-190
Exploitation vector	Network
Public exploit	Vulnerability #6 is being exploited in the wild. Vulnerability #8 is being exploited in the wild.
Vulnerable software Subscribe	Microsoft Office Client/Desktop applications / Office applications Microsoft Report Viewer Client/Desktop applications / Office applications Microsoft Works Client/Desktop applications / Office applications Microsoft Project Client/Desktop applications / Office applications Microsoft Visio Client/Desktop applications / Office applications Word Viewer Client/Desktop applications / Office applications Excel Viewer Client/Desktop applications / Office applications Microsoft Forefront Client Security Client/Desktop applications / Antivirus software/Personal firewalls Microsoft SQL Server Server applications / Database software Windows Server Operating systems & Components / Operating system Windows Operating systems & Components / Operating system Microsoft .NET Framework Server applications / Frameworks for developing and running applications Microsoft Internet Explorer Client/Desktop applications / Web browsers
Vendor	Microsoft

Security Bulletin

This security bulletin contains information about 8 vulnerabilities.

1) Integer Overflow or Wraparound

EUVDB-ID: #VU1390

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2009-2518

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow in GDI+ when handling malformed Office Documents. A remote attacker can create a Microsoft Office document containing a specially crafted BMP image, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Install update from vendor's website:

Microsoft Office XP Service Pack 3:
https://www.microsoft.com/downloads/details.aspx?familyid=b4ac7fbe-dd19-4940-a576-89a6b7ed602d

Vulnerable software versions

Microsoft Office: XP

External links

http://technet.microsoft.com/en-us/library/security/ms09-062.aspx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory corruption

EUVDB-ID: #VU1389

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2009-2528

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow in GDI+ when parsing Office Art Property Tables. A remote attacker can create a specially crafted Microsoft Office file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Install update from vendor's website:

Microsoft Office XP Service Pack 3:
https://www.microsoft.com/downloads/details.aspx?familyid=b4ac7fbe-dd19-4940-a576-89a6b7ed602d

Vulnerable software versions

Microsoft Office: XP

External links

http://technet.microsoft.com/en-us/library/security/ms09-062.aspx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory corruption

EUVDB-ID: #VU1387

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2009-2504

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow in APIs accessible from .NET Framework applications. A remote attacker can create a specially crafted ASP.NET or .NET Framework application, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Vulnerable software versions

Microsoft Forefront Client Security: 1.0

Microsoft Report Viewer: 2005 - 2008

Microsoft SQL Server: 2000 8.0.194 - 2005 9.0.1399

Microsoft Works: 8.5

Microsoft Office: 2003 - XP

Windows Server: 2003 - 2008

Windows: Vista - XP

Microsoft .NET Framework: 1.1 - 2.0

Microsoft Project: 2002

Microsoft Visio: 2002

Word Viewer: 2003

Excel Viewer: 2003

External links

http://technet.microsoft.com/en-us/library/security/ms09-062.aspx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Memory corruption

EUVDB-ID: #VU1386

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2009-2503

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to boundary error in GDI+ when handling TIFF image file. A remote attacker can create a specially crafted TIFF image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Vulnerable software versions

Microsoft Internet Explorer: 6

Windows: XP

Windows Server: 2003

Microsoft Office: 2003 - XP

Microsoft Project: 2002

Microsoft Visio: 2002

Word Viewer: 2003

Excel Viewer: 2003

Microsoft SQL Server: 2000 8.0.194 - 2005 9.0.1399

Microsoft Forefront Client Security: 1.0

Microsoft Report Viewer: 2005 - 2008

External links

http://technet.microsoft.com/en-us/library/security/ms09-062.aspx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Buffer overflow

EUVDB-ID: #VU1385

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2009-2502

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to buffer overflow in GDI+ when handling TIFF image file. A remote attacker can create a specially crafted TIFF image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Vulnerable software versions

Word Viewer: 2003 - 2007

Windows: 2000 - XP

Microsoft Office: 2003 - XP

Microsoft Works: 8.5

Microsoft SQL Server: 2000 8.0.194 - 2005 9.0.1399

Microsoft Forefront Client Security: 1.0

Microsoft Report Viewer: 2005 - 2008

Excel Viewer: 2003

Microsoft Project: 2002

Microsoft Visio: 2002

External links

http://technet.microsoft.com/en-us/library/security/ms09-062.aspx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Heap-based buffer overflow

EUVDB-ID: #VU1384

Risk: Critical

CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2009-2501

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to heap-based buffer overflow in GDI+ when handling PNG image file. A remote attacker can create a specially crafted PNG image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: the vulnerability was being actively exploited.

Mitigation

Vulnerable software versions

Word Viewer: 2003

Microsoft Internet Explorer: 6

Windows: XP

Microsoft Office: 2003 - XP

Microsoft Works: 8.5

Microsoft SQL Server: 2000 8.0.194 - 2005 9.0.1399

Microsoft Forefront Client Security: 1.0

Microsoft Report Viewer: 2005 - 2008

Microsoft Visio: 2002

Microsoft Project: 2002

Excel Viewer: 2003

External links

http://technet.microsoft.com/en-us/library/security/ms09-062.aspx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

7) Integer Overflow or Wraparound

EUVDB-ID: #VU1383

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2009-2500

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow when handling WMF image file. A remote attacker can create a specially crafted WMF image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Mitigation

Vulnerable software versions

Word Viewer: 2003

Microsoft Internet Explorer: 6

Windows: XP

Microsoft Office: 2007 - XP

Microsoft Project: 2002

Microsoft Works: 8.5

Microsoft SQL Server: 2005 9.0.1399

Microsoft Forefront Client Security: 1.0

Microsoft Report Viewer: 2005 - 2008

Microsoft Visio: 2002

Excel Viewer: 2003

External links

http://technet.microsoft.com/en-us/library/security/ms09-062.aspx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Integer Overflow or Wraparound

EUVDB-ID: #VU1388

Risk: Critical

CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2009-3126

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow in GDI+ when handling PNG image file. A remote attacker can create a specially crafted PNG image file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.

Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.

Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.

Mitigation

Vulnerable software versions

Word Viewer: 2003 - 2007

Windows: 2000 - XP

Microsoft Office: 2003 - XP

Microsoft Works: 8.5

Microsoft SQL Server: 2000 8.0.194 - 2005 9.0.1399

Microsoft Forefront Client Security: 1.0

Microsoft Report Viewer: 2005 - 2008

Excel Viewer: 2003

Microsoft Project: 2002

Microsoft Visio: 2002

External links

http://technet.microsoft.com/en-us/library/security/ms09-062.aspx
http://fe-ddis.dk/cfcs/CFCSDocuments/Zeroday.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.