Alert - eEye Security Bulletin
Microsoft Patch Disclosure - June 9, 2009
Overview
This month Microsoft released 10 bulletins which repair a total of 31 vulnerabilities. Five of these vulnerabilities have been publicly described in some form, and in-the-wild exploitation has been witnessed for at least two of them.

Both eEye's Blink® Professional and Blink® Personal client security software with anti-virus generically protect against the client-side memory-corruption vulnerabilities addressed this month.

Patch Precedence
Out of the ten patches this month, five are client-side specific, two are privilege escalations, and three are for network-accessible services. The cumulative Internet Explorer patch is the only patch rated critical for an operating system other than Windows 2000 and should be installed immediately.

As always, eEye suggests that users roll out Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please check tomorrow's Vulnerability Expert Forum.

For more information on patch precedence, see the eEye Versa Newsletter article Patch Tuesday Prioritization for a Large Enterprise.
Bulletin Summary
Critical
MS09-018 - Vulnerabilities in Active Directory Could Allow Remote Code Execution
MS09-019 - Cumulative Security Update for Internet Explorer
MS09-021 - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution
MS09-022 - Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution
MS09-024 - Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution
MS09-027 - Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution

Important
MS09-020 - Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege
MS09-025 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
MS09-026 - Vulnerability in RPC Could Allow Elevation of Privilege

Moderate
MS09-023 - Vulnerability in Windows Search Could Allow Information Disclosure
Bulletin Details
Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
http://www.microsoft.com/technet/security/Bulletin/MS09-018.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: High
Description
This patch fixes two vulnerabilities within Microsoft Active Directory and Active Directory Application Mode (ADAM). These vulnerabilities allow an attacker to craft a malicious Active Directory network request that, when received by a vulnerable host, could allow for the arbitrary execution of code on Windows 2000 hosts or a Denial of Service (DoS) condition on other host operating systems.
  • Active Directory Invalid Free Vulnerability - CVE-2009-1138
    A remote code execution vulnerability exists in implementations of Active Directory on Microsoft Windows 2000 Server. The vulnerability is due to incorrect freeing of memory when processing specially crafted LDAP or LDAPS requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
  • Active Directory Memory Leak Vulnerability - CVE-2009-1139
    A denial of service vulnerability exists in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003. The vulnerability also exists in implementations of Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. The vulnerability is due to improper memory management during execution of certain types of LDAP or LDAPS requests. An attacker who successfully exploited this vulnerability could cause the affected server to stop responding.
Windows 2000 Active Directory Servers are at the highest risk from this bulletin, since CVE-2009-1138 could lead to arbitrary code execution on them. Because Active Directory vulnerabilities could allow attackers to compromise entire subnets and domains, domain controllers are high-priority targets for attackers who have already gained access to workstations by other means.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems, especially Windows 2000 Active Directory Servers.
Cumulative Security Update for Internet Explorer (969897)
http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes eight vulnerabilities within Microsoft Internet Explorer. These vulnerabilities allow an attacker to craft a malicious website or HTML page that, when viewed by a vulnerable Internet Explorer browser, could allow for Cross-Domain Information Disclosure (Cross-Domain Scripting/Hijacking), Denial of Service (browser crash), or execution of arbitrary code in the context of the current user.
  • Race Condition Cross-Domain Information Disclosure Vulnerability - CVE-2007-3091
    An information disclosure vulnerability exists in Internet Explorer that could allow script to gain access to the content in another browser window in another domain or Internet Explorer zone. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could view data from a Web page in another Internet Explorer domain.
  • Cross-Domain Information Disclosure Vulnerability - CVE-2009-1140
    An information disclosure vulnerability exists in the way that Internet Explorer caches data and incorrectly allows the cached content to be called, potentially bypassing Internet Explorer domain restriction. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. An attacker who successfully exploited this vulnerability could view content from the local computer or another browser window in another domain or Internet Explorer zone.
  • DHTML Object Memory Corruption Vulnerability - CVE-2009-1141
    A remote code execution vulnerability exists in the way Internet Explorer displays a Web page that contains certain unexpected method calls to HTML objects. As a result, system memory may be corrupted in such a way that an attacker could execute arbitrary code if a user visited a specially crafted Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
  • HTML Object Memory Corruption Vulnerability - CVE-2009-1528/1530/1531/1532
    A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Uninitialized Memory Corruption Vulnerability - CVE-2009-1529
    A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft Internet Explorer vulnerabilities are among the most targeted vulnerabilities used by attackers. They are easily delivered via email and Instant Message (IM) links, social engineering, Cross-site scripting (XSS), or SQL Injection attacks on legitimate websites that redirect visitors to malicious websites. Attackers will then use these vulnerabilities to execute and install malware which allows the attacker to further infiltrate the compromised system and gain access to sensitive information.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems, especially those that are commonly used for Internet browsing.
Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
http://www.microsoft.com/technet/security/Bulletin/MS09-020.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: Important
Description
This patch fixes two vulnerabilities within Microsoft IIS 5, 5.1, and 6.0 WebDAV. These vulnerabilities allow an attacker to craft a malicious HTTP WebDAV request that, when received by a vulnerable host, could allow the attacker to bypass certain authentication restrictions and gain access to sensitive information or files.
  • IIS 5.0 WebDAV Authentication Bypass Vulnerability - CVE-2009-1122
    An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that should require authentication.
  • IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability - CVE-2009-1535
    An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication.
This patch addresses two authentication bypass vulnerabilities, including one previously publicly disclosed vulnerability (CVE-2009-1535). This specific attack is being used in the wild by attackers in order to gain access to files and websites with WebDAV restrictions in place. Attacks of this nature could expose sensitive personal or business information, and could also give attackers files or data that can be used to compromise additional systems.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems, especially those that are implementing WebDAV authentication.
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
http://www.microsoft.com/technet/security/Bulletin/MS09-021.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes seven vulnerabilities within all versions of Microsoft Excel. These vulnerabilities allow an attacker to form a specially-crafted Excel document that, when viewed by a vulnerable user, could allow for an attacker to execute arbitrary code on the remote system.
  • Record Pointer Corruption Vulnerability - CVE-2009-0549/1134
    A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Object Record Corruption Vulnerability - CVE-2009-0557
    A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Array Indexing Memory Corruption Vulnerability - CVE-2009-0558
    A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • String Copy Stack-Based Overrun Vulnerability - CVE-2009-0559
    A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Field Sanitization Memory Corruption Vulnerability - CVE-2009-0560
    A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Record Integer Overflow Vulnerability - CVE-2009-0561
    A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
These vulnerabilities pose a very serious risk to all Excel users. Attackers are likely to deliver these attacks through various means, such as social engineering and malicious emails or websites hosting malformed files. Once exploited, attackers will likely install malware on the system in order to gain further access and steal sensitive information stored on the vulnerable machine.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems. End-users should also be trained on the potential for attacks utilizing file-format vulnerabilities in order to avoid these vulnerabilities or other similar ones.
Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
http://www.microsoft.com/technet/security/Bulletin/MS09-022.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes three vulnerabilities within the Microsoft Windows Print Spooler service. These vulnerabilities allow an attacker to craft a malicious RPC network request that, when received by a vulnerable host, could allow the attacker to gain access to sensitive local information, elevate their privileges, or execute arbitrary code at elevated privileges, leading to the complete compromise of the affected system.
  • Buffer Overflow in Print Spooler Vulnerability - CVE-2009-0228
    A remote code execution vulnerability exists in the Windows Print Spooler that could allow a remote, unauthenticated attacker to execute arbitrary code on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
  • Print Spooler Read File Vulnerability - CVE-2009-0229
    A local, authenticated information disclosure vulnerability exists in the Windows Printing Service that could allow a user to read or print any file on the system. This action can be taken even if the user does not have administrative access. However, the vulnerability could not be exploited remotely or by anonymous users.
  • Print Spooler Load Library Vulnerability - CVE-2009-0230
    A remote, authenticated elevation of privilege vulnerability exists in the Windows Print Spooler that could allow an arbitrary dynamic link library (DLL) to be loaded by the Print Spooler. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
This patch addresses one local and two remote vulnerabilities that allow complete system compromise. Windows 2000 is at the highest risk from this bulletin, since CVE-2009-0228 allows remote, unauthenticated attackers to trigger the vulnerability.
Recommendations
Administrators are urged to roll out this patch as soon as possible to vulnerable systems, particularly those implementing the Print Spooler service.
Vulnerability in Windows Search Could Allow Information Disclosure (963093)
http://www.microsoft.com/technet/security/Bulletin/MS09-023.mspx
Microsoft Severity Rating: Moderate
eEye Severity Rating: Moderate
Description
This patch fixes a single vulnerability within the optional Microsoft Windows Search component. This vulnerability allows an attacker to craft a malicious search request or file that, when processed by a vulnerable host, could allow the attacker to execute arbitrary HTML script that could disclose sensitive information to remote attackers. This attack requires user interaction in order to successfully exploit a system.
  • Script Execution in Windows Search Vulnerability - CVE-2009-0239
    An information disclosure vulnerability exists in Windows Search due to the way file previews are generated. Attempts to exploit this vulnerability require user interaction. An attacker who successfully exploited this vulnerability could run a malicious HTML script that could disclose information, forward user data to a third party, or access any data on the affected systems that was accessible to the logged-on user. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.
This patch addresses a user-interaction required vulnerability in Windows Search. This attack is relatively low on the exploitability scale and could only be delivered by trusted attackers or through extensive social engineering attacks.
Recommendations
Administrators are urged to roll out this patch as they see fit. Additionally, Windows XP and 2003 do not come with Windows Search installed by default. Windows Vista and 2008 are not vulnerable to this attack vector.
Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
http://www.microsoft.com/technet/security/Bulletin/MS09-024.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes a vulnerability within the Microsoft Works Converters. This vulnerability allows an attacker to craft a malicious Works file (.wps) that, when opened by a vulnerable host, could allow the attacker to execute arbitrary code in the context of the currently logged in user.
  • File Converter Buffer Overflow Vulnerability - CVE-2009-1533
    A remote code execution vulnerability exists in the way that the Works for Windows document converters handle specially crafted Works files. The vulnerability could allow remote code execution if a user opens a specially crafted .wps file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This patch addresses a single vulnerability within Microsoft Works that remote attackers could deliver through typical means of email, IM, or website links. Once executed, the malicious WPS file would typically install malware on the system that allows remote attackers to gain access to the system and its resources.
Recommendations
Administrators are urged to roll out this patch on all systems as soon as possible. The highest-risk machines are workstations with internet and email access, to which attackers can easily send malicious files.
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
http://www.microsoft.com/technet/security/Bulletin/MS09-025.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: High
Description
This patch fixes four vulnerabilities within the Microsoft Windows kernel. These vulnerabilities allow a local attacker or exploit to craft a malicious API call, or execute code in such a way, that it would trigger a denial of service condition (BSOD) or elevate the malicious program's or attacker's privileges to kernel level. This could then be used to completely compromise the system.
  • Windows Kernel Desktop Vulnerability - CVE-2009-1123
    A remote code execution vulnerability exists in the way that the Works for Windows document converters handle specially crafted Works files. The vulnerability could allow remote code execution if a user opens a specially crafted .wps file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • Windows Kernel Pointer Validation Vulnerability - CVE-2009-1124
    An elevation of privilege vulnerability exists in the Windows kernel due to the insufficient validation of certain pointers passed from user mode. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Windows Driver Class Registration Vulnerability - CVE-2009-1125
    An elevation of privilege vulnerability exists because the Windows kernel does not properly validate an argument passed to a Windows kernel system call. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  • Windows Desktop Parameter Edit Vulnerability - CVE-2009-1126
    An elevation of privilege vulnerability exists when the Windows kernel improperly validates input passed from user mode to the kernel when editing a specific desktop parameter. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Attackers are likely to chain these vulnerabilities with other exploits, a technique known as exploit piggy-backing. This would allow an attacker to use one exploit to gain access to the system and then combine it with any of the above vulnerabilities in order to elevate their privileges to kernel level and completely compromise the system. These types of vulnerabilities are essentially what makes Windows rootkits possible.
Recommendations
eEye Research suggests that vulnerable hosts be patched for this vulnerability as soon as possible after internal applications have been verified to not be adversely affected by this patch.
Vulnerability in RPC Could Allow Elevation of Privilege (970238)
http://www.microsoft.com/technet/security/Bulletin/MS09-026.mspx
Microsoft Severity Rating: Important
eEye Severity Rating: High
Description
This patch fixes a vulnerability within the Microsoft Remote Procedure Call (RPC) framework. This vulnerability allows an attacker to craft a malicious RPC request that, when processed by a vulnerable application, could allow the attacker to execute arbitrary code with elevated privileges. It is important to note that this vulnerability does not affect any RPC interface that ships with Microsoft Windows; however, certain third-party applications are at risk.
  • RPC Marshalling Engine Vulnerability - CVE-2009-0568
    An elevation of privilege vulnerability exists in the Windows remote procedure call (RPC) facility where the RPC Marshalling Engine does not update its internal state appropriately. The failure to update internal state could lead to a pointer being read from an incorrect location. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
This patch addresses a single vulnerability within the RPC library for Microsoft Windows. The vulnerability can be present in 32-bit applications implementing RPC calls using a specific data structure.
Recommendations
Administrators should coordinate with development teams and review all applications that implement the vulnerable RPC data structures. The Microsoft Security Response Center (MSRC) has provided a detailed web page that development teams can review to determine if their applications are vulnerable (http://blogs.technet.com/srd/archive/2009/06/09/ms09-026-how-a-developer-can-know-if-their-rpc-interface-is-affected.aspx). Installing the patch mitigates the vulnerability; however, this may interfere with certain third-party application functionality. Testing is advised.
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
http://www.microsoft.com/technet/security/Bulletin/MS09-027.mspx
Microsoft Severity Rating: Critical
eEye Severity Rating: Critical
Description
This patch fixes two vulnerabilities within all supported versions of Microsoft Office Word. These vulnerabilities allow an attacker to craft a malicious Word document that, when opened by a vulnerable host, could allow the attacker to execute arbitrary code in the context of the currently logged in user.
  • Word Buffer Overflow Vulnerability - CVE-2009-0563/0565
    A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This patch addresses two vulnerabilities within Microsoft Word that remote attackers could deliver through typical means of email, IM, or website links. Once executed, the malicious document would typically install malware on the system that allows remote attackers to gain access to the system and its resources.
Recommendations
Administrators are urged to roll out this patch on all vulnerable systems as soon as possible. The highest-risk machines are workstations with internet and email access, to which attackers can easily send malicious files.
The eEye Advantage

Retina® Network Security Scanner
eEye Digital Security's Retina customers can update their scanner to detect systems vulnerable to these latest issues and verify this month's Microsoft patches are installed. Updated Retina audits are automatically available to eEye Retina customers via Auto-Update. To view a list of the corresponding audits, please visit:
http://www.eeye.com/html/mspatch/2009-06-09.html#audits

Blink® Endpoint Security
eEye's line of Blink with Anti-Virus software protects from the potential exploitation of these flaws without requiring invasive firewalling, which could limit system functionality and business connectivity; Blink does not require the disabling of services or applications as a means of protection. The result is complete protection for the system and the sensitive data that resides on it, with zero downtime or impact to critical system operations.

Current Blink customers aren't required to do anything to realize the protection from these remote code execution flaws. No updates or policy changes are required. Blink Professional, Blink Server and Blink Personal now include multiple integrated anti-virus engines. Blink Personal is available for free for one year for personal use and can be downloaded at: http://www.eeye.com/blinkpersonal/. Business users can download a trial version of Blink Professional at http://www.eeye.com/blink/.

Online Seminar: Vulnerability Expert Forum
As a service to the network security community, the eEye Research Team conducts a Vulnerability Expert Forum web seminar during the second week of every month. eEye will host this month's forum on Wednesday of this week. This forum enables participants to stay current on the potential risks and remediation requirements of the patches announced today, by exploring the effects that high-risk vulnerabilities and exploits have on network environments and infrastructures.
To register, visit http://www.eeye.com/html/resources/vef/index.html.