VERT Alert

October 13, 2009 4:00 PDT

nCircle’s VERT Alert addresses the 13 new Microsoft Security Bulletins issued today. nCircle VERT is actively working on coverage for these issues to meet our 24-hour SLA. VERT expects to ship ASPL-319 on Wednesday, October 14, with coverage for 34 CVEs. It is also noteworthy that this is the first Patch Tuesday to include updates for Windows 7.

Bulletin  CVE            Exploitability        Impact               Vulnerability
MS09-050  CVE-2009-2526  No Known Exploit      Remote Availability  SMBv2 Infinite Loop Vulnerability
MS09-050  CVE-2009-2532  No Known Exploit      Remote Privileged    SMBv2 Command Value Vulnerability
MS09-050  CVE-2009-3103  Automated Exploit     Remote Privileged    SMBv2 Negotiation Vulnerability
MS09-051  CVE-2009-0555  Extremely Difficult   Remote Privileged    Windows Media Runtime Voice Sample Rate Vulnerability
MS09-051  CVE-2009-2525  No Known Exploit      Remote Privileged    Windows Media Runtime Heap Corruption Vulnerability
MS09-052  CVE-2009-2527  No Known Exploit      Remote Privileged    WMP Heap Overflow Vulnerability
MS09-053  CVE-2009-2521  Automated Exploit     Local Availability   IIS FTP Service DoS Vulnerability
MS09-053  CVE-2009-3023  Automated Exploit     Remote Privileged    IIS FTP Service RCE and DoS Vulnerability
MS09-054  CVE-2009-1547  No Known Exploit      Remote Privileged    Data Stream Header Corruption Vulnerability
MS09-054  CVE-2009-2529  Extremely Difficult   Remote Privileged    HTML Component Handling Vulnerability
MS09-054  CVE-2009-2530  Extremely Difficult   Remote Privileged    Uninitialized Memory Corruption Vulnerability
MS09-054  CVE-2009-2531  No Known Exploit      Remote Privileged    Uninitialized Memory Corruption Vulnerability (II)
MS09-055  CVE-2009-2493  Extremely Difficult   Remote Privileged    ATL COM Initialization Vulnerability
MS09-056  CVE-2009-2510  Automated Exploit     Remote Access        Null Truncation in X.509 Common Name Vulnerability
MS09-056  CVE-2009-2511  Extremely Difficult   Remote Access        Integer Overflow in X.509 Object Identifiers Vulnerability
MS09-057  CVE-2009-2507  No Known Exploit      Remote Privileged    Memory Corruption in Indexing Service Vulnerability
MS09-058  CVE-2009-2515  No Known Exploit      Local Privileged     Windows Kernel Integer Underflow Vulnerability
MS09-058  CVE-2009-2516  No Known Exploit      Remote Privileged    Windows Kernel NULL Pointer Dereference Vulnerability
MS09-058  CVE-2009-2517  No Known Exploit      Local Privileged     Windows Kernel Exception Handler Vulnerability
MS09-059  CVE-2009-2524  No Known Exploit      Remote Availability  Local Security Authority Subsystem Service Integer Overflow Vulnerability
MS09-060  CVE-2009-0901  No Known Exploit      Remote Privileged    ATL Uninitialized Object Vulnerability
MS09-060  CVE-2009-2493  No Known Exploit      Remote Privileged    ATL COM Initialization Vulnerability
MS09-060  CVE-2009-2495  No Known Exploit      Remote Privileged    ATL Null String Vulnerability
MS09-061  CVE-2009-0090  No Known Exploit      Remote Privileged    Microsoft .NET Framework Pointer Verification Vulnerability
MS09-061  CVE-2009-0091  No Known Exploit      Remote Privileged    Microsoft .NET Framework Type Verification Vulnerability
MS09-061  CVE-2009-2497  Difficult to Exploit  Remote Privileged    Microsoft Silverlight and Microsoft .NET Framework CLR Vulnerability
MS09-062  CVE-2009-2500  No Known Exploit      Remote Privileged    GDI+ WMF Integer Overflow Vulnerability
MS09-062  CVE-2009-2501  No Known Exploit      Remote Privileged    GDI+ PNG Heap Overflow Vulnerability
MS09-062  CVE-2009-2502  No Known Exploit      Remote Privileged    GDI+ TIFF Buffer Overflow Vulnerability
MS09-062  CVE-2009-2503  No Known Exploit      Remote Privileged    GDI+ TIFF Memory Corruption Vulnerability
MS09-062  CVE-2009-2504  No Known Exploit      Remote Privileged    GDI+ .NET API Vulnerability
MS09-062  CVE-2009-3126  No Known Exploit      Remote Privileged    GDI+ PNG Integer Overflow Vulnerability
MS09-062  CVE-2009-2528  No Known Exploit      Remote Privileged    Memory Corruption Vulnerability
MS09-062  CVE-2009-2518  No Known Exploit      Remote Privileged    Office BMP Integer Overflow Vulnerability

* The last two columns (exploitability and impact) are based on nCircle internal scoring. If you are aware of any changes to this, please let us know.

MS09-050

The very public SMBv2 vulnerability (CVE-2009-3103) is patched by MS09-050, along with two other SMBv2 CVEs. Given that the flaw existed in the Windows 7 and Server 2008 R2 release candidates but not in the final products, it implies that Microsoft most likely found it through its SDLC and fixed it there. It was then an unfortunate set of circumstances that the issue went public before the fix had been backported to Vista and Server 2008.

MS09-051

Two CVEs are identified here affecting the Windows Media Runtime. It is important to note that having Windows Media Player installed doesn’t automatically mean that you are vulnerable. If you are affected, it is advised that you patch as quickly as possible, since browsing to a malicious website could lead to exploitation.

MS09-052

This single vulnerability is a heap overflow in Windows Media Player and again should be patched quickly, as it represents another drive-by attack vector.

MS09-053

Another public vulnerability being patched today exists in the Microsoft IIS FTP service. It is important to note that FTP Service 7.5 for IIS 7.0 is not vulnerable. While VERT does not expect many people to be running IIS FTP with anonymous access, it is advisable to update these systems as quickly as possible. If you don’t require anonymous access, VERT recommends disabling it. If you must allow anonymous access, we recommend that you ensure anonymous users do not have write permissions.

MS09-054

The expected IE cumulative update is with us again this month. It contains a mix of vulnerabilities, but one in particular stands out: CVE-2009-2529, which was discussed at Black Hat [1] earlier this year. This vulnerability is interesting because Firefox also presents an attack vector: .NET Framework 3.5 SP1 installs the Windows Presentation Foundation plugin in Firefox. So don’t assume that you are safe from this one simply because you don’t use Internet Explorer.

MS09-055

This month’s cumulative ActiveX kill bit update sets kill bits for additional vulnerable ActiveX controls. It is important to note that while there are security concerns with these controls, if you actively use any of them, this update will prevent Internet Explorer from loading that component. If you do require one of these controls, please ensure that you limit access to it.

ActiveX Controls Included:

  • ATL OWC
    • OWC9 RecordNavigationControl
    • OWC9 FieldList
    • OWC9 ExpandControl
    • OWC10 RecordNavigationControl
    • OWC11
  • Visio Viewer 2002-2007
  • Windows Live Mail
    • Mail Object
    • Mesg Table Object
    • Mime Editor
    • Message List
  • MSN Photo Upload Tool
  • Office Excel Add-in for SQL Analysis Services

MS09-056

This is another important bulletin, as it contains the fix for the Windows CryptoAPI null-byte SSL certificate issue discussed by Dan Kaminsky and Moxie Marlinspike [2]. The issue was fixed in Firefox quite a while ago, and people had been actively awaiting the CryptoAPI fix, since two malicious certificates are publicly available.
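The two bug classes behind MS09-056 are both easy to reproduce in miniature. The following is an added example written for this alert; it is not nCircle's or Microsoft's code and does not reproduce CryptoAPI's actual parser. It assumes a certificate CN that has already been DER-decoded into a byte buffer (the sample CN with the embedded NUL is constructed for illustration, and the domain names are placeholders), and shows the C-string comparison that truncates at the NUL beside a length-aware comparison that rejects it, followed by an overflow-checked base-128 decoder of the kind an OID parser needs:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, not a real certificate: the raw bytes of a subject CN
 * with an embedded NUL.  A CA that only looked at the text before the NUL
 * would issue this to whoever controls "attacker.example". */
static const uint8_t SAMPLE_CN[] = "www.bank.example\0.attacker.example";
static const size_t SAMPLE_CN_LEN = sizeof(SAMPLE_CN) - 1;  /* drop C terminator */

/* Vulnerable pattern: the DER octet string is copied into a C string and
 * compared with strcmp(), so everything after the embedded NUL is ignored
 * and the CN appears to be exactly "www.bank.example". */
bool cn_matches_host_naive(const uint8_t *cn, size_t cn_len, const char *host)
{
    char buf[256];
    if (cn_len >= sizeof buf)
        return false;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, host) == 0;          /* stops at the first NUL */
}

/* Hardened pattern: treat the CN as a length-delimited octet string.
 * Any embedded NUL is rejected outright, then the full length is compared.
 * (Case folding and wildcard handling are omitted to keep the point clear.) */
bool cn_matches_host_strict(const uint8_t *cn, size_t cn_len, const char *host)
{
    if (memchr(cn, 0, cn_len) != NULL)
        return false;                       /* embedded NUL is never legitimate */
    if (strlen(host) != cn_len)
        return false;
    return memcmp(cn, host, cn_len) == 0;
}

/* Decode one base-128 sub-identifier from a DER-encoded OID body, checking
 * for arithmetic overflow before each shift.  Returns the number of bytes
 * consumed, or 0 if the input is malformed or the value does not fit 32 bits. */
size_t oid_decode_subid(const uint8_t *p, size_t len, uint32_t *out)
{
    uint32_t val = 0;
    for (size_t i = 0; i < len; i++) {
        if (val > (UINT32_MAX >> 7))
            return 0;                       /* next shift would wrap */
        val = (val << 7) | (p[i] & 0x7Fu);
        if ((p[i] & 0x80u) == 0) {
            *out = val;
            return i + 1;
        }
    }
    return 0;                               /* continuation bit set on last byte */
}

int main(void)
{
    const char *host = "www.bank.example";
    printf("naive  : %s\n", cn_matches_host_naive(SAMPLE_CN, SAMPLE_CN_LEN, host) ? "ACCEPT" : "reject");
    printf("strict : %s\n", cn_matches_host_strict(SAMPLE_CN, SAMPLE_CN_LEN, host) ? "ACCEPT" : "reject");

    /* 113549 from the RSA arc 1.2.840.113549, DER-encoded as 86 F7 0D */
    const uint8_t good[] = { 0x86, 0xF7, 0x0D };
    uint32_t v = 0;
    size_t n = oid_decode_subid(good, sizeof good, &v);
    printf("oid    : consumed %zu bytes, value %u\n", n, (unsigned)v);

    /* Sub-identifier wider than 32 bits: must be rejected, not wrapped */
    const uint8_t huge[] = { 0x90, 0x80, 0x80, 0x80, 0x80, 0x00 };
    n = oid_decode_subid(huge, sizeof huge, &v);
    printf("oid big: %s\n", n == 0 ? "rejected" : "accepted");
    return 0;
}
```

The naive check accepts the sample CN as "www.bank.example" while the strict check rejects it; the decoder returns 3 and 113549 for the RSA sub-identifier and 0 for the oversized one. The general lesson is the same for both halves: X.509 fields are length-delimited, so any code path that hands them to NUL-terminated string functions, or accumulates them into fixed-width integers without a bound check, is where this class of bug lives.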

MS09-057

This bulletin addresses a vulnerability in the Indexing Service, which is not installed by default. However, if you have the service installed, or have manually installed the ActiveX control, it is recommended that you apply this update as soon as possible; it can be exploited simply by visiting a malicious web page.

MS09-058

Privilege escalation in the Windows kernel is becoming more and more common these days; we see such issues patched quite frequently now. It is important to note that vulnerabilities like this are generally less severe than the others Microsoft patches, as they require local access to the system with an account. The primary threats here are:

  • Attackers elevating their permissions from a standard user account that they have already compromised via another vulnerability
  • Insider threat

MS09-059

It is always a welcome sight to see Microsoft patch a denial of service vulnerability, as this doesn’t always happen. In this case, however, a server service is affected, so a patch has been issued. The vulnerability itself is due to LSASS improperly handling malformed packets during NTLM authentication, which means that an unauthenticated (anonymous) attacker could force a reboot of the target computer. It should be noted that Windows XP and Server 2003 are only affected when Extended Protection for Authentication (KB973811 [3]) has been installed.

MS09-060

The ATL ActiveX controls for Microsoft Office are patched in MS09-060. Once again ATL is rearing its ugly head, and once again the attack vector involves visiting a malicious site, a trend among today’s bulletins.

MS09-061

This bulletin covers a series of vulnerabilities affecting Silverlight and the .NET Framework; they are exploited by visiting a malicious website.

MS09-062

GDI+ is back again; this bulletin replaces MS08-052 from last year. It affects everything from Windows and Office to SQL Server and the Visual Studio Redistributable Package. The important thing to remember when a shared library is patched is to ensure that you have patched every product that carries a copy of it. Many times people apply only the Windows patch and miss the others, especially when patching manually.

 


[1] http://www.hustlelabs.com/stuff/bh2009_dowd_smith_dewey.pdf
[2] http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-PAPER1.pdf
[3] http://www.microsoft.com/technet/security/advisory/973811.mspx