August Month of Windows Bugs
It is that time of the month again when Microsoft release to the world their own little month of Windows bugs. They do it every month, and this month, just like all the rest, they have unloaded onto the unsuspecting public five advisories rated as Critical and four advisories rated as Important.
The critical bulletins this month include MS09-037, which covers five critical vulnerabilities in the Microsoft Active Template Library (ATL). This one is interesting as it does not affect a single piece of software but rather a set of library and other code that is compiled into any third-party software that uses the ATL. So not only do Microsoft include security vulnerabilities in their own code, they have somehow managed to spread their security weaknesses into other people's code.
The issues covered by this bulletin include:
- Microsoft Video ActiveX Control Vulnerability - CVE-2008-0015
- ATL Header Memcopy Vulnerability - CVE-2008-0020
- ATL Uninitialized Object Vulnerability - CVE-2009-0901
- ATL COM Initialization Vulnerability - CVE-2009-2493
- ATL Object Type Mismatch Vulnerability - CVE-2009-2494
This bulletin is also related to MS09-034 and MS09-035. To find out more about this bulletin you can read it here.
The next bulletin is MS09-038. Again we have media file parsing vulnerabilities, and this month it is the turn of the Microsoft AVI file format. The bulletin covers two vulnerabilities within the handling of these files that could be used to execute arbitrary code on the targeted system. The first of the two issues relates to a malformed AVI file header that could be used to execute arbitrary code; this issue affects many versions of Windows and has been rated as critical. The second issue is an integer overflow vulnerability that on Windows 2000 can result in arbitrary code execution; on other versions of Windows, however, it would result in a denial of service.
Then we have MS09-039, a bulletin that covers off two vulnerabilities within the Microsoft WINS service that can be enabled on Windows 2000 and Windows Server 2003. The issues can be used to allow the attacker to gain control of the targeted WINS server. The first of the two vulnerabilities (CVE-2009-1923) is a buffer overflow that affects both Windows 2000 and Windows Server 2003 when handling a maliciously crafted WINS replication packet. Successful exploitation would allow code execution within the context of the SYSTEM user on the targeted system. The second issue (CVE-2009-1924) affects only Windows 2000 and can result in code execution in the context of the SYSTEM user if the system is trusted for WINS replication and a specific registry parameter has been configured as ‘0’.
Our next critical bulletin is MS09-043, which addresses four critical vulnerabilities within Microsoft Office Web Components. Office 2000, Office XP, Office 2003, Microsoft ISA Server 2004 and 2006, Microsoft BizTalk Server 2002, Visual Studio .NET 2003 and Microsoft Office Small Business Accounting 2006 are all affected by the issues covered in this bulletin.
The issues covered by this bulletin include:
- Office Web Components Memory Allocation Vulnerability - CVE-2009-0562
- Office Web Components Heap Corruption Vulnerability - CVE-2009-2496
- Office Web Components HTML Script Vulnerability - CVE-2009-1136
- Office Web Components Buffer Overflow Vulnerability - CVE-2009-1534
You can find out more about these vulnerabilities from the bulletin here.
The last of the critical bulletins this month is MS09-044. This bulletin covers off two vulnerabilities within the Remote Desktop Connection (RDP) client application and the RDP ActiveX control. These problems affect the RDP client included with all versions of Windows.
The first of the vulnerabilities is a heap overflow occurring within the RDP client. When a malicious server sends a malformed packet to a client, it may be possible to trigger an exceptional condition and cause a portion of memory to be corrupted. This can be used to run arbitrary code on a vulnerable client. Additionally this could technically be leveraged by an attacker carrying out a man-in-the-middle attack.
The second vulnerability is a heap-based corruption flaw occurring within an RDP Web Connection ActiveX control, which can be instantiated within Internet Explorer. Due to a flaw when parsing some user-supplied input, it is possible to corrupt heap memory, which could be leveraged to execute arbitrary code. This flaw can be exploited by using a specially constructed web page that includes the malicious HTML, or by injecting the HTML into another page via an advert or other included content. As a result it is expected that this flaw would be a prime target for use in drive-by attacks on web users.
The four Important bulletins released by Microsoft include:
- MS09-036 - Vulnerability in ASP.NET Could Allow Denial of Service
- MS09-040 - Vulnerability in Message Queuing Could Allow Elevation of Privilege
- MS09-041 - Vulnerability in Workstation Service Could Allow Elevation of Privilege
- MS09-042 - Vulnerability in Telnet Could Allow Remote Code Execution
It is recommended that you review the advisories for the Important vulnerabilities to determine the possible impact and then install the patches anyway.
As is the custom at this time of the month, install all the patches as soon as you possibly can and pray that no one has exploited them yet.
