November Patch Tuesday, Same Dance, Different Music
by Eirik Iverson, Product Management
Microsoft and Adobe have released important security patches that correct vulnerabilities (i.e., programming mistakes) that could be exploited to do serious harm to an individual or organization. There are no known exploits of the Adobe vulnerability, but the Microsoft ones are sure to be exploited.
Microsoft on its November 2009 Security Patches
MS09-063 / CVE-2009-2512
Web Services on Devices API Memory Corruption
Microsoft Exploitability Index Assessment: Inconsistent exploit code likely
Affected Computers: Windows Vista
Vulnerability: The vulnerability could allow remote code execution if an affected Windows system receives a specially crafted packet. Only attacks on the local subnet would be able to exploit this vulnerability.
Blue Ridge on Protection: Though this is an unlikely attack vector, AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled. This Microsoft patch should be implemented as soon as practical.
MS09-064 / CVE-2009-2523
License Logging Server Heap Overflow
Microsoft Exploitability Index Assessment: Inconsistent exploit code likely
Affected Computers: Windows 2000, Service Pack 4
Vulnerability: The vulnerability could allow remote code execution if an attacker sent a specially crafted network message to a computer running the License Logging Server. An attacker who successfully exploited this vulnerability could take complete control of the system.
Blue Ridge on Protection: Neither AppGuard nor EdgeGuard officially support Windows 2000.
MS09-065
CVE-2009-1127, Win32k Null Pointer Dereferencing Vulnerability
CVE-2009-2513, Win32k Insufficient Data Validation Vulnerability
CVE-2009-2514, Win32k EOT Parsing Vulnerability
Microsoft Exploitability Index Assessment: Inconsistent exploit code likely: CVE-2009-1127; Consistent exploit code likely: CVE-2009-2513, CVE-2009-2514
Affected Computers: Windows XP SP2, Windows Vista, and others; Windows 7 is unaffected.
Vulnerability:
CVE-2009-1127. An elevation of privilege vulnerability exists because the Windows kernel does not properly validate an argument passed to a Windows kernel system call. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2009-2513. A remote code execution vulnerability exists in the Windows kernel-mode drivers due to the improper parsing of font code when building a table of directory entries. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2009-2514. A remote code execution vulnerability exists in the Windows kernel-mode drivers due to the improper parsing of font code when building a table of directory entries. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Blue Ridge on Protection:
CVE-2009-1127. AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled. Should such an attack elevate a guarded application to run with kernel mode privileges, AppGuard or EdgeGuard protection would not be degraded. This Microsoft patch should be implemented as soon as practical.
CVE-2009-2513. AppGuard or EdgeGuard would block such attacks that launch from user-space while drive-by download attack protection is enabled. This Microsoft patch should be implemented as soon as practical.
CVE-2009-2514. AppGuard or EdgeGuard would block such attacks. This Microsoft patch should be implemented as soon as practical.
MS09-066 / CVE-2009-1928
LSASS Recursive Stack Overflow Vulnerability
Microsoft Exploitability Index Assessment: Functioning exploit code unlikely
Affected Computers: Windows XP SP 2/3; Windows Vista and Windows 7 are unaffected.
Vulnerability: This is only a denial of service vulnerability and is of little practical value to cyber criminals.
Blue Ridge on Protection: Irrelevant. Low priority patch.
MS09-067
CVE-2009-3127, Excel Cache Memory Corruption Vulnerability
CVE-2009-3128, Excel SxView Memory Corruption Vulnerability
CVE-2009-3129, Excel Featheader Record Memory Corruption Vulnerability
CVE-2009-3130, Excel Document Parsing Heap Overflow Vulnerability
CVE-2009-3131, Excel Formula Parsing Memory Corruption Vulnerability
CVE-2009-3132, Excel Index Parsing Vulnerability
CVE-2009-3133, Excel Document Parsing Memory Corruption Vulnerability
CVE-2009-3134, Excel Field Sanitization Vulnerability
Microsoft Exploitability Index Assessment:
Inconsistent exploit code likely: CVE-2009-3127, CVE-2009-3128, CVE-2009-3132, CVE-2009-3133, CVE-2009-3134
Consistent exploit code likely: CVE-2009-3129, CVE-2009-3130, CVE-2009-3131
Affected Computers: Microsoft Office XP SP 3, Office 2003 SP 3, Office 2007 SP 1/2
Vulnerability:
CVE-2009-3127. A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2009-3128. A remote code execution vulnerability exists in the way Microsoft Office Excel handles specially crafted Excel files that include a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2009-3129. A remote code execution vulnerability exists in the way that Microsoft Office Excel handles specially crafted Excel files that include a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2009-3130. A remote code execution vulnerability exists in the way Microsoft Office Excel handles specially crafted Excel files with malformed BIFF records. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2009-3131. A remote code execution vulnerability exists in the way that Microsoft Office Excel parses documents containing a specially crafted formula embedded inside a cell. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights in the context of the currently logged on user.
CVE-2009-3132. A remote code execution vulnerability exists in Microsoft Office Excel as a result of pointer corruption when loading Excel formulas. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed formula. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2009-3133. A remote code execution vulnerability exists in Microsoft Office Excel as a result of memory corruption when loading Excel records. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE-2009-3134. A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Blue Ridge on Protection: AppGuard or EdgeGuard would protect computers from attacks attempting to exploit any of these vulnerabilities: CVE-2009-3127, CVE-2009-3128, CVE-2009-3129, CVE-2009-3130, CVE-2009-3131, CVE-2009-3132, CVE-2009-3133, and CVE-2009-3134.
Simply put: any such attack would either seek to spawn a malicious executable in user-space, which would fail to launch because of drive-by download attack protection, or the attack would attempt to place a malicious executable elsewhere, which would be blocked because AppGuard and EdgeGuard do not allow ‘guarded’ applications to write elsewhere.
MS09-068 / CVE-2009-3135
Microsoft Office Word File Information Memory Corruption Vulnerability
Microsoft Exploitability Index Assessment: Consistent exploit code likely
Affected Computers: Microsoft Office 2007 SP 1/2; Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP 1/2; Microsoft Works 8.5; Microsoft Works 9
Vulnerability: The vulnerability could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Blue Ridge on Protection: AppGuard or EdgeGuard would block these attacks without additional configuration.
Adobe on its November 2009 Security Patches
CVE-2009-3489, APSB09-17
Potential Photoshop Elements Privilege Escalation Vulnerability
Affected Computers: Photoshop Elements 8.0, Photoshop Elements 7.0
Vulnerability: A moderate vulnerability has been identified in Adobe Photoshop Elements versions 8.0 and 7.0. The vulnerability could allow a user with valid login credentials and/or physical access, who successfully exploits the vulnerability, to execute arbitrary commands with elevated privileges. Adobe is not aware of any exploits in the wild for the issue.
Blue Ridge on Protection: AppGuard or EdgeGuard would block an attack that attempted to exploit this vulnerability without any additional configurations. Users should make certain that Photoshop Elements has been added to the ‘Guard List’. This patch should be implemented when doing so is convenient.
Related Articles:
SANS: Client-Side Software Vulnerabilities Are Highest Priority But Most Neglected Risk