McAfee Labs Security Advisory: MTIS09‐128

Version 2
    December 9, 2009

    Executive Summary
    Since the last McAfee® Labs Security Advisory (December 5), the following noteworthy events have taken place:
    • Patches are now available for the following:
      • (MS09-069) Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)
      • (MS09-070) Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)
      • (MS09-071) Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
      • (MS09-072) Cumulative Security Update for Internet Explorer (976325)
      • (MS09-073) Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)
      • (MS09-074) Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)

    McAfee product coverage for these events:

    McAfee Product Coverage *

    Threat Name                           Importance  DAT  BOP  Host  McAfee    McAfee         MNAC  McAfee       McAfee   MNAC
                                                                IPS   Network   Vulnerability  2.x   Remediation  Policy   SCAP
                                                                      Security  Manager              Manager      Auditor
                                                                      Platform                                    SCAP
    MTIS09-128-A LclSecAuth Subsys Vuln   Medium      N/A  N/A  N/A   N/A       Yes            Pend  Pend         UA       UA
    MTIS09-128-B Sgle SO Spoof in ADFS    Medium      N/A  N/A  N/A   N/A       Yes            Pend  Pend         UA       UA
    MTIS09-128-C RCE in ADFS Vuln         Medium      N/A  N/A  N/A   Pend      Yes            Pend  Pend         UA       UA
    MTIS09-128-D Mem Corr in IAS Vuln     High        N/A  Exp  Exp   N/A       Yes            Pend  Pend         UA       UA
    MTIS09-128-E MS-CHAP Auth Byps Vuln   Medium      N/A  N/A  N/A   Pend      Yes            Pend  Pend         UA       UA
    MTIS09-128-F ATL COM Init Vuln        High        N/A  Exp  Yes   Yes       Yes            Pend  Pend         UA       UA
    MTIS09-128-G Uninit Mem Corupt Vuln   High        N/A  Exp  Exp   Pend      Yes            Pend  Pend         UA       UA
    MTIS09-128-H HTML ObjMem Corpt Vuln   High        N/A  Exp  Exp   Pend      Yes            Pend  Pend         UA       UA
    MTIS09-128-I Unit Mem Crptn Vuln      High        N/A  Exp  Exp   Pend      Yes            Pend  Pend         UA       UA
    MTIS09-128-J Unit Mem Corupt Vuln     High        N/A  Exp  Exp   Pend      Yes            Pend  Pend         UA       UA
    MTIS09-128-K WP and OfcTxt Mem Vuln   Medium      N/A  Exp  Exp   Pend      Yes            Pend  Pend         UA       UA
    MTIS09-128-L Pjct Mem Val Vuln        High        N/A  N/A  Exp   Pend      Yes            Pend  Pend         UA       UA


    (MS09-069) Local Security Authority Subsystem Service Resource Exhaustion Vulnerability (974392) [MTIS09-128-A]

    Threat Identifier(s): CVE-2009-3675
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; WAN; Peer-to-Peer Networks
    User Interaction Required: No
    Description
    A vulnerability in Microsoft Windows could allow a denial of service. The vulnerability exists due to the Local Security Authority Subsystem Service (LSASS) improperly handling a specially crafted ISAKMP message while communicating via IPSEC. A remote user could send a maliciously crafted ISAKMP message to the server that would cause LSASS.exe to consume system resources, resulting in a denial of service.
    Importance: Medium. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Out of scope
       Host IPS: Out of scope
       McAfee Network Security Platform: Coverage not warranted at this time
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 8 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-069)
       974392
       Local Security Authority Subsystem Service Resource Exhaustion Vulnerability (974392)

    (MS09-070) Single Sign On Spoofing in ADFS Vulnerability (971726) [MTIS09-128-B]

    Threat Identifier(s): CVE-2009-2508
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Locally logged-on user; Web
    User Interaction Required: No
    Description
    A vulnerability in Active Directory Federation Services could allow spoofing. The vulnerability could allow an attacker to impersonate an authenticated user if the attacker has access to a terminal and web browser that was recently used by the targeted user to access a website offering single sign-on.
    Importance: Medium. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Out of scope
       Host IPS: Out of scope
       McAfee Network Security Platform: Coverage not warranted at this time
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 8 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-070)
       971726
       Single Sign On Spoofing in ADFS Vulnerability (971726)

    (MS09-070) Remote Code Execution in ADFS Vulnerability (971726) [MTIS09-128-C]

    Threat Identifier(s): CVE-2009-2509
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; Locally logged-on user
    User Interaction Required: No
    Description
    A vulnerability in implementations of Microsoft's Active Directory Federation Services (ADFS) could allow remote code execution. The vulnerability is due to incorrect validation of request headers when an authenticated user connects to an ADFS-enabled web server. Exploiting this vulnerability could allow an attacker to take complete control of a system.
    Importance: Medium. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Out of scope
       Host IPS: Out of scope
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Remote Code Execution in ADFS Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 8 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-070)
       971726
       Remote Code Execution in ADFS Vulnerability (971726)

    (MS09-071) Memory Corruption in Internet Authentication Service Vulnerability (974318) [MTIS09-128-D]

    Threat Identifier(s): CVE-2009-2505
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Locally logged-on user; Web
    User Interaction Required: No
    Description
    A vulnerability in implementations of PEAP on the Internet Authentication Service could allow remote code execution. The vulnerability is caused by the incorrect copying of messages received by the server in memory when handling PEAP authentication attempts. Exploiting the vulnerability could allow an attacker to take complete control of a system.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: Coverage not warranted at this time
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 8 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-071)
       974318
       Memory Corruption in Internet Authentication Service Vulnerability (974318)

    (MS09-071) MS-CHAP Authentication Bypass in Internet Authentication Service Vulnerability (974318) [MTIS09-128-E]

    Threat Identifier(s): CVE-2009-3677
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Locally logged-on user; Web
    User Interaction Required: No
    Description
    A vulnerability in Microsoft's Internet Authentication Service could allow the elevation of privileges. The vulnerability is caused by the Internet Authentication Service incorrectly validating an MS-CHAP v2 authentication request. This causes the server to consider the request valid, even when incorrect credentials may have been provided.
    Importance: Medium. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Out of scope
       Host IPS: Out of scope
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "RADIUS: MS-CHAP Authentication Bypass in Internet Authentication Service Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 8 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-071)
       974318
       MS-CHAP Authentication Bypass in Internet Authentication Service Vulnerability (974318)

    (MS09-072) ATL COM Initialization Vulnerability (976325) [MTIS09-128-F]

    Threat Identifier(s): CVE-2009-2493
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; E-Mail; Peer-to-Peer Networks
    User Interaction Required: Yes
    Description
    A vulnerability in an ActiveX control built with vulnerable Microsoft Active Template Library (ATL) headers could allow remote code execution. The vulnerability could allow a remote, unauthenticated user to perform remote code execution on an affected system. Attackers could exploit the vulnerability via a specially crafted Web page. When a user views the page, remote code execution could be possible.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Microsoft ATL COM Initialization Vulnerability ActiveX Kill Bits IV," which provides coverage.
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-072)
       976325
       ATL COM Initialization Vulnerability (976325)

    (MS09-072) Uninitialized Memory Corruption Vulnerability (976325) [MTIS09-128-G]

    Threat Identifier(s): CVE-2009-3671
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; Peer-to-Peer Networks; E-Mail
    User Interaction Required: Yes
    Description
    A vulnerability in Internet Explorer may allow an attacker to execute remote code. The vulnerability lies in the way Internet Explorer accesses an object that hasn't been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted web page. When a user views the web page, the vulnerability could allow remote code execution. An attacker exploiting the vulnerability could gain the same user rights as the logged-on user.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Internet Explorer Uninitialized Memory Corruption Vulnerability V," which provides coverage.
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-072)
       976325
       Uninitialized Memory Corruption Vulnerability (976325)

    (MS09-072) HTML Object Memory Corruption Vulnerability (976325) [MTIS09-128-H]

    Threat Identifier(s): CVE-2009-3672
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; E-Mail; Peer-to-Peer Networks
    User Interaction Required: Yes
    Description
    A vulnerability in Internet Explorer may allow an attacker to execute remote code. The vulnerability lies in the way Internet Explorer accesses an object that hasn't been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted web page. When a user views the web page, the vulnerability could allow remote code execution. An attacker exploiting the vulnerability could gain the same user rights as the logged-on user.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Internet Explorer HTML Object Memory Corruption Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-072)
       976325
       HTML Object Memory Corruption Vulnerability (976325)

    (MS09-072) Uninitialized Memory Corruption Vulnerability (976325) [MTIS09-128-I]

    Threat Identifier(s): CVE-2009-3673
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: E-Mail; Peer-to-Peer Networks; Web
    User Interaction Required: Yes
    Description
    A vulnerability in Internet Explorer may allow an attacker to execute remote code. The vulnerability lies in the way Internet Explorer accesses an object that hasn't been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted web page. When a user views the web page, the vulnerability could allow remote code execution. An attacker exploiting the vulnerability could gain the same user rights as the logged-on user.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Internet Explorer Uninitialized Memory Corruption Vulnerability VII," which provides coverage.
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-072)
       976325
       Uninitialized Memory Corruption Vulnerability (976325)

    (MS09-072) Uninitialized Memory Corruption Vulnerability II (976325) [MTIS09-128-J]

    Threat Identifier(s): CVE-2009-3674
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: E-Mail; Peer-to-Peer Networks; Web
    User Interaction Required: Yes
    Description
    A vulnerability in Internet Explorer may allow an attacker to execute remote code. The vulnerability lies in the way Internet Explorer accesses an object that hasn't been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted web page. When a user views the web page, the vulnerability could allow remote code execution. An attacker exploiting the vulnerability could gain the same user rights as the logged-on user.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Internet Explorer Uninitialized Memory Corruption Vulnerability VI," which provides coverage.
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-072)
       976325
       Uninitialized Memory Corruption Vulnerability II (976325)

    (MS09-073) WordPad and Office Text converter Memory Corruption Vulnerability (975539) [MTIS09-128-K]

    Threat Identifier(s): CVE-2009-2506
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: E-Mail; IM; Peer-to-Peer Networks; Web
    User Interaction Required: Yes
    Description
    A vulnerability in WordPad and Microsoft Office Word could allow remote code execution. The vulnerability lies in the way that text converters in WordPad and Word process memory when a user opens a specially crafted Word 97 file. Exploiting this vulnerability could allow an attacker to remotely take complete control of a system.
    Importance: Medium. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: WordPad and Office Text Converter Memory Corruption Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 8 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-073)
       975539
       WordPad and Office Text converter Memory Corruption Vulnerability (975539)

    (MS09-074) Project Memory Validation Vulnerability (967183) [MTIS09-128-L]

    Threat Identifier(s): CVE-2009-0102
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: E-Mail; Peer-to-Peer Networks; IM; Web
    User Interaction Required: Yes
    Description
    A vulnerability in Microsoft Office Project could allow remote code execution. The vulnerability lies in the way Project handles specially crafted Project files. The vulnerability could be exploited by sending a malformed file as an email attachment or by hosting it on a specially crafted or compromised website. If a user were logged on with administrative user rights, an attacker could exploit the vulnerability and take complete control of an affected system.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Out of scope
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Project Memory Validation Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL / MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 8 will contain coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       (MS09-074)
       967183
       Project Memory Validation Vulnerability (967183)

    Detailed descriptions of the Security Advisories can be found in the Users Guide: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_UsersGuide.pdf

    For more information on McAfee Avert Labs Security Advisories, see: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_FAQ.pdf

    McAfee values your feedback on this Security Advisory. Please reply to this mail with your comments.

    *The information provided is only for the use and convenience of McAfee's customers in connection with their McAfee products, and applies only to the threats described herein. McAfee product coverage statements are limited to known attack vectors and should not be considered comprehensive. THE INFORMATION PROVIDED HEREIN IS PROVIDED "AS IS" AND IS SUBJECT TO CHANGE WITHOUT NOTICE.

    The information contained herein is the property of McAfee, Inc. and may not be reproduced or disseminated without the expressed written consent of McAfee, Inc.

    McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054 888.847.8766 www.mcafee.com

    ® 2009 McAfee, Inc. All rights reserved.