McAfee Labs Security Advisory: MTIS09‐129

Version 1
    December 10, 2009

    Executive Summary
    Since the last McAfee® Labs Security Advisory (December 9), the following noteworthy events have taken place:
    • Adobe has released an update to address multiple code-execution vulnerabilities.
    • McAfee product coverage has been updated for vulnerabilities in Microsoft Windows.

    McAfee product coverage for these events:

    McAfee Product Coverage *

    Threat | Name | Importance | DAT | BOP | Host IPS | McAfee Network Security Platform | McAfee Vulnerability Manager | MNAC 2.x | McAfee Remediation Manager | McAfee Policy Auditor SCAP | MNAC SCAP
    --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
    MTIS09-129-A | Adobe JPEG parsing Vuln | Medium | UA | Exp | Exp | UA | Yes | UA | Pend | UA | UA
    MTIS09-129-B | Adobe Flash Data Inj RCE | Medium | UA | Exp | Exp | UA | Yes | No | Pend | UA | UA
    MTIS09-129-C | Adobe Flash Mem Corr RCE | Medium | UA | Exp | Exp | Yes | Yes | UA | Pend | UA | UA
    MTIS09-129-D | ATL COM Init Vuln | High | UA | Exp | Exp | Yes | Yes | Pend | Yes | UA | UA
    MTIS09-129-E | Adobe Flash Int OF RCE | Medium | UA | Exp | Exp | UA | Yes | No | Pend | UA | UA
    MTIS09-129-F | Flash multi crash RCE | Medium | UA | Exp | Exp | UA | Yes | No | UA | UA | UA



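    McAfee Product Coverage Updates *

    Threat | Advisory | Importance | DAT | BOP | Host IPS | McAfee Network Security Platform | McAfee Vulnerability Manager | MNAC 2.x | McAfee Remediation Manager | McAfee Policy Auditor SCAP | MNAC SCAP
    --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
    MTIS09-128-A LclSecAuth Subsys Vuln | Previous | Medium | N/A | N/A | N/A | N/A | Yes | Pend | Pend | UA | UA
    MTIS09-128-A LclSecAuth Subsys Vuln | Current | Medium | N/A | N/A | N/A | N/A | Yes | Pend | Yes | UA | UA
    MTIS09-128-B Sgle SO Spoof in ADFS | Previous | Medium | N/A | N/A | N/A | N/A | Yes | Pend | Pend | UA | UA
    MTIS09-128-B Sgle SO Spoof in ADFS | Current | Medium | N/A | N/A | N/A | N/A | Yes | Pend | Yes | UA | UA
    MTIS09-128-C RCE in ADFS Vuln | Previous | Medium | N/A | N/A | N/A | Pend | Yes | Pend | Pend | UA | UA
    MTIS09-128-C RCE in ADFS Vuln | Current | Medium | N/A | N/A | N/A | Pend | Yes | Pend | Yes | UA | UA
    MTIS09-128-D Mem Corr in IAS Vuln | Previous | High | N/A | Exp | Exp | N/A | Yes | Pend | Pend | UA | UA
    MTIS09-128-D Mem Corr in IAS Vuln | Current | High | N/A | Exp | Exp | N/A | Yes | Pend | Yes | UA | UA
    MTIS09-128-E MS-CHAP Auth Byps Vuln | Previous | Medium | N/A | N/A | N/A | Pend | Yes | Pend | Pend | UA | UA
    MTIS09-128-E MS-CHAP Auth Byps Vuln | Current | Medium | N/A | N/A | N/A | Pend | Yes | Pend | Yes | UA | UA
    MTIS09-128-F ATL COM Init Vuln | Previous | High | N/A | Exp | Yes | Yes | Yes | Pend | Pend | UA | UA
    MTIS09-128-F ATL COM Init Vuln | Current | High | N/A | Exp | Yes | Yes | Yes | Pend | Yes | UA | UA
    MTIS09-128-G Uninit Mem Corupt Vuln | Previous | High | N/A | Exp | Exp | Pend | Yes | Pend | Pend | UA | UA
    MTIS09-128-G Uninit Mem Corupt Vuln | Current | High | UA | Exp | Exp | Pend | Yes | Pend | Yes | UA | UA
    MTIS09-128-H HTML ObjMem Corpt Vuln | Previous | High | N/A | Exp | Exp | Pend | Yes | Pend | Pend | UA | UA
    MTIS09-128-H HTML ObjMem Corpt Vuln | Current | High | N/A | Exp | Exp | Pend | Yes | Pend | Yes | UA | UA
    MTIS09-128-I Unit Mem Crptn Vuln | Previous | High | N/A | Exp | Exp | Pend | Yes | Pend | Pend | UA | UA
    MTIS09-128-I Unit Mem Crptn Vuln | Current | High | N/A | Exp | Exp | Pend | Yes | Pend | Yes | UA | UA
    MTIS09-128-J ATL COM Init Vuln | Previous | High | N/A | Exp | Exp | Pend | Yes | Pend | Pend | UA | UA
    MTIS09-128-J ATL COM Init Vuln | Current | High | UA | Exp | Yes | Yes | Yes | Pend | Yes | UA | UA
    MTIS09-128-L Pjct Mem Val Vuln | Previous | High | N/A | N/A | Exp | Pend | Yes | Pend | Pend | UA | UA
    MTIS09-128-L Pjct Mem Val Vuln | Current | High | UA | N/A | Exp | Pend | Yes | Pend | Yes | UA | UA
    MTIS09-128-K WP and OfcTxt Mem Vuln | Previous | Medium | N/A | Exp | Exp | Pend | Yes | Pend | Pend | UA | UA
    MTIS09-128-K WP and OfcTxt Mem Vuln | Current | Medium | UA | Exp | Exp | Pend | Yes | Pend | Yes | UA | UA
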

    Adobe Flash player / AIR JPEG data parsing Remote Code Execution Vulnerability [MTIS09-129-A]

    Threat Identifier(s): CVE-2009-3794
    Threat Type: Vulnerability
    Risk Assessment: Critical
    Main Threat Vectors: Web
    User Interaction Required: No
    Description
    A vulnerability in Adobe Flash Player and Adobe AIR while parsing JPEG data could potentially lead to code execution.
    Importance: Medium. On December 8 Adobe released an update to address this issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: Under analysis
       McAfee Vulnerability Manager: The FSL/MVM package of December 9 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: Under analysis
       McAfee Remediation Manager: An upcoming V-Flash will provide coverage.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       Security updates available for Adobe Flash Player
       Adobe Flash Player - Upgrade to the latest version

    Adobe Flash Player Data Injection Remote Code Execution Vulnerability [MTIS09-129-B]

    Threat Identifier(s): CVE-2009-3796
    Threat Type: Vulnerability
    Risk Assessment: Critical
    Main Threat Vectors: Web; E-Mail
    User Interaction Required: No
    Description
    A data-injection vulnerability in Adobe Flash Player and Adobe AIR could lead to code execution.
    Importance: Medium. On December 8 Adobe released an update to address this issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: Under analysis
       McAfee Vulnerability Manager: The FSL/MVM package of December 9 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: Out of scope
       McAfee Remediation Manager: An upcoming V-Flash will provide coverage.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       Security updates available for Adobe Flash Player
       Adobe Flash Player - Upgrade to the latest version

    Adobe Flash Player Memory Corruption Remote code execution Vulnerability [MTIS09-129-C]

    Threat Identifier(s): CVE-2009-3797
    Threat Type: Vulnerability
    Risk Assessment: Critical
    Main Threat Vectors: Web; E-Mail
    User Interaction Required: No
    Description
    A vulnerability in Adobe Flash Player that causes memory corruption could lead to remote code execution.
    Importance: Medium. On December 8 Adobe released an update to address this issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Adobe Flash Player Memory Corruption Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 9 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: Under analysis
       McAfee Remediation Manager: An upcoming V-Flash will provide coverage.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       Security updates available for Adobe Flash Player
       Adobe Flash Player - Upgrade to the latest version

    (MS09-072) ATL COM Initialization Vulnerability (976325) [MTIS09-129-D]

    Threat Identifier(s): CVE-2009-2493
    Threat Type: Vulnerability
    Risk Assessment: Critical
    Main Threat Vectors: Web; E-Mail; Peer-to-Peer Networks
    User Interaction Required: No
    Description
    A vulnerability in an ActiveX control built with vulnerable Microsoft Active Template Library (ATL) headers could allow remote code execution. Attackers could exploit the vulnerability via a specially crafted web page. When a user views the page, the attacker could execute remote code.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Microsoft ATL COM Initialization Vulnerability ActiveX Kill Bits IV," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-072) ATL COM Initialization Vulnerability (976325)

    Adobe Flash Player Integer Overflow Remote Code Execution Vulnerability [MTIS09-129-E]

    Threat Identifier(s): CVE-2009-3799
    Threat Type: Vulnerability
    Risk Assessment: Critical
    Main Threat Vectors: E-Mail; Web
    User Interaction Required: No
    Description
    An integer-overflow vulnerability in Adobe Flash Player and Adobe AIR could lead to remote code execution.
    Importance: Medium. On December 8 Adobe released an update to address this issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: Under analysis
       McAfee Vulnerability Manager: The FSL/MVM package of December 9 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: Out of scope
       McAfee Remediation Manager: An upcoming V-Flash will provide coverage.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       Security updates available for Adobe Flash Player
       Adobe Flash Player - Upgrade to the latest version

    Adobe Flash Player Multiple Crash Remote Code Execution Vulnerability [MTIS09-129-F]

    Threat Identifier(s): CVE-2009-3800
    Threat Type: Vulnerability
    Risk Assessment: Critical
    Main Threat Vectors: E-Mail; Web
    User Interaction Required: No
    Description
    Multiple crash vulnerabilities in Adobe Flash Player and AIR could lead to remote code execution.
    Importance: Medium. On December 8 Adobe released an update to address this issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: Under analysis
       McAfee Vulnerability Manager: The FSL/MVM package of December 9 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: Out of scope
       McAfee Remediation Manager: Under analysis
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information:
       Security updates available for Adobe Flash Player
       Adobe Flash Player - Upgrade to the latest version

    (MS09-069) Local Security Authority Subsystem Service Resource Exhaustion Vulnerability (974392) [MTIS09-128-A]

    Threat Identifier(s): CVE-2009-3675
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; WAN; Peer-to-Peer Networks
    User Interaction Required: No
    Description
    A vulnerability in Microsoft Windows could allow a denial of service. The vulnerability exists due to the Local Security Authority Subsystem Service (LSASS) improperly handling a specially crafted ISAKMP message while communicating via IPSEC. A remote user could send a maliciously crafted ISAKMP message to the server that would cause LSASS.exe to consume system resources, resulting in a denial of service.
    Importance: Medium. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Out of scope
       Host IPS: Out of scope
       McAfee Network Security Platform: Coverage not warranted at this time
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-069) Local Security Authority Subsystem Service Resource Exhaustion Vulnerability (974392)

    (MS09-070) Single Sign On Spoofing in ADFS Vulnerability (971726) [MTIS09-128-B]

    Threat Identifier(s): CVE-2009-2508
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Locally logged-on user; Web
    User Interaction Required: No
    Description
    A vulnerability in Active Directory Federation Services could allow spoofing. The vulnerability could allow an attacker to impersonate an authenticated user if the attacker has access to a terminal and web browser that was recently used by the targeted user to access a website offering single sign-on.
    Importance: Medium. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Out of scope
       Host IPS: Out of scope
       McAfee Network Security Platform: Coverage not warranted at this time
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-070) Single Sign On Spoofing in ADFS Vulnerability (971726)

    (MS09-070) Remote Code Execution in ADFS Vulnerability (971726) [MTIS09-128-C]

    Threat Identifier(s): CVE-2009-2509
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; Locally logged-on user
    User Interaction Required: No
    Description
    A vulnerability in implementations of Microsoft's Active Directory Federation Services (ADFS) could allow remote code execution. The vulnerability is due to incorrect validation of request headers when an authenticated user connects to an ADFS-enabled web server. Exploiting this vulnerability could allow an attacker to take complete control of a system.
    Importance: Medium. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Out of scope
       Host IPS: Out of scope
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Remote Code Execution in ADFS Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-070) Remote Code Execution in ADFS Vulnerability (971726)

    (MS09-071) Memory Corruption in Internet Authentication Service Vulnerability (974318) [MTIS09-128-D]

    Threat Identifier(s): CVE-2009-2505
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Locally logged-on user; Web
    User Interaction Required: No
    Description
    A vulnerability in implementations of PEAP on the Internet Authentication Service could allow remote code execution. The vulnerability is caused by the incorrect copying of messages received by the server in memory when handling PEAP authentication attempts. Exploiting the vulnerability could allow an attacker to take complete control of a system.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: Coverage not warranted at this time
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-071) Memory Corruption in Internet Authentication Service Vulnerability (974318)

    (MS09-071) MS-CHAP Authentication Bypass in Internet Authentication Service Vulnerability (974318) [MTIS09-128-E]

    Threat Identifier(s): CVE-2009-3677
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Locally logged-on user; Web
    User Interaction Required: No
    Description
    A vulnerability in Microsoft's Internet Authentication Service could allow the elevation of privileges. The vulnerability is caused by the Internet Authentication Service incorrectly validating an MS-CHAP v2 authentication request. This causes the server to consider the request valid, even when incorrect credentials may have been provided.
    Importance: Medium. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Out of scope
       Host IPS: Out of scope
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "RADIUS: MS-CHAP Authentication Bypass in Internet Authentication Service Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-071) MS-CHAP Authentication Bypass in Internet Authentication Service Vulnerability (974318)

    (MS09-072) ATL COM Initialization Vulnerability (976325) [MTIS09-128-F]

    Threat Identifier(s): CVE-2009-2493
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; E-Mail; Peer-to-Peer Networks
    User Interaction Required: Yes
    Description
    A vulnerability in an ActiveX control built with vulnerable Microsoft Active Template Library (ATL) headers could allow remote code execution. Attackers could exploit the vulnerability via a specially crafted web page. When a user views the page, the remote code execution could be possible.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Coverage not warranted at this time
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection for code-execution exploits is provided through Signature 2924.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Microsoft ATL COM Initialization Vulnerability ActiveX Kill Bits IV," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-072) ATL COM Initialization Vulnerability (976325)

    (MS09-072) Uninitialized Memory Corruption Vulnerability (976325) [MTIS09-128-G]

    Threat Identifier(s): CVE-2009-3671
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; Peer-to-Peer Networks; E-Mail
    User Interaction Required: Yes
    Description
    A vulnerability in Internet Explorer may allow an attacker to execute remote code. The vulnerability lies in the way Internet Explorer accesses an object that hasn't been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted web page. When a user views the web page, the vulnerability could allow remote code execution. An attacker exploiting the vulnerability could gain the same user rights as the logged-on user.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Internet Explorer Uninitialized Memory Corruption Vulnerability V," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-072) Uninitialized Memory Corruption Vulnerability (976325)

    (MS09-072) HTML Object Memory Corruption Vulnerability (976325) [MTIS09-128-H]

    Threat Identifier(s): CVE-2009-3672
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; E-Mail; Peer-to-Peer Networks
    User Interaction Required: Yes
    Description
    A vulnerability in Internet Explorer may allow an attacker to execute remote code. The vulnerability lies in the way Internet Explorer accesses an object that hasn't been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted web page. When a user views the web page, the vulnerability could allow remote code execution. An attacker exploiting the vulnerability could gain the same user rights as the logged-on user.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Coverage not warranted at this time
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Internet Explorer HTML Object Memory Corruption Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-072) HTML Object Memory Corruption Vulnerability (976325)

    (MS09-072) Uninitialized Memory Corruption Vulnerability (976325) [MTIS09-128-I]

    Threat Identifier(s): CVE-2009-3673
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: E-Mail; Peer-to-Peer Networks; Web
    User Interaction Required: Yes
    Description
    A vulnerability in Internet Explorer may allow an attacker to execute remote code. The vulnerability lies in the way Internet Explorer accesses an object that hasn't been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted web page. When a user views the web page, the vulnerability could allow remote code execution. An attacker exploiting the vulnerability could gain the same user rights as the logged-on user.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Coverage not warranted at this time
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Internet Explorer Uninitialized Memory Corruption Vulnerability VII," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-072) Uninitialized Memory Corruption Vulnerability (976325)

    (MS09-072) ATL COM Initialization Vulnerability (976325) [MTIS09-128-J]

    Threat Identifier(s): CVE-2009-2493
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; E-Mail; Peer-to-Peer Networks
    User Interaction Required: Yes
    Description
    A vulnerability in an ActiveX control built with vulnerable Microsoft Active Template Library (ATL) headers could allow remote code execution. Attackers could exploit the vulnerability via a specially crafted web page. When a user views the page, the attacker could execute remote code.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Microsoft ATL COM Initialization Vulnerability ActiveX Kill Bits IV," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-072) ATL COM Initialization Vulnerability (976325)

    (MS09-074) Project Memory Validation Vulnerability (967183) [MTIS09-128-L]

    Threat Identifier(s): CVE-2009-0102
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: E-Mail; Peer-to-Peer Networks; IM; Web
    User Interaction Required: Yes
    Description
    A vulnerability in Microsoft Office Project could allow remote code execution. The vulnerability lies in the way Project handles specially crafted Project files. The vulnerability could be exploited by sending a malformed file as an email attachment or hosted on a specially crafted or compromised website. If a user were logged on with administrative user rights, an attacker could exploit the vulnerability and take complete control of an affected system.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Out of scope
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Project Memory Validation Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-074) Project Memory Validation Vulnerability (967183)

    (MS09-073) WordPad and Office Text converter Memory Corruption Vulnerability (975539) [MTIS09-128-K]

    Threat Identifier(s): CVE-2009-2506
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: E-Mail; IM; Peer-to-Peer Networks; Web
    User Interaction Required: Yes
    Description
    A vulnerability in WordPad and Microsoft Office Word could allow remote code execution. The vulnerability lies in the way that text converters in WordPad and Word process memory when a user opens a specially crafted Word 97 file. Exploiting this vulnerability could allow an attacker to remotely take complete control of a system.
    Importance: Medium. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: WordPad and Office Text Converter Memory Corruption Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-073) WordPad and Office Text converter Memory Corruption Vulnerability (975539)

    Detailed descriptions of the Security Advisories can be found in the Users Guide: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_UsersGuide.pdf

    For more information on McAfee Avert Labs Security Advisories, see: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_FAQ.pdf

    McAfee values your feedback on this Security Advisory. Please reply to this mail with your comments.

    *The information provided is only for the use and convenience of McAfee's customers in connection with their McAfee products, and applies only to the threats described herein. McAfee product coverage statements are limited to known attack vectors and should not be considered comprehensive. THE INFORMATION PROVIDED HEREIN IS PROVIDED "AS IS" AND IS SUBJECT TO CHANGE WITHOUT NOTICE.

    The information contained herein is the property of McAfee, Inc. and may not be reproduced or disseminated without the expressed written consent of McAfee, Inc.

    McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054 888.847.8766 www.mcafee.com

    © 2009 McAfee, Inc. All rights reserved.