MS-ISAC ADVISORY NUMBER:
2009-011
DATE(S) ISSUED:
3/10/2009
SUBJECT:
Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (MS09-006)
Three vulnerabilities have been discovered in Microsoft Windows which could allow an attacker to take complete control of a vulnerable system. These vulnerabilities can be exploited if a user opens a specially crafted image file or previews it in Windows Explorer; views or previews an email or visits a website with a specially crafted image file embedded; or runs a specially crafted application. Successful exploitation will result in an attacker gaining system-level privileges. This will allow the attacker to then install programs; view, change, or delete data; or create new accounts with administrative privileges.
SYSTEMS AFFECTED:
- Windows 2000 SP4
- Windows XP
- Windows Vista
- Windows Server 2003
- Windows Server 2008
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: High
DESCRIPTION:
Three vulnerabilities have been discovered in the Microsoft Windows kernel
which could allow an attacker to take complete control of a vulnerable
system. The Windows kernel is the core of the operating system. It provides
system-level services such as device management, memory management,
allocation of processor time to processes, and error handling. Details
of these vulnerabilities are as follows:
Windows Kernel Input Validation Vulnerability
A remote code execution vulnerability has been discovered in the way the
Windows kernel validates input that is passed from user mode through the
kernel component of GDI when processing specially crafted Windows Metafile
(WMF) and Enhanced Metafile (EMF) images. For this vulnerability to be
exploited, a user must open a specially crafted image file or preview it in
Windows Explorer, view or preview an email, or visit a website with a
specially crafted image file embedded.
Windows Kernel Handle Validation Vulnerability
The Microsoft Windows kernel fails to properly validate handles when performing
certain actions, which results in an elevation of privilege vulnerability.
Successful exploitation of this vulnerability requires an attacker to log on
to a system and run a specially crafted application.
Windows Kernel Invalid Pointer Vulnerability
An elevation of privilege vulnerability has been discovered in the way
that the Windows kernel handles specially crafted invalid pointers.
Successful exploitation of this vulnerability requires an attacker to log on
to a system and run a specially crafted application.
Successful exploitation of all the vulnerabilities described above will allow the attacker to install programs; view, change, or delete data; or create new accounts with administrative privileges.
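Because the input validation vulnerability above is reached through WMF and EMF images, the following added example (not part of the MS-ISAC advisory or the Microsoft bulletin) shows how a mail or web gateway script could recognize metafiles by their header bytes rather than by file name, so they can be held for review on systems that are not yet patched. The function names and sample data are hypothetical and constructed for illustration; the header constants come from the published WMF and EMF file formats, not from the advisory.

```python
import struct

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # optional "placeable" prefix header of a WMF file
EMF_SIGNATURE = 0x464D4520       # the bytes " EMF" at offset 40 of the EMR_HEADER record
EMR_HEADER = 1                   # record type of the first EMF record

def metafile_kind(data: bytes):
    """Return 'EMF', 'WMF' or None based on header bytes, ignoring any file name."""
    # EMF: first record is EMR_HEADER; its size covers at least the 88-byte
    # base header and is 4-byte aligned; the signature sits at offset 40.
    if len(data) >= 44:
        rec_type, rec_size = struct.unpack_from("<II", data, 0)
        (signature,) = struct.unpack_from("<I", data, 40)
        if (rec_type == EMR_HEADER and signature == EMF_SIGNATURE
                and rec_size >= 88 and rec_size % 4 == 0):
            return "EMF"
    # WMF: skip the 22-byte placeable header when present, then expect the
    # standard header: type 1 or 2, header size 9 words, version 0x0100/0x0300.
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        offset = 22
    if len(data) >= offset + 18:
        mf_type, header_words, version = struct.unpack_from("<HHH", data, offset)
        if mf_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
            return "WMF"
    return None

def triage(attachments: dict):
    """Map attachment name -> kind for every item that is really a metafile."""
    return {name: kind for name, data in attachments.items()
            if (kind := metafile_kind(data)) is not None}

# Constructed sample inputs (headers only, no real image content).
_emf = struct.pack("<II", 1, 88) + b"\x00" * 32 + b" EMF" + b"\x00" * 44
_wmf = struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12
_placeable = struct.pack("<I", WMF_PLACEABLE_KEY) + b"\x00" * 18 + _wmf
SAMPLES = {
    "invoice.jpg": _emf,            # EMF content behind a .jpg name
    "logo.wmf": _placeable,
    "chart.png": _wmf,              # WMF content behind a .png name
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 40,
    "truncated.emf": _emf[:20],     # too short to classify
}

if __name__ == "__main__":
    for name, kind in triage(SAMPLES).items():
        print(f"{name}: {kind} content, hold for review")
```

This recognizes standalone metafiles only; metafiles embedded inside other document formats are not detected, so it supplements the vendor patch and does not replace it.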
RECOMMENDATIONS:
We recommend the following actions be taken:
- Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
- Do not open email attachments from untrusted sources.
- Ensure that all anti-virus software is up to date with the latest signatures.
- Install the appropriate vendor patch immediately after appropriate testing.
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/ms09-006.mspx
Security Focus:
http://www.securityfocus.com/bid/34025
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0082
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0083
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
