August Microsoft Security Bulletin
Microsoft Security Bulletin Summary for August 2009
Published: August 11, 2009
http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx
Microsoft Security Bulletin MS09-036 - MS09-044
Microsoft Windows, Microsoft .NET Framework: MS09-036
Microsoft Windows: MS09-037 - MS09-042
Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server: MS09-043
Microsoft Windows, Remote Desktop Connection Client for Mac: MS09-044
Note: To download the patches, follow the link to the bulletin article and pick from it the download link that applies to your OS or component.
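The note above points at the download links; what an administrator usually wants next is a quick check of which of these updates an already-patched host is actually carrying. The script below is an added example, not part of the original post, and maps each bulletin in this summary to the KB number quoted in its title. It assumes PowerShell with the Get-HotFix cmdlet available (Windows 7 / Server 2008 R2 and later) and that the updates were installed through Windows Update or a WSUS client, so that they appear in the Win32_QuickFixEngineering list that Get-HotFix reads.

```powershell
# Added example (not from the original post): report which of the August 2009
# bulletin updates are present on the local host, by KB number.
# Bulletin-to-KB mapping is taken from the bulletin titles in this summary.
$augustBulletins = @{
    'MS09-036' = 'KB970957'   # ASP.NET denial of service
    'MS09-037' = 'KB973908'   # ATL in Windows components
    'MS09-038' = 'KB971557'   # Windows Media file processing
    'MS09-039' = 'KB969883'   # WINS
    'MS09-040' = 'KB971032'   # Message Queuing
    'MS09-041' = 'KB971657'   # Workstation service
    'MS09-042' = 'KB960859'   # Telnet
    'MS09-043' = 'KB957638'   # Office Web Components
    'MS09-044' = 'KB970927'   # Remote Desktop Connection
}

# Get-HotFix queries Win32_QuickFixEngineering, i.e. OS-level updates only.
# Add -ComputerName <host> to run the same check against a remote machine.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

# Build one row per bulletin (New-Object form keeps this PowerShell 2.0 compatible)
$report = foreach ($bulletin in ($augustBulletins.Keys | Sort-Object)) {
    $kb = $augustBulletins[$bulletin]
    New-Object -TypeName PSObject -Property @{
        Bulletin  = $bulletin
        KB        = $kb
        Installed = [bool]($installed -contains $kb)
    }
}

$report | Format-Table Bulletin, KB, Installed -AutoSize

# Call out anything not found so it can be checked against the bulletin article
$missing = $report | Where-Object { -not $_.Installed }
if ($missing) {
    $list = ($missing | ForEach-Object { "$($_.Bulletin) ($($_.KB))" }) -join ', '
    Write-Warning "Not found in the installed hotfix list: $list"
} else {
    Write-Host "All August 2009 bulletin updates were found in the hotfix list."
}
```

Treat a missing KB as a prompt to look, not as proof that the host is unpatched: a bulletin that is not applicable to the host (for example, the Windows 7 and Server 2008 R2 releases listed as non-affected, or WINS and Telnet server when those roles are not installed) will naturally be absent, updates for Office, Office Web Components and the .NET Framework are often not recorded in Win32_QuickFixEngineering at all, and a single bulletin can ship as several component-specific packages, each with its own KB number. Cross-check anything the script flags against the bulletin article and your WSUS or MBSA reports.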
Microsoft Security Bulletin MS09-037
Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)
http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx
Multiple vulnerabilities in ATL in Microsoft Windows components
http://www.securitylab.ru/vulnerability/383530.php
Rating: Critical
Description:
The discovered vulnerabilities allow a remote user to bypass certain security restrictions and compromise the target system.
1. The vulnerability exists due to insufficient validation of input data in the CComVariant::ReadFromStream function in an ATL header. A remote user can execute arbitrary code on the target system via a specially crafted web site opened in Internet Explorer. The vulnerability relates to: Arbitrary code execution in Microsoft DirectShow MPEG2TuneRequest ActiveX (http://www.securitylab.ru/vulnerability/382197.php)
2. The vulnerability exists due to a boundary error in the Load method of the IPersistStreamInit interface in Microsoft Active Template Library (ATL). A remote user can, via a specially crafted web site opened in Internet Explorer, pass unsafe data to the memcopy() function and execute arbitrary code on the target system.
3. The vulnerability exists due to an error in the ATL headers that allows the VariantClear() function to be called on a variable of type Variant. A remote user can execute arbitrary code on the target system via a specially crafted web site. The vulnerability relates to: Multiple vulnerabilities in Microsoft Visual Studio Active Template Library (http://www.securitylab.ru/vulnerability/383038.php #1)
4. The vulnerability exists due to an error in the ATL headers when initializing an object from a data stream. A remote user can, via a specially crafted web site, bypass the configured restrictions on running ActiveX components and execute arbitrary code on the target system. The vulnerability relates to: Multiple vulnerabilities in Microsoft Visual Studio Active Template Library (http://www.securitylab.ru/vulnerability/383038.php #2)
5. The vulnerability exists due to a Variant validation error in the ATL headers. A remote user can cause memory corruption and execute arbitrary code on the target system.
Affected Software:
• Microsoft Windows 2000
• Microsoft Outlook Express 5.5 Service Pack 2
• Microsoft Outlook Express 6 Service Pack 1
• Windows Media Player 9
• Windows ATL Component
• DHTML Editing Component ActiveX Control
• Windows XP
• Microsoft Outlook Express 6
• Windows Media Player 9, Windows Media Player 10, and Windows Media Player 11
• Windows ATL Component
• DHTML Editing Component ActiveX Control
• Microsoft MSWebDVD ActiveX Control
• Windows Server 2003
• Microsoft Outlook Express 6
• Windows Media Player 10
• Windows ATL Component
• DHTML Editing Component ActiveX Control
• Microsoft MSWebDVD ActiveX Control
• Windows Vista
• Windows Media Player 11
• Windows ATL Component
• Windows Server 2008
• Windows Media Player 11
• Windows ATL Component
Non-Affected Software:
• Windows 7 for 32-bit Systems
• Windows 7 for x64-based Systems
• Windows Server 2008 R2 for x64-based Systems
• Windows Server 2008 R2 for Itanium-based Systems
Microsoft Security Bulletin MS09-038
Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)
http://www.microsoft.com/technet/security/bulletin/ms09-038.mspx
Vulnerabilities in media file processing in Microsoft Windows
http://www.securitylab.ru/vulnerability/383531.php
Rating: Critical
Description:
The discovered vulnerabilities allow a remote user to compromise the target system.
1. The vulnerability exists due to an error in processing the headers of an AVI file. A remote user can cause memory corruption and execute arbitrary code on the target system via a specially crafted AVI file.
2. An integer overflow exists due to an error in processing AVI files. A remote user can cause memory corruption and execute arbitrary code on the target system via a specially crafted AVI file.
Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 2 and Windows XP Service Pack 3
• Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
• Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
• Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 *
• Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 *
• Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
*Windows Server 2008 server core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core (http://msdn.microsoft.com/en-us/library/ms723891(VS.85).aspx). Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options (http://www.microsoft.com/windowsserver2008/en/us/compare-core-installation.aspx).
Non-Affected Software:
• Windows 7 for 32-bit Systems
• Windows 7 for x64-based Systems
• Windows Server 2008 R2 for x64-based Systems
• Windows Server 2008 R2 for Itanium-based Systems
Microsoft Security Bulletin MS09-039
Vulnerabilities in WINS Could Allow Remote Code Execution (969883)
http://www.microsoft.com/technet/security/bulletin/ms09-039.mspx
Multiple vulnerabilities in WINS in Microsoft Windows
http://www.securitylab.ru/vulnerability/383532.php
Rating: Critical
Description:
The discovered vulnerabilities allow a remote user to compromise the target system.
1. The vulnerability exists due to an error in the WINS service when calculating a buffer size. A remote user can cause a heap overflow and execute arbitrary code on the target system via a specially crafted WINS packet.
2. An integer overflow exists in WINS when validating data structures. A remote user can cause a heap overflow and execute arbitrary code on the target system via a specially crafted WINS packet. The vulnerability applies only to Microsoft Windows 2000.
Affected Software:
• Microsoft Windows 2000 Server Service Pack 4
• Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition Service Pack 2
Non-Affected Software:
• Microsoft Windows 2000 Professional Service Pack 4
• Windows XP Service Pack 2 and Service Pack 3
• Windows XP Professional x64 Edition Service Pack 2
• Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
• Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
• Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
• Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
• Windows 7 for 32-bit Systems
• Windows 7 for x64-based Systems
• Windows Server 2008 R2 for x64-based Systems
• Windows Server 2008 R2 for Itanium-based Systems
Microsoft Security Bulletin MS09-040
Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032)
http://www.microsoft.com/technet/security/bulletin/ms09-040.mspx
Privilege escalation in Microsoft Windows
Rating: Important
Description:
The vulnerability allows a local user to elevate their privileges on the system.
Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Windows XP Service Pack 2
• Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP2 for Itanium-based Systems
• Windows Vista
• Windows Vista x64 Edition
Non-Affected Software:
• Windows XP Service Pack 3
• Windows Vista Service Pack 1, and Windows Vista Service Pack 2
• Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
• Windows 7 for 32-bit Systems
• Windows 7 for x64-based Systems
• Windows Server 2008 R2 for x64-based Systems
• Windows Server 2008 R2 for Itanium-based Systems
Microsoft Security Bulletin MS09-041
Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)
http://www.microsoft.com/technet/security/bulletin/ms09-041.mspx
Memory corruption in the Microsoft Windows Workstation service
Privilege escalation in the Workstation service in Microsoft Windows
http://www.securitylab.ru/vulnerability/383541.php
Rating: Important
Description:
The vulnerability allows a local user to elevate their privileges on the system and execute arbitrary code.
The vulnerability exists due to a double-free error when processing arguments in the NetrGetJoinInformation() function in the Workstation service. A local user can cause memory corruption via a specially crafted RPC request and execute arbitrary code on the system with elevated privileges.
Affected Software:
• Microsoft Windows XP Service Pack 2 and Windows XP Service Pack 3
• Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
• Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
• Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 *
• Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 *
• Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
*Windows Server 2008 server core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core (http://msdn.microsoft.com/en-us/library/ms723891(VS.85).aspx). Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options (http://www.microsoft.com/windowsserver2008/en/us/compare-core-installation.aspx).
Non-Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Windows 7 for 32-bit Systems
• Windows 7 for x64-based Systems
• Windows Server 2008 R2 for x64-based Systems
• Windows Server 2008 R2 for Itanium-based Systems
Microsoft Security Bulletin MS09-042
Vulnerability in Telnet Could Allow Remote Code Execution (960859)
http://www.microsoft.com/technet/security/bulletin/MS09-042.mspx
NTLM authentication relaying in Microsoft telnet
Arbitrary code execution in the Telnet service in Microsoft Windows
http://www.securitylab.ru/vulnerability/383542.php
Rating: Important
Description:
The vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to an error in the Telnet service when handling NTLM authentication. A remote user can send reflected NTLM data and gain access to the system. For successful exploitation, an attacker must trick the user into connecting to a malicious Telnet server, for example by clicking a link.
Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 2 and Windows XP Service Pack 3
• Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
• Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
• Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 *
• Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 *
• Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
*Windows Server 2008 server core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core (http://msdn.microsoft.com/en-us/library/ms723891(VS.85).aspx). Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options (http://www.microsoft.com/windowsserver2008/en/us/compare-core-installation.aspx).
Non-Affected Software:
• Windows 7 for 32-bit Systems
• Windows 7 for x64-based Systems
• Windows Server 2008 R2 for x64-based Systems
• Windows Server 2008 R2 for Itanium-based Systems
Microsoft Security Bulletin MS09-043
Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)
http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx
Memory corruption in Microsoft Office Web Components ActiveX
Multiple vulnerabilities in Microsoft Office Web Components
http://www.securitylab.ru/vulnerability/382430.php
Rating: Critical
Description:
The discovered vulnerabilities allow a remote user to compromise the target system.
1. The vulnerability exists due to a boundary error in the msDataSourceObject() method of the Office Web Components Spreadsheet ActiveX component (OWC 10 and OWC11). A remote user can cause a stack overflow and execute arbitrary code on the target system via a specially crafted web site.
Note: this vulnerability is currently being actively exploited.
2. The vulnerability exists due to an error when loading and unloading the OWC10 ActiveX component. A remote user can cause memory corruption and execute arbitrary code on the target system via a specially crafted web site.
3. The vulnerability exists due to an error in the OWC10.Spreadsheet ActiveX component related to the BorderAround() method. A remote user can cause memory corruption and execute arbitrary code on the target system via a specially crafted web site.
4. The vulnerability exists due to a boundary error in the Office Web Components ActiveX component. A remote user can cause memory corruption and execute arbitrary code on the target system via a specially crafted web site.
Affected Software:
• Microsoft Office Suites
• Microsoft Office XP Service Pack 3
• Microsoft Office 2003 Service Pack 3
• Microsoft Office Web Components
• Microsoft Office 2000 Web Components Service Pack 3
• Microsoft Office XP Web Components Service Pack 3
• Microsoft Office 2003 Web Components Service Pack 3
• Microsoft Office 2003 Web Components Service Pack 1 for the 2007 Microsoft Office System
• Microsoft Internet Security and Acceleration Server
• Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
• Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
• Microsoft Internet Security and Acceleration Server 2006 Standard Edition Service Pack 1
• Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition Service Pack 1
• Other Microsoft Software
• Microsoft BizTalk Server 2002
• Microsoft Visual Studio .NET 2003 Service Pack 1
• Microsoft Office Small Business Accounting 2006
Non-Affected Software:
• Office and Other Software
• 2007 Microsoft Office Suite Service Pack 1 and 2007 Microsoft Office Suite Service Pack 2
• Microsoft Office 2004 for Mac
• Microsoft Office 2008 for Mac
• Microsoft Office PowerPoint Viewer 2003
• Microsoft Office Word Viewer 2003
• Microsoft Office Word Viewer 2003 Service Pack 3
• Microsoft Office Excel Viewer 2003
• Microsoft Office Excel Viewer 2003 Service Pack 3
• Microsoft Office Excel Viewer
• Microsoft Office PowerPoint 2007 Viewer
• Microsoft Office PowerPoint Viewer 2007 Service Pack 1
• Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
• Microsoft Internet Security and Acceleration Server 2000 Service Pack 2*
• Microsoft BizTalk Server 2004
• Microsoft BizTalk Server 2006
• Microsoft BizTalk Server 2009
• Microsoft Visual Studio 2005
• Microsoft Visual Studio 2005 Service Pack 1
• Microsoft Visual Studio 2008
• Microsoft Visual Studio 2008 Service Pack 1
• Microsoft Visual Studio 2010
Microsoft Security Bulletin MS09-044
Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)
http://www.microsoft.com/technet/security/bulletin/MS09-044.mspx
Numerous vulnerabilities in the Microsoft RDP client
Multiple vulnerabilities in Microsoft Remote Desktop Connection
http://www.securitylab.ru/vulnerability/383549.php
Rating: Critical
Description:
The discovered vulnerabilities allow a remote user to compromise the target system.
1. The vulnerability exists due to an error in the mstscax.dll Remote Desktop Connection (RDP) library when processing responses from the server. An attacker can trick a user into connecting to a malicious RDP server, cause memory corruption and execute arbitrary code on the target system.
2. The vulnerability exists due to an error in the Remote Desktop Web Connection ActiveX component. A remote user can cause a heap overflow and execute arbitrary code on the target system via a specially crafted web site.
Affected Software:
• RDP Version 5.*, 6.*
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 2 and Windows XP Service Pack 3
• Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
• Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
• Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 *
• Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 *
• Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
*Windows Server 2008 server core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core (http://msdn.microsoft.com/en-us/library/ms723891(VS.85).aspx). Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options (http://www.microsoft.com/windowsserver2008/en/us/compare-core-installation.aspx).
Affected Software:
• Remote Desktop Connection Client for Mac 2.0**
**This download upgrades Remote Desktop Connection Client for Mac 2.0 to Remote Desktop Connection Client for Mac 2.0.1, which addresses the vulnerability.
Non-Affected Software:
• Windows 7 for 32-bit Systems
• Windows 7 for x64-based Systems
• Windows Server 2008 R2 for x64-based Systems
• Windows Server 2008 R2 for Itanium-based Systems
Microsoft Security Bulletin MS09-036
Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)
http://www.microsoft.com/technet/security/bulletin/MS09-036.mspx
Denial of service in Microsoft .NET Framework
http://www.securitylab.ru/vulnerability/383529.php
Rating: Important
Description:
The vulnerability allows a remote user to carry out a DoS attack.
The vulnerability exists due to an error in request scheduling management in ASP.NET on IIS 7.0 in integrated mode. A remote user can cause a denial of service of the web server via a specially crafted HTTP request.
Note: the vulnerability is currently being exploited by attackers.
Affected Software:
• Microsoft .NET Framework 2.0 Service Pack 1, Microsoft .NET Framework 3.5, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1
• Windows Vista, Windows Vista Service Pack 1
• Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1
• Windows Server 2008 for 32-bit Systems
• Windows Server 2008 for x64-based Systems
• Windows Server 2008 for Itanium-based Systems
Non-Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 2 and Windows XP Service Pack 3
• Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
• Windows Server 2003 Service Pack 2
• Windows Server 2003 x64 Edition Service Pack 2
• Windows Server 2003 with SP2 for Itanium-based Systems
• Windows Vista Service Pack 2
• Windows Vista x64 Edition Service Pack 2
• Windows Server 2008 for 32-bit Systems Service Pack 2
• Windows Server 2008 for x64-based Systems Service Pack 2
• Windows Server 2008 for Itanium-based Systems Service Pack 2
• Windows 7 for 32-bit Systems
• Windows 7 for x64-based Systems
• Windows Server 2008 R2 for x64-based Systems
• Windows Server 2008 R2 for Itanium-based Systems