Microsoft Security Bulletin for the Month of November

Number: AV09-045
Date: 11 November 2009

Purpose

The purpose of this advisory is to bring attention to the following vulnerabilities (three critical and three important) in some Microsoft products.

Assessment

Microsoft has released the following security bulletins:

MS09-063 - Critical - Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565)

Details: This update resolves a vulnerability in the Web Services on Devices Application Programming Interface (WSDAPI) that could allow remote code execution on an affected Windows system when it receives a specially crafted packet. A successful attack could result in complete control of the targeted system. This attack would have to come from the local subnet.
Impact: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: Inconsistent exploit code likely
Affected Products: Microsoft Windows
CVE reference: CVE-2009-2512
http://www.microsoft.com/technet/security/bulletin/ms09-063.mspx

MS09-064 - Critical - Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)

Details: This update resolves a vulnerability in Microsoft Windows 2000. Attackers can send specially crafted network messages to License Logging servers to exploit this vulnerability. A successful attack could result in complete control of the targeted system. Following firewall security best practices will help mitigate this issue.
Impact: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: Inconsistent exploit code likely
Affected Products: Microsoft Windows
CVE reference: CVE-2009-2523
http://www.microsoft.com/technet/security/bulletin/ms09-064.mspx

MS09-065 - Critical - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)

Details: This update resolves several vulnerabilities in the Windows kernel. The affected kernel-mode drivers could allow attackers to execute malicious code by enticing users to open files containing Embedded OpenType (EOT) fonts. Web-based attacks would involve an attacker hosting a Web site that contains specially crafted embedded fonts.
Impact: Remote Code Execution
Maximum Severity Rating: Critical
Maximum Exploitability Index: Consistent exploit code likely
Affected Products: Microsoft Windows
CVE reference: CVE-2009-1127, CVE-2009-2513, CVE-2009-2514
http://www.microsoft.com/technet/security/Bulletin/MS09-065.mspx

MS09-066 - Important - Vulnerability in Active Directory Could Allow Denial of Service (973309)

Details: This security update resolves a privately reported vulnerability in the Active Directory directory service, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS) that could lead to a denial of service. The cause is stack space exhaustion during execution of certain types of LDAP or LDAPS requests. The stack exhaustion is related to the LSASS Recursive Stack Overflow Vulnerability published in July of this year.
Impact: Denial of Service
Maximum Severity Rating: Important
Affected Products: Microsoft Windows
Maximum Exploitability Index: Functioning exploit code unlikely
CVE Reference: CVE-2009-1928
http://www.microsoft.com/technet/security/bulletin/ms09-066.mspx

MS09-067 - Important - Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)

Details: This security update resolves several privately reported vulnerabilities in Microsoft Office Excel. The vulnerabilities could allow remote code execution if a user opens a specially crafted Excel file. A successful exploit of these vulnerabilities could allow an attacker to gain elevated user privileges equal to those of the user who opens the malformed Excel document. Users with restricted user privileges are likely to be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Maximum Severity Rating: Important
Affected Products: Microsoft Office
Maximum Exploitability Index: Inconsistent exploit code likely
CVE Reference: CVE-2009-3127, CVE-2009-3128, CVE-2009-3129, CVE-2009-3130, CVE-2009-3131, CVE-2009-3132, CVE-2009-3133, CVE-2009-3134
http://www.microsoft.com/technet/security/bulletin/MS09-067.mspx

MS09-068 - Important - Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307)

Details: This security update resolves a privately reported vulnerability that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Impact: Remote Code Execution
Maximum Severity Rating: Important
Affected Products: Microsoft Office
Maximum Exploitability Index: Consistent exploit code likely
CVE Reference: CVE-2009-3135
http://www.microsoft.com/technet/security/bulletin/MS09-068.mspx

Suggested action

CCIRC recommends that administrators test and deploy these updates at the earliest opportunity. Microsoft has published a risk matrix table to assist organizations in evaluating and prioritizing deployment of these security updates. This table is available at the following URL:
http://blogs.technet.com/msrc/archive/2009/11/10/november-2009-security-bulletin-release.aspx

References:
http://www.microsoft.com/technet/security/bulletin/MS09-nov.mspx

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca