VRDA Feed : Provides information for vulnerability impact analysis

VRDA Feed by

Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis

Vulnerability Analysis Result (Revision No : 1)

VRDA-091209-004 ( CVE-2009-3675 | CVE-2009-2508 | CVE-2009-2509 | CVE-2009-2505 | CVE-2009-3677 | CVE-2009-2493 | CVE-2009-3671 | CVE-2009-3672 | CVE-2009-3673 | CVE-2009-3674 | CVE-2009-2506 | CVE-2009-0102 )

Microsoft Updates for Multiple Vulnerabilities

http://www.microsoft.com/japan/technet/security/bulletin/ms09-dec.mspx

This bulletin summary lists security bulletins released for December 2009.

About This Analysis Information

Analysis Information Provider:

JPCERT/CC

First Published:

2009-12-09

Source Information Category:

Advisory, Alert

Last Updated:

2009-12-09

Affected Product Tags

cpe:/a:microsoft:office:2003 (Microsoft Office 2003)

cpe:/a:microsoft:office:xp (Microsoft Office XP)

cpe:/a:microsoft:project:2000 (Microsoft Project 2000)

cpe:/a:microsoft:project:2002 (Microsoft Project 2002)

cpe:/a:microsoft:project:2003 (Microsoft Office Project 2003)

cpe:/a:microsoft:works (Microsoft Works)

cpe:/o:microsoft:windows_2000 (Microsoft Windows 2000)

cpe:/o:microsoft:windows_server:2003 (Microsoft Windows Server 2003)

cpe:/o:microsoft:windows_server:2008 (Microsoft Windows Server 2008)

cpe:/o:microsoft:windows_vista (Microsoft Windows Vista)

cpe:/o:microsoft:windows_xp (Microsoft Windows XP)

lapt:/o:microsoft:windows_7 (Windows 7)

Vulnerability Analysis Results

[Information Source Reliability]^[?]

Low^[?]

Medium^[?]

High^[?]

[Impact Level]^[?]

Low^[?]

Low-Medium^[?]

Medium-High^[?]

High^[?]

[Access Required]^[?]

Physical^[?]

Local^[?]

Non-routed^[?]

Routed^[?]

[Authentication]^[?]

Privileged^[?]

Standard^[?]

Limited^[?]

None or Unnecessary^[?]

[User Interaction Required]^[?]

Complex^[?]

Simple^[?]

None^[?]

[Technical Difficulty]^[?]

High^[?]

Medium-High^[?]

Low-Medium^[?]

Low^[?]

[Availability of Remediation]^[?]

Official Patch^[?]

Official Workaround^[?]

Unofficial Patch^[?]

None^[?]

[Incident Activity]^[?]

None^[?]

Exploit or PoC^[?]

Activity Observed^[?]

Alternatives

Common Vulnerabilities and Exposures (CVE) CVE-2009-3675

Common Vulnerabilities and Exposures (CVE) CVE-2009-2508

Common Vulnerabilities and Exposures (CVE) CVE-2009-2509

Common Vulnerabilities and Exposures (CVE) CVE-2009-2505

Common Vulnerabilities and Exposures (CVE) CVE-2009-3677

Common Vulnerabilities and Exposures (CVE) CVE-2009-2493

The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3,Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold andSP2; does not properly restrict use of OleLoadFromStream ininstantiating objects from data streams, which allows remote attackersto execute arbitrary code via a crafted HTML document with an ATL (1)component or (2) control, related to ATL headers and bypassingsecurity policies, aka "ATL COM Initialization Vulnerability."

Common Vulnerabilities and Exposures (CVE) CVE-2009-3671

Common Vulnerabilities and Exposures (CVE) CVE-2009-3672

Microsoft Internet Explorer 6 and 7 allows remote attackers to executearbitrary code via vectors involving a call to thegetElementsByTagName method for the CSS STYLE tag name, selection ofthe single element in the returned list, and a change to the outerHTMLproperty of this element, which triggers memory corruption in theMicrosoft HTML Viewer (mshtml.dll). NOTE: some of these details areobtained from third party information. NOTE: this issue wasoriginally assigned CVE-2009-4054, but Microsoft assigned a duplicateidentifier of CVE-2009-3672. CVE consumers should use this identifierinstead of CVE-2009-4054.

Common Vulnerabilities and Exposures (CVE) CVE-2009-3673

Common Vulnerabilities and Exposures (CVE) CVE-2009-3674

Common Vulnerabilities and Exposures (CVE) CVE-2009-2506

Common Vulnerabilities and Exposures (CVE) CVE-2009-0102

References