Buffer overflow vulnerability in Microsoft Windows


Microsoft Windows contains a buffer overflow vulnerability.

Windows Media Format Runtime included in Microsoft Windows contains a buffer overflow vulnerability when parsing specific files.

The security update for this vulnerability is contained in the Microsoft Security Bulletin Summary for September 2009.

Hiroshi Noguchi of Alice Carroll fan club reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Microsoft Corporation
  • Microsoft Windows 2000
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 for x64-based Systems
  • Microsoft Windows Vista
  • Microsoft Windows Vista x64 Edition
  • Microsoft Windows XP
  • Microsoft Windows XP Professional x64 Edition


If a user opens a specially crafted file, an attacker may execute arbitrary code.

[Update the software]
Apply the update according to the information provided by Microsoft.
Vendor Information

Microsoft Corporation
CWE (What is CWE?)

  1. Buffer Errors(CWE-119) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2009-2498
  2. CVE-2009-2499

  1. JVN : JVN#62211338
  2. National Vulnerability Database (NVD) : CVE-2009-2498
  3. National Vulnerability Database (NVD) : CVE-2009-2499
  4. IPA SECURITY ALERTS : Security Alert for Vulnerability in Microsoft Windows
  5. US-CERT Cyber Security Alerts : SA09-251A
  6. US-CERT Technical Cyber Security Alert : TA09-251A
  7. Secunia Advisory : SA36596
  8. SecurityFocus : 36225
  9. SecurityFocus : 36228
  10. VUPEN Security : VUPEN/ADV-2009-2566
Revision History

  Web page published