JVNDB-2009-000059

Buffer overflow vulnerability in Microsoft Windows

Overview

Microsoft Windows contains a buffer overflow vulnerability.

The Windows Media Format Runtime included in Microsoft Windows contains a buffer overflow vulnerability that is triggered when parsing specific files.

The security update for this vulnerability is contained in the Microsoft Security Bulletin Summary for September 2009.

Hiroshi Noguchi of Alice Carroll fan club reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Microsoft Corporation
  • Microsoft Windows 2000
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 (x64)
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 (x64)
  • Microsoft Windows Vista
  • Microsoft Windows Vista (x64)
  • Microsoft Windows XP SP3
  • Microsoft Windows XP (x64)

Impact

If a user opens a specially crafted file, an attacker may execute arbitrary code.

Solution

[Update the software]
Apply the update according to the information provided by Microsoft.

Vendor Information

Microsoft Corporation

CWE

  1. Buffer Errors (CWE-119) [IPA Evaluation]

CVE

  1. CVE-2009-2498
  2. CVE-2009-2499

References

  1. JVN : JVN#62211338
  2. JVN Status Tracking Notes : JVNTR-2009-22
  3. National Vulnerability Database (NVD) : CVE-2009-2498
  4. National Vulnerability Database (NVD) : CVE-2009-2499
  5. IPA SECURITY ALERTS : Security Alert for Vulnerability in Microsoft Windows
  6. US-CERT Cyber Security Alerts : SA09-251A
  7. US-CERT Technical Cyber Security Alert : TA09-251A
  8. Secunia Advisory : SA36596
  9. SecurityFocus : 36225
  10. SecurityFocus : 36228
  11. VUPEN Security : VUPEN/ADV-2009-2566

Revision History

  • [2009/09/09]
      Web page published