Microsoft Security Bulletins for
= Check Point has provided a protection to this bulletin
Microsoft Security Bulletin MS09-016:
Vulnerabilities in Microsoft ISA Server and Forefront Threat Management Gateway (Medium Business Edition) Could Cause Denial of Service (961759)
Severity: High
CVE-2009-0237: Cross-Site Scripting Vulnerability
A cross-site scripting (XSS) vulnerability exists in the HTML forms authentication component in ISA Server or Forefront TMG, cookieauth.dll, which could allow malicious script code to run on the machine of another user under the guise of the server running cookieauth.dll. This is a non-persistent cross-site scripting vulnerability that can lead to spoofing and information disclosure.
Check Point Response- Preemptive Protection against Microsoft ISA Server Cross-Site Scripting (XSS) Vulnerability (MS09-016) Release Date:
CVE-2009-0077: Web Proxy TCP State Limited Denial of Service Vulnerability
A denial of service vulnerability exists in the way the firewall engine handles TCP state for Web proxy or Web publishing listeners. The vulnerability could allow a remote user to cause a Web listener to stop responding to new requests.
Check Point Response- Workaround for Microsoft ISA Server TCP State Limited Denial of Service Vulnerability (MS09-016) Release Date:
Microsoft Security Bulletin MS09-015:
Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (959426)
Severity: Medium
CVE-2008-2540: Blended Threat Elevation of Privilege Vulnerability
A blended threat elevation of privilege vulnerability exists in the way the SearchPath function in Windows locates and opens files on the system. An attacker could exploit the vulnerability by convincing a user to download a specially crafted file to a specific location, and then open an application that could load the file under certain circumstances.
Check Point Response- Update Protection against Apple Safari on Windows Platform Remote Code Execution Vulnerability (MS09-015) Release Date:
Microsoft Security Bulletin MS09-014:
Cumulative Security Update for Internet Explorer (963027)
Severity: Critical
CVE-2009-0550: WinINet Credential Reflection Vulnerability
A blended threat remote code execution vulnerability exists in the way that Internet Explorer locates and opens files on the system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Check Point Response- Update Protection against Apple Safari on Windows Platform Remote Code Execution Vulnerability (MS09-015) Release Date:
CVE-2009-0553: Uninitialized Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Check Point Response- Update Protection against Microsoft Internet Explorer ActiveX Object Reloading Race Condition Memory Corruption Vulnerability (MS09-014) Release Date:
CVE-2009-0551: Page Transition Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way Internet Explorer handles transition when navigating between Web pages. As a result, system memory may be corrupted in such a way that an attacker could execute arbitrary code if a user visited a specially crafted Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Check Point Response- Update Protection against Microsoft Internet Explorer Page Transition Memory Corruption Vulnerability (MS09-014) Release Date:
CVE-2009-0550: WinINet Credential Reflection Vulnerability
A remote code execution vulnerability exists in the way that WinINet handles NTLM credentials when a user connects to an attacker's server by way of the HTTP protocol. This vulnerability allows an attacker to replay the user's credentials back to the attacker and to execute code in the context of the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Check Point Response- Update Protection against Microsoft Windows HTTP Services Credential Reflection Remote Code Execution Vulnerability (MS09-013) Release Date:
CVE-2009-0552: Uninitialized Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Check Point Response- Update Protection against Microsoft Internet Explorer history.go Improper Parameter Handling Remote Code Execution Vulnerability (MS09-014) Release Date:
CVE-2009-0554: Uninitialized Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way Internet Explorer accesses an object that has not been initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
Check Point Response- Update Protection against Microsoft Internet Explorer Marquee Object Improper Handling Remote Code Execution Vulnerability (MS09-014) Release Date:
Microsoft Security Bulletin MS09-013:
Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803)
Severity: Critical
CVE-2009-0089: Windows HTTP Services Certificate Name Mismatch Vulnerability
A spoofing vulnerability exists in Windows HTTP Services as a result of the incomplete validation of the distinguished name in a digital certificate. When combined with specific other attacks, such as DNS spoofing, this may allow an attacker to successfully spoof the digital certificate of a Web site for any application that uses Windows HTTP Services.
Check Point Response- Protection against Microsoft Windows HTTP Services Certificate Name Mismatch Remote Code Execution Vulnerability (MS09-013) Release Date:
CVE-2009-0550: Windows HTTP Services Credential Reflection Vulnerability
A remote code execution vulnerability exists in the way that Windows HTTP Services handles NTLM credentials when a user connects to an attacker's Web server. This vulnerability allows an attacker to replay the user's credentials back to the attacker and execute code in the context of the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Check Point Response- Update Protection against Microsoft Windows HTTP Services Credential Reflection Remote Code Execution Vulnerability (MS09-013) Release Date:
CVE-2009-0086: Windows HTTP Services Integer Underflow Vulnerability
A remote code execution vulnerability exists in the way that Windows HTTP Services handles specific values that are returned by a remote Web server. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with the same user rights as the service or application which calls the WinHTTP API to connect to the attacker's Web server.
Check Point Response- Update Protection against Microsoft Windows HTTP Services Chunked Encoding Integer Underflow Code Execution Vulnerability (MS09-013) Release Date:
Microsoft Security Bulletin MS09-012:
Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)
Severity: High
CVE-2008-1436: Windows MSDTC Service Isolation Vulnerability
An elevation of privilege vulnerability exists in the Microsoft Distributed Transaction Coordinator (MSDTC) transaction facility in Microsoft Windows platforms. MSDTC leaves a NetworkService token that can be impersonated by any process that calls into it. The vulnerability allows a process that is not running under the NetworkService account, but that has the SeImpersonatePrivilege, to elevate its privilege to NetworkService and execute code with NetworkService privileges. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Check Point Response
- This is a local vulnerability that cannot be mitigated by a Network IPS protection
CVE-2009-0078: Windows WMI Service Isolation Vulnerability
An elevation of privilege vulnerability exists due to the Windows Management Instrumentation (WMI) provider improperly isolating processes that run under the NetworkService or LocalService accounts. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Check Point Response
- This is a local vulnerability that cannot be mitigated by a Network IPS protection
CVE-2009-0079: Windows RPCSS Service Isolation Vulnerability
An elevation of privilege vulnerability exists due to the RPCSS service improperly isolating processes that run under the NetworkService or LocalService accounts. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Check Point Response
- This is a local vulnerability that cannot be mitigated by a Network IPS protection
CVE-2009-0080: Windows Thread Pool ACL Weakness Vulnerability
An elevation of privilege vulnerability exists due to Windows placing incorrect access control lists (ACLs) on threads in the current ThreadPool. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Check Point Response
- This is a local vulnerability that cannot be mitigated by a Network IPS protection
Microsoft Security Bulletin MS09-011:
Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (961373)
Severity: Critical
CVE-2009-0084: MJPEG Decompression Vulnerability
A remote code execution vulnerability exists in the way Microsoft DirectShow handles supported format files. This vulnerability could allow code execution if a user opened a specially crafted MJPEG file. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Check Point Response- Update Protection against Microsoft DirectShow MJPEG Decompression Remote Code Execution Vulnerability (MS09-011) Release Date:
Microsoft Security Bulletin MS09-010:
Vulnerabilities in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)
Severity: Critical
CVE-2009-0087: WordPad and Office Text Converter Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that text converters in WordPad and Microsoft Office process memory when a user opens a specially crafted Word 6 file that includes malformed data.
Check Point Response- Update Protection against Microsoft WordPad and Office Text Converter Document Parsing Memory Corruption Vulnerability (MS09-010) Release Date:
CVE-2008-4841: WordPad Word 97 Text Converter Stack Overflow Vulnerability
A remote code execution vulnerability exists in the way that Microsoft WordPad processes memory when parsing a specially crafted Word 97 document. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed list structure.
Check Point Response- Update Protection against Microsoft WordPad Word 97 Text Converter XST Parsing Stack Overflow Vulnerability (MS09-010) Release Date:
CVE-2009-0088: Word 2000 WordPerfect 6.x Converter Stack Corruption Vulnerability
A remote code execution vulnerability exists in the way that the WordPerfect 6.x converter that is included with Microsoft Office Word 2000 processes memory when parsing a specially crafted WordPerfect document.
- Check Point Response
- IPS Updates teams are studying this vulnerability and may provide protection at a later date
CVE-2009-0235: WordPad Word 97 Text Converter Stack Overflow Vulnerability
A remote code execution vulnerability exists in WordPad as a result of memory corruption when a user opens a specially crafted Word file.
Check Point Response- Update Protection against Microsoft WordPad Word 97 Text Converter Text Location Stack Overflow Vulnerability (MS09-010) Release Date:
Microsoft Security Bulletin MS09-009:
Vulnerabilities in Microsoft Office Excel Could Cause Remote Code Execution (968557)
Severity: Critical
CVE-2009-0238: Memory Corruption Vulnerability
A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Check Point Response- Update Protection against Microsoft Excel Rich Text Parsing Zero-Day Remote Code Execution Vulnerability (MS09-009) Release Date:
CVE-2009-0100: Memory Corruption Vulnerability
A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Check Point Response