   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2009-53
Remote code execution vulnerability in the SearchPath function of Microsoft Windows

Original Issue Date: April 15, 2009

Severity Rating: Medium

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems*
  • Windows Server 2008 for x64-based Systems*
  • Windows Server 2008 for Itanium-based Systems

Overview

An arbitrary remote code execution vulnerability has been reported in Microsoft Windows. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code and take complete control of the affected system.

Description

A remote code execution vulnerability exists in the SearchPath function of Microsoft Windows while it handles files on the system. An attacker could exploit the vulnerability by convincing a user to download a specially crafted file to a specific location; that file may later be executed when the target user opens an application. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code and take complete control of the affected system.

Solution

Apply the appropriate updates as described in Microsoft Security Bulletin MS09-015.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-015.mspx

References

SecurityTracker
http://securitytracker.com/alerts/2009/Apr/1022047.html

eEye Digital Security
http://www.eeye.com/research/html/newsletters/alert/pub/AL20090414.html#MS09-015


CVE Name
CVE-2008-2540

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003