=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN353
_____________________________________________________________________

DATE                      : 08/09/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Windows 2000, Windows Server 2003, Windows Vista,
                              Windows Server 2008.

======================================================================
KB967723
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx
______________________________________________________________________

Microsoft Security Bulletin MS09-048 - Critical

Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

  Published: September 08, 2009

  Version: 1.0

General Information

Executive Summary

  This security update resolves several privately reported vulnerabilities in
  Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The
  vulnerabilities could allow remote code execution if an attacker sent
  specially crafted TCP/IP packets over the network to a computer with a
  listening service. Firewall best practices and standard default firewall
  configurations can help protect networks from attacks that originate outside
  the enterprise perimeter. Best practices recommend that systems that are
  connected to the Internet have a minimal number of ports exposed.

  This security update is rated Critical for all supported editions of Windows
  Vista and Windows Server 2008, and Important for all supported editions of
  Microsoft Windows 2000 Service Pack 4 and Windows Server 2003. For more
  information, see the subsection, Affected and Non-Affected Software, in this
  section.

  The security update addresses the vulnerabilities by dropping existing TCP
  connections adaptively and limiting the number of new TCP connections until
  system resources are restored, and changing the manner in which TCP/IP packets
  are processed. For more information about the vulnerabilities, see the
  Frequently Asked Questions (FAQ) subsection for the specific vulnerability
  entry under the next section, Vulnerability Information.

  Recommendation. The majority of customers have automatic updating enabled and
  will not need to take any action because this security update will be
  downloaded and installed automatically. Customers who have not enabled
  automatic updating need to check for updates and install this update manually.
  For information about specific configuration options in automatic updating,
  see Microsoft Knowledge Base Article 294871.

  For administrators and enterprise installations, or end users who want to
  install this security update manually, Microsoft recommends that customers
  apply the update immediately using update management software, or by checking
  for updates using the Microsoft Update service.

  See also the section, Detection and Deployment Tools and Guidance, later in
  this bulletin.

  Known Issues. Microsoft Knowledge Base Article 967723 documents the
  currently known issues that customers may experience when installing this
  security update. The article also documents recommended solutions for these
  issues.

Affected Software

  Microsoft Windows 2000 Service Pack 4

  Windows Server 2003 Service Pack 2

  Windows Server 2003 x64 Edition Service Pack 2

  Windows Server 2003 with SP2 for Itanium-based Systems

  Windows Vista, Windows Vista Service Pack 1,
  and Windows Vista Service Pack 2

  Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1,
  and Windows Vista x64 Edition Service Pack 2

  Windows Server 2008 for 32-bit Systems and Windows Server 2008 for
  32-bit Systems Service Pack 2

  Windows Server 2008 for x64-based Systems and Windows Server 2008 for
  x64-based Systems Service Pack 2

  Windows Server 2008 for Itanium-based Systems and
  Windows Server 2008 for Itanium-based Systems Service Pack 2

Vulnerability Information

TCP/IP Zero Window Size Vulnerability - CVE-2008-4609

  A denial of service vulnerability exists in TCP/IP processing in
  Microsoft Windows due to the way that Windows handles an excessive number of
  established TCP connections. The effect of this vulnerability can be
  amplified by the requirement to process specially crafted packets with a TCP
  receive window size set to a very small value or zero. An attacker could
  exploit the vulnerability by flooding a system with specially crafted packets
  causing the affected system to stop responding to new requests or
  automatically restart.

TCP/IP Timestamps Code Execution Vulnerability - CVE-2009-1925

  A remote code execution vulnerability exists in the Windows TCP/IP stack due
  to the TCP/IP stack not cleaning up state information correctly. This causes
  the TCP/IP stack to reference a field as a function pointer when it actually
  contains other information. An anonymous attacker could exploit the
  vulnerability by sending specially crafted TCP/IP packets to a computer that
  has a service listening over the network. An attacker who successfully
  exploited this vulnerability could take complete control of an affected system.
  An attacker could then install programs; view, change, or delete data; or
  create new accounts with full user rights.

TCP/IP Orphaned Connections Vulnerability - CVE-2009-1926

  A denial of service vulnerability exists in TCP/IP processing in Microsoft
  Windows due to an error in the processing of specially crafted packets with a
  small or zero TCP receive window size. If an application closes a TCP connection
  with pending data to be sent and an attacker has set a small or zero TCP receive
  window size, the affected server will not be able to completely close the TCP
  connection. An attacker could exploit the vulnerability by flooding a system with
  specially crafted packets causing the affected system to stop responding to new
  requests. The system would remain non-responsive even after the attacker stops
  sending malicious packets.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================