CVE-2009-2528

GDI+ in Microsoft Office XP SP3 does not properly handle malformed objects in Office Art Property Tables, which allows remote attackers to execute arbitrary code via a crafted Office document that triggers memory corruption, aka "Memory Corruption Vulnerability."

CVSS v2.0 9.3 HIGH

9.3^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.us-cert.gov/cas/techalerts/TA09-286A.html	US Government Resource
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-062
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6426
http://www.us-cert.gov/cas/techalerts/TA09-286A.html	US Government Resource
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-062
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6426

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:microsoft:windows_2003_server::sp2::::::*
	cpe:2.3:o:microsoft:windows_2003_server::sp2:itanium:::::
	cpe:2.3:o:microsoft:windows_2003_server::sp2:x64:::::
	cpe:2.3:o:microsoft:windows_server_2008:::itanium:::::*
	cpe:2.3:o:microsoft:windows_server_2008:::x32:::::*
	cpe:2.3:o:microsoft:windows_server_2008:::x64:::::*
	cpe:2.3:o:microsoft:windows_vista::::::::
	cpe:2.3:o:microsoft:windows_vista:::x64:::::*
	cpe:2.3:o:microsoft:windows_vista::sp1::::::*
	cpe:2.3:o:microsoft:windows_xp::sp2::::::*
	cpe:2.3:o:microsoft:windows_xp::sp2:professional_x64:::::
	cpe:2.3:o:microsoft:windows_xp::sp3::::::*

Configuration 2 (hide)

AND

cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*

OR	cpe:2.3:a:microsoft:.net_framework:1.1:sp1::::::
	cpe:2.3:a:microsoft:.net_framework:2.0:sp1::::::
	cpe:2.3:a:microsoft:.net_framework:2.0:sp2::::::
	cpe:2.3:a:microsoft:internet_explorer:6:sp1::::::

Configuration 3 (hide)

OR	cpe:2.3:a:microsoft:report_viewer:2005:sp1:redistributable_package:::::*
	cpe:2.3:a:microsoft:report_viewer:2008::redistributable_package:::::
	cpe:2.3:a:microsoft:report_viewer:2008:sp1:redistributable_package:::::*
	cpe:2.3:a:microsoft:sql_server:2005:sp2::::::
	cpe:2.3:a:microsoft:sql_server:2005:sp2:itanium:::::*
	cpe:2.3:a:microsoft:sql_server:2005:sp2:x64:::::*
	cpe:2.3:a:microsoft:sql_server:2005:sp3::::::
	cpe:2.3:a:microsoft:sql_server:2005:sp3:itanium:::::*
	cpe:2.3:a:microsoft:sql_server:2005:sp3:x64:::::*
	cpe:2.3:a:microsoft:sql_server_reporting_services:2000:sp2::::::

Configuration 4 (hide)

OR	cpe:2.3:a:microsoft:excel_viewer:2003:::::::*
	cpe:2.3:a:microsoft:excel_viewer:2003:sp3::::::
	cpe:2.3:a:microsoft:expression_web::::::::
	cpe:2.3:a:microsoft:expression_web:2:::::::*
	cpe:2.3:a:microsoft:office:2003:sp3::::::
	cpe:2.3:a:microsoft:office:2007:sp1::::::
	cpe:2.3:a:microsoft:office:2007:sp2::::::
	cpe:2.3:a:microsoft:office:xp:::::::*
	cpe:2.3:a:microsoft:office_compatibility_pack:2007:sp1::::::
	cpe:2.3:a:microsoft:office_compatibility_pack:2007:sp2::::::
	cpe:2.3:a:microsoft:office_excel_viewer::::::::
	cpe:2.3:a:microsoft:office_groove:2007:::::::*
	cpe:2.3:a:microsoft:office_groove:2007:sp1::::::
	cpe:2.3:a:microsoft:office_powerpoint_viewer::::::::
	cpe:2.3:a:microsoft:office_powerpoint_viewer:2007:sp1::::::
	cpe:2.3:a:microsoft:office_powerpoint_viewer:2007:sp2::::::
	cpe:2.3:a:microsoft:office_word_viewer::::::::
	cpe:2.3:a:microsoft:project:2002:sp1::::::
	cpe:2.3:a:microsoft:visio:2002:sp2::::::
	cpe:2.3:a:microsoft:word_viewer:2003:::::::*
	cpe:2.3:a:microsoft:word_viewer:2003:sp3::::::
	cpe:2.3:a:microsoft:works:8.5:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:microsoft:platform_sdk:::redistrutable_gdi\+:::::*
	cpe:2.3:a:microsoft:report_viewer:2005:sp1:redistributable_package:::::*
	cpe:2.3:a:microsoft:report_viewer:2008::redistributable_package:::::
	cpe:2.3:a:microsoft:report_viewer:2008:sp1:redistributable_package:::::*
	cpe:2.3:a:microsoft:visual_studio:2008:::::::*
	cpe:2.3:a:microsoft:visual_studio:2008:sp1::::::
	cpe:2.3:a:microsoft:visual_studio_.net:2003:sp1::::::
	cpe:2.3:a:microsoft:visual_studio_.net:2005:sp1::::::

Configuration 6 (hide)

AND

OR	cpe:2.3:a:microsoft:forefront_client_security:1.0:::::::*
	cpe:2.3:a:microsoft:visual_foxpro:8.0:sp1::::::
	cpe:2.3:a:microsoft:visual_foxpro:9.0:sp2::::::

cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*

History

21 Nov 2024, 01:05

Type	Values Removed	Values Added
References	~~() http://www.us-cert.gov/cas/techalerts/TA09-286A.html - US Government Resource~~	() http://www.us-cert.gov/cas/techalerts/TA09-286A.html - US Government Resource
References	~~() https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-062 -~~	() https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-062 -
References	~~() https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6426 -~~	() https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6426 -

07 Dec 2023, 18:38

Type	Values Removed	Values Added
CPE	cpe:2.3:o:microsoft:windows_vista::sp1:x64:::::

Information

Published : 2009-10-14 10:30

Updated : 2024-11-21 01:05

NVD link : CVE-2009-2528

Mitre link : CVE-2009-2528

CVE.ORG link : CVE-2009-2528

JSON object : View

Products Affected

microsoft

visio
excel_viewer
visual_foxpro
sql_server
windows_2003_server
office
forefront_client_security
office_compatibility_pack
visual_studio_.net
windows_2000
windows_server_2008
platform_sdk
office_excel_viewer
windows_vista
.net_framework
project
visual_studio
windows_xp
office_word_viewer
sql_server_reporting_services
works
word_viewer
office_powerpoint_viewer
report_viewer
expression_web
internet_explorer
office_groove

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.3 /10