CVE-2009-4312 : Unspecified vulnerability in the Indeo codec in Microsoft Windows 2000 SP4, XP S

Unspecified vulnerability in the Indeo codec in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 allows remote attackers to execute arbitrary code via crafted media content, as reported to Microsoft by Dave Lenoe of Adobe.

Published 2009-12-13 01:30:01

Updated 2017-09-19 01:29:57

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2009-4312

Microsoft » Windows 2000 » Update SP4
cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
Matching versions
Microsoft » Windows Xp » Update SP3
cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*
Matching versions
Microsoft » Windows Xp » Version: N/A Update SP2
cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:*:*:*:*
Matching versions
Microsoft » Windows Xp » Version: N/A Update SP2 X64 Edition
cpe:2.3:o:microsoft:windows_xp:-:sp2:x64:*:*:*:*:*
Matching versions
Microsoft » Windows 2003 Server » Update SP2
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
Matching versions
Microsoft » Windows 2003 Server » Update SP2 X64 Edition
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:x64:*:*:*:*:*
Matching versions
Microsoft » Windows 2003 Server » Update SP2 Itanium Edition
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2009-4312

EPSS FAQ

20.22%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 95 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2009-4312

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2009-4312

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2009-4312

http://support.microsoft.com/kb/976138

Patch;Vendor Advisory

CVEs referencing this url
http://support.microsoft.com/kb/955759

Patch;Vendor Advisory

CVEs referencing this url
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11573
https://exchange.xforce.ibmcloud.com/vulnerabilities/54645

CVEs referencing this url
http://www.vupen.com/english/advisories/2009/3440

Vendor Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/37251

CVEs referencing this url
http://support.microsoft.com/kb/954157

Vendor Advisory;Patch

CVEs referencing this url
http://www.microsoft.com/technet/security/advisory/954157.mspx

Patch;Vendor Advisory

CVEs referencing this url
http://securitytracker.com/id?1023302

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2009-4312

Products affected by CVE-2009-4312

Exploit prediction scoring system (EPSS) score for CVE-2009-4312

CVSS scores for CVE-2009-4312

CWE ids for CVE-2009-4312

References for CVE-2009-4312