<< Back
CVE Number Vulnerability Product Severity Date
MS09-071 Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318) Microsoft Windows Critical 08-12-2009

Technical Information

Brief overview of the risk:
This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if messages received by the Internet Authentication Service server are copied incorrectly into memory when handling PEAP authentication attempts. On Windows Server 2008, the Internet Authentication Service is replaced by Network Policy Server (NPS).
Detailed Information on the risk:

A remote code execution vulnerability exists in implementations of Protected Extensible Authentication Protocol (PEAP) on the Internet Authentication Service. The vulnerability is due to incorrect copying into memory of messages received by the server when handling PEAP authentication attempts. An attacker who successfully exploited this vulnerability could take complete control of an affected system.


Further information on this exploit is available at : MS09-071

Affected Software

Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Windows 2000 Service Pack 4
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Vista
Windows Vista Service Pack 1
Windows Vista Service Pack 2
Windows Vista x64 Edition
Windows Vista x64 Edition Service Pack 1
Windows Vista x64 Edition Service Pack 2
Windows XP Service Pack 2
Windows XP Service Pack 3