CVE-2009-0089: Input Validation
First published: Wed Apr 15 2009(Updated: )
Windows HTTP Services (aka WinHTTP) in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Vista Gold allows remote web servers to impersonate arbitrary https web sites by using DNS spoofing to "forward a connection" to a different https web site that has a valid certificate matching its own domain name, but not a certificate matching the domain name of the host requested by the user, aka "Windows HTTP Services Certificate Name Mismatch Vulnerability."
Credit: secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Windows 2000 | =sp4 | |
| Microsoft Windows Server | ||
| Microsoft Windows Server | =sp1 | |
| Microsoft Windows Server | =sp1 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | ||
| Microsoft Windows Server | ||
| Microsoft Windows Server | ||
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | =gold | |
| Microsoft Windows Vista | =sp1 | |
| Microsoft Windows XP | ||
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft Windows Vista | =sp1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/34437
- http://www.us-cert.gov/cas/techalerts/TA09-104A.html
- http://www.securitytracker.com/id?1022041
- http://www.vupen.com/english/advisories/2009/1027
- http://secunia.com/advisories/34677
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6027
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-013
Frequently Asked Questions
What is the severity of CVE-2009-0089?
CVE-2009-0089 has a high severity rating as it allows remote web servers to impersonate arbitrary HTTPS websites.
How do I fix CVE-2009-0089?
To fix CVE-2009-0089, ensure your system is updated with the latest security patches from Microsoft.
Which versions of Windows are affected by CVE-2009-0089?
CVE-2009-0089 affects Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Vista Gold.
What attack vectors are associated with CVE-2009-0089?
CVE-2009-0089 can be exploited through DNS spoofing, enabling an attacker to redirect users to a malicious HTTPS site.
What are the potential impacts of CVE-2009-0089?
The potential impacts of CVE-2009-0089 include unauthorized access to sensitive information and credentials from users unknowingly connecting to fraudulent sites.
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-historical
- collector/nvd-index
- agent/author
- agent/softwarecombine
- vendor/microsoft
- canonical/microsoft windows 2000
- version/microsoft windows 2000/sp4
- canonical/microsoft windows server
- version/microsoft windows server/sp1
- version/microsoft windows server/sp2
- canonical/microsoft windows vista
- version/microsoft windows vista/gold
- version/microsoft windows vista/sp1
- canonical/microsoft windows xp
- version/microsoft windows xp/sp2
- version/microsoft windows xp/sp3