CVE-2009-0320 - Vulnerability Details - OpenCVE

Microsoft Windows XP, Server 2003 and 2008, and Vista exposes I/O activity measurements of all processes, which allows local users to obtain sensitive information, as demonstrated by reading the I/O Other Bytes column in Task Manager (aka taskmgr.exe) to estimate the number of characters that a different user entered at a runas.exe password prompt, related to a "benchmarking attack."

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity High

Authentication None

Confidentiality Impact Complete

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Windows Server 2003 Windows Server 2008 Windows Vista Windows Xp

Configuration 1 [-]

OR	cpe:2.3:o:microsoft:windows_server_2003::::::::
	cpe:2.3:o:microsoft:windows_server_2008::::::::
	cpe:2.3:o:microsoft:windows_vista::::::::
	cpe:2.3:o:microsoft:windows_xp::::::::

No data.

References

Link	Providers
http://www.securityfocus.com/archive/1/500393/100/0/threaded
http://www.securityfocus.com/bid/33440

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-01-28T18:00:00

Updated: 2024-08-07T04:31:25.585Z

Reserved: 2009-01-28T00:00:00

Link: CVE-2009-0320

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2009-01-28T18:30:00.217

Modified: 2025-04-09T00:30:58.490

Link: CVE-2009-0320

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-01-24T00:00:00", "descriptions": [{"lang": "en", "value": "Microsoft Windows XP, Server 2003 and 2008, and Vista exposes I/O activity measurements of all processes, which allows local users to obtain sensitive information, as demonstrated by reading the I/O Other Bytes column in Task Manager (aka taskmgr.exe) to estimate the number of characters that a different user entered at a runas.exe password prompt, related to a \"benchmarking attack.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-11T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "33440", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/33440"}, {"name": "20090124 Benchmarking attacks and major security weakness on all recent Windows versions up to Windows 200", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/500393/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-0320", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Microsoft Windows XP, Server 2003 and 2008, and Vista exposes I/O activity measurements of all processes, which allows local users to obtain sensitive information, as demonstrated by reading the I/O Other Bytes column in Task Manager (aka taskmgr.exe) to estimate the number of characters that a different user entered at a runas.exe password prompt, related to a \"benchmarking attack.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "33440", "refsource": "BID", "url": "http://www.securityfocus.com/bid/33440"}, {"name": "20090124 Benchmarking attacks and major security weakness on all recent Windows versions up to Windows 200", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/500393/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T04:31:25.585Z"}, "title": "CVE Program Container", "references": [{"name": "33440", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/33440"}, {"name": "20090124 Benchmarking attacks and major security weakness on all recent Windows versions up to Windows 200", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/500393/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-0320", "datePublished": "2009-01-28T18:00:00", "dateReserved": "2009-01-28T00:00:00", "dateUpdated": "2024-08-07T04:31:25.585Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*", "matchCriteriaId": "31A64C69-D182-4BEC-BA8A-7B405F5B2FC0", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2008:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B33C9BD-FC34-4DFC-A81F-C620D3DAA79D", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*", "matchCriteriaId": "3852BB02-47A1-40B3-8E32-8D8891A53114", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_xp:*:*:*:*:*:*:*:*", "matchCriteriaId": "E61F1C9B-44AF-4B35-A7B2-948EEF7639BD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Microsoft Windows XP, Server 2003 and 2008, and Vista exposes I/O activity measurements of all processes, which allows local users to obtain sensitive information, as demonstrated by reading the I/O Other Bytes column in Task Manager (aka taskmgr.exe) to estimate the number of characters that a different user entered at a runas.exe password prompt, related to a \"benchmarking attack.\""}, {"lang": "es", "value": "Microsoft Windows XP, Server 2003 y 2008, y Vista expone las mediciones de la actividad de I/O (entrada/salida) de todos los procesos, lo que permite a usuarios locales obtener informaci\u00f3n sensible, como se ha demostrado mediante la lectura de las I/O en la columna Other Bytes en el Administrador de tareas (Task Manager) para estimar el n\u00famero de caracteres que ha introducido (en el runas.exe - ejecutar como) un usuario (distinto del de la sesion actual) en la ventana que solicita la contrase\u00f1a, relacionado con un \"benchmarking attack\"."}], "id": "CVE-2009-0320", "lastModified": "2025-04-09T00:30:58.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:H/Au:N/C:C/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 1.9, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-01-28T18:30:00.217", "references": [{"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/500393/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/33440"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/500393/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/33440"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-362"}], "source": "nvd@nist.gov", "type": "Primary"}]}