June 14, 2005
Microsoft Security Bulletin: Multiple Security Vulnerabilities
Advisory Overview
Qualys' Vulnerability R&D Lab has released 10 new vulnerability checks in QualysGuard® to protect organizations against the new vulnerabilities present in several Microsoft technologies that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Vulnerability Details
Microsoft has released 10 security patches to fix newly discovered flaws in several Microsoft technologies.

Qualys has released the following checks for these new vulnerabilities:
Cumulative Security Update For Internet Explorer Missing (MS05-025)
SEVERITY: Urgent Urgent-5 5
QUALYS ID: 100026
VENDOR REFERENCE: MS05-025, 883939
CVE REFERENCE: CAN-2005-1211
THREAT: Microsoft Windows machine is missing the cumulative security update for internet explorer described in the Microsoft document MS05-025.
IMPACT: This update fixes security vulnerabilities which could be exploited by a remote attacker.
SOLUTION: Microsoft has released a patch for this vulnerability. Check Microsoft Security Bulletin MS05-025 for details.

Microsoft HTML Help Remote Code Execution Vulnerability (MS05-026)
SEVERITY: Critical Critical-4 4
QUALYS ID: 90253
VENDOR REFERENCE: MS05-026, 896358
CVE REFERENCE: CAN-2005-1208
THREAT: Microsoft Security Update MS05-026 is not installed on the target. A remote code execution vulnerability exists in HTML Help that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
IMPACT: If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
SOLUTION: Microsoft has released a patch for this vulnerability. Check Microsoft Security Bulletin MS05-026 for details.

Microsoft SMB Remote Code Execution Vulnerability (MS05-027)
SEVERITY: Urgent Urgent-5 5
QUALYS ID: 90252
VENDOR REFERENCE: MS05-027, 896422
CVE REFERENCE: CAN-2005-1206
THREAT: A remote code execution vulnerability exists in Server Message Block (SMB) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
IMPACT: A remote attacker could exploit this vulnerability to execute arbitrary code and take complete control of the affected system.
SOLUTION: Microsoft has released a patch for this vulnerability. Check Microsoft Security Bulletin MS05-027 for details.

Microsoft Windows Web Client Service Remote Code Execution (MS05-028)
SEVERITY: Urgent Urgent-5 5
QUALYS ID: 90256
VENDOR REFERENCE: MS05-028, 896426
CVE REFERENCE: CAN-2005-1207
THREAT: The Web Client service allows applications to access documents on the Internet. Web Client extends the networking capability of Windows by allowing standard Win32 applications to create, read, and write files on Internet file servers by using the WebDAV protocol.
IMPACT: A remote code execution vulnerability exists in the way that Windows processes Web Client requests that could allow an attacker who successfully exploited this vulnerable to take complete control of the affected system.
SOLUTION: Microsoft has released a patch for this vulnerability. Check Microsoft Security Bulletin MS05-028 for details.

Microsoft Outlook Web Access for Exchange Server Cross-Site Scripting Vulnerability (MS05-029)
SEVERITY: Serious Serious-3 3
QUALYS ID: 90254
VENDOR REFERENCE: MS05-029, 895179
CVE REFERENCE: CAN-2005-0563
THREAT: Microsoft Security Update MS05-029 is not installed on the target. This is a cross-site scripting vulnerability. The cross-site scripting vulnerability could allow an attacker to convince a user to run a malicious script. Attempts to exploit this vulnerability require user interaction.
IMPACT: If the malicious script is run it would execute in the security context of the user. This vulnerability could allow an attacker access to any data on the Outlook Web Access server that was accessible to the individual user.
SOLUTION: Microsoft has released a patch for this vulnerability. Check Microsoft Security Bulletin MS05-029 for details.

Outlook Express News Reading Vulnerability (MS05-030)
SEVERITY: Serious Serious-3 3
QUALYS ID: 90258
VENDOR REFERENCE: MS05-030, 897715
CVE REFERENCE: CAN-2005-1213
THREAT: A remote code execution vulnerability exists in Outlook Express when it is used as a newsgroup reader. An attacker could exploit the vulnerability by constructing a malicious newsgroup server that could that potentially allow remote code execution if a user queried the server for news.
IMPACT: An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.
SOLUTION: Microsoft has released a patch for this vulnerability. Check Microsoft Security Bulletin MS05-030 for details.

Microsoft Step-by-Step Interactive Training Could Allow Remote Code Execution (MS05-031)
SEVERITY: Critical Critical-4 4
QUALYS ID: 90257
VENDOR REFERENCE: MS05-031, 898458
CVE REFERENCE: CAN-2005-1212
THREAT: The Step-by-Step Interactive Training has a remote code execution vulnerability that could allow an attacker to take complete control of an affected system.
IMPACT: If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. However, user interaction is required to exploit this vulnerability.
SOLUTION: Microsoft has released a patch for this vulnerability. Check Microsoft Security Bulletin MS05-031 for details.

Microsoft Agent Content-Spoofing Vulnerability (MS05-032)
SEVERITY: Serious Serious-3 3
QUALYS ID: 90259
VENDOR REFERENCE: MS05-032, 890046
CVE REFERENCE: CAN-2005-1214
THREAT: Microsoft Agent is a software technology that enables an enriched form of user interaction that can make using and learning to use a computer easier. A vulnerability exists in Microsoft Agent that could enable an attacker to spoof trusted Internet content.
IMPACT: Users could believe that they are accessing trusted Internet content. However, they are accessing malicious Internet content such as a malicious Web site. An attacker would first have to persuade a user to visit the attacker's site to attempt to exploit this vulnerability.
SOLUTION: Microsoft has released a patch for this vulnerability. Check Microsoft Security Bulletin MS05-032 for details.

Vulnerability in Microsoft Windows Telnet Client Could Allow Information Disclosure (MS05-033)
SEVERITY: Serious Serious-3 3
QUALYS ID: 90260
VENDOR REFERENCE: MS05-033, 896428
CVE REFERENCE: CAN-2005-1205
THREAT: The target Microsoft Windows is missing a security update described in Microsoft Security Advisory MS05-033. This update fixes a vulnerability in the telnet client that could lead to information disclosure.
IMPACT: An attacker could exploit this issue to read telnet session variables remotely.
SOLUTION: Microsoft has released a patch for this vulnerability. Check Microsoft Security Bulletin MS05-033 for details.

Microsoft ISA Server 2000 Cumulative Update Missing (MS05-034)
SEVERITY: Serious Serious-3 3
QUALYS ID: 90255
VENDOR REFERENCE: MS05-034, 899753
CVE REFERENCE: CAN-2005-1215
THREAT: Microsoft ISA Server 2000 at the target machine is missing the cumulative update described in the Microsoft Security Bulletin MS05-034.
IMPACT: This update fixes issues which could be exploited by an attacker to gain escalated privileges on the vulnerable system.
SOLUTION: Microsoft has released a patch for this vulnerability. Check Microsoft Security Bulletin MS05-034 for details.

These new vulnerability checks are included in Qualys vulnerability signatures v.1.11.46-6. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:
To perform a selective vulnerability scan, configure a scan profile use the following options:
  1. Enable scanning of TCP ports 135 and 139
  2. Enable Windows Authentication (specify Authentication records)
  3. Enable the following Qualys IDs:
    • 90252
    • 90253
    • 90254
    • 90255
    • 90256
    • 90257
    • 90258
    • 90259
    • 90260
    • 100026
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and enable scanning of UDP port 137
  5. If you would like to be notified if Authentication is unable to logon to a host, also include QID 105015
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.
Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/