Microsoft Security Bulletin: Multiple Security Vulnerabilities

August 09, 2005 – Qualys^TM Vulnerability R&D Lab has released 6 new vulnerability checks in QualysGuard^® to protect organizations against the new vulnerabilities present in several Microsoft technologies that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Microsoft has released 6 security patches to fix newly discovered flaws in several Microsoft technologies.

Qualys has released the following checks for these new vulnerabilities:

Microsoft Internet Explorer Cumulative Patch MS05-038 Not Installed (MS05-038)
SEVERITY: Urgent  5
QUALYS ID: 100029
VENDOR REFERENCE: MS05-038, 896727
CVE REFERENCE: CAN-2005-1988, CAN-2005-1989, CAN-2005-1990
THREAT: The target Microsoft Windows system is missing a cumulative update for Internet Explorer explained in Microsoft Security Bulletin MS05-038.
IMPACT: This update fixes vulnerabilities that could be exploited by a remote attacker.
SOLUTION: Refer to Microsoft Security Bulletin MS05-038 for more details and instructions on installing the patch.

Windows Plug and Play Remote Code Execution (MS05-039)
SEVERITY: Urgent  5
QUALYS ID: 90267
VENDOR REFERENCE: MS05-039, 899588
CVE REFERENCE: CAN-2005-1983
THREAT: The target Microsoft Windows system is missing the security update described in Microsoft Security Bulletin MS05-039. This update resolves a remote code execution vulnerability in the Plug and Play component of the operating system.
IMPACT: A remote attacker could take complete control of the system.
SOLUTION: Refer to Microsoft Security Bulletin MS05-039 for more details and instructions on downloading and installing the update.

Windows Telephony Service Remote Code Execution (MS05-040)
SEVERITY: Critical  4
QUALYS ID: 90268
VENDOR REFERENCE: MS05-040, 893756
CVE REFERENCE: CAN-2005-0058
THREAT: The target Windows system is vulnerable to a remote code execution issue in the Telephony Service as described in Microsoft Security Bulleting MS05-040.
IMPACT: This issue can cause remote code execution on the target system.
SOLUTION: Disable the Telephony Service. Refer to Microsoft Security Bulletin MS05-040 for more details and instructions on downloading the patches.

Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (MS05-041)
SEVERITY: Serious  3
QUALYS ID: 115267
VENDOR REFERENCE: MS05-041, 899591
CVE REFERENCE: CAN-2005-1218
THREAT: Remote Desktop Protocol, which is installed on the host, is missing the patch described in Microsoft Security Bulletin MS05-041. Remote Desktop Protocol (RDP) lets users create a virtual session on their desktop computers. It allows remote users to access all the data and applications on their computers. A vulnerability in the Remote Desktop Protocol (RDP) exists that could allow an attacker to cause a system to stop responding.
IMPACT: An attacker could cause this system to stop responding and automatically restart. During that time, the server would not respond to requests. Successful exploitation of this denial of service vulnerability could cause the affected system to stop accepting requests, however it could not allow an attacker to execute code or to elevate their user rights.
SOLUTION: The vendor has released a patch to address this issue. Refer to Microsoft Security Bulletin MS05-041 for more details and instructions on downloading and installing the update.

Kerberos Could Allow Denial of Service, Information Disclosure, and Spoofing (MS05-042)
SEVERITY: Serious  3
QUALYS ID: 90269
VENDOR REFERENCE: MS05-042, 899587
CVE REFERENCE: CAN-2005-1981
THREAT: A denial of service vulnerability could allow an attacker to send a specially-crafted message to a Windows domain controller, which could cause the service responsible for authenticating users in an Active Directory domain to stop responding. Another information disclosure and spoofing vulnerability is also reported. This vulnerability could allow an attacker to tamper with certain information that is sent from a domain controller, and potentially access sensitive client network communication. Users could believe they are accessing a trusted server when in reality they are accessing a malicious server.
IMPACT: An attacker who exploits this vulnerability could cause the affected system to stop responding and to restart. Also the attacker may get sensitive information and spoof a domain controller, which allows the attacker to see encrypted communication between the client and the domain controller.
SOLUTION: Microsoft has released a patch to address the issue. Refer to Microsoft Security Bulletin MS05-042 for more details and instructions on downloading and installing the update.

Windows Print Spooler Service Remote Code Execution (MS05-043)
SEVERITY: Urgent  5
QUALYS ID: 90270
VENDOR REFERENCE: MS05-043, 896423
CVE REFERENCE: CAN-2005-1984
THREAT: The target Microsoft Windows system is missing the security update described in Microsoft Security Bulletin MS05-043. This update resolves a remote code execution vulnerability in the Print Spooler service of the operating system.
IMPACT: A remote attacker could take complete control of the system.
SOLUTION: Refer to Microsoft Security Bulletin MS05-043 for more details and instructions on downloading and installing the update.

These new vulnerability checks are included in Qualys vulnerability signatures v1.11.98-6. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:
To perform a selective vulnerability scan, configure a scan profile use the following options:

1. Enable scanning of TCP ports 135 and 139
2. Enable Windows Authentication (specify Authentication records)
3. Enable the following Qualys IDs:
   • 90267
   • 90268
   • 90269
   • 90270
   • 100029
   • 115267
4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
5. If you would like to be notified if Authentication is unable to logon to a host, also include QID 105015

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.

For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102

QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/solutions/free/trials