March 14, 2006
Microsoft Security Bulletin: March 2006 Security Bulletin
Advisory Overview
March 14, 2006 – Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 2 new vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Vulnerability Details
Microsoft has released 2 security patches to fix 2 newly discovered flaws in Microsoft Windows and Microsoft Office.

Qualys has released the following checks for these new vulnerabilities:
Windows Services DACLs Privilege Elevation (MS06-011)
SEVERITY: Serious (3)
QUALYS ID: 90293
VENDOR REFERENCE: MS06-011 | 914798
CVE REFERENCE: CVE-2006-0023
CVSS SCORES: Base: 3.3 / Temporal: 2.8
THREAT: Security update MS06-011 is not installed.

A privilege elevation vulnerability exists on Windows XP Service Pack 1 on the identified Windows services where the permissions are set by default to a level that may allow a low-privileged user to change properties associated with the service. On Windows 2003 permissions on the identified services are set to a level that may allow a user that belongs to the network configuration operators group to change properties associated with the service. Only members of the Network Configuration Operators group on the targeted machine can remotely attack Windows Server 2003, and this group contains no users by default. The vulnerability could allow a user with valid logon credentials to take complete control of the system on Microsoft Windows XP Service Pack 1.

Proof of concept code exists that attempts to exploit overly permissive access controls on default services of Windows XP Service Pack 1 and Windows Server 2003.

Microsoft has rated this vulnerability as Important.
IMPACT: An attacker with low user privileges who successfully exploits this issue could elevate their privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Microsoft has released security bulletin MS06-011 to address this issue. Refer to the referenced document for further details.
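As an added illustration (not Qualys or Microsoft code), the following Python audits service security descriptors in the SDDL form printed by `sc sdshow <service>` and flags allow-ACEs that grant a low-privileged trustee (Authenticated Users, Network Configuration Operators, and so on) SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic write right, the over-permissive default that MS06-011 corrects. The SDDL strings embedded below are constructed samples, not output captured from a real host.

```python
import re

# SDDL right tokens as interpreted for service objects (standard SDDL-to-service mapping).
SERVICE_RIGHTS = {"CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
                  "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
                  "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
                  "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
                  "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
                  "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# Rights that let the holder change the service's binary, account or DACL (the MS06-011 risk).
DANGEROUS = {"DC": 0x2, "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GW": 0x40000000}
# Well-known non-administrative trustee aliases; "NO" is Network Configuration Operators.
LOW_PRIV = {"AU": "Authenticated Users", "BU": "Users", "WD": "Everyone",
            "IU": "Interactive", "NO": "Network Configuration Operators"}
# ACE layout: (ace_type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);[^;]*;[^;]*;([^)]+)\)")

def parse_dacl(sddl):
    """Return (ace_type, rights_tokens, trustee) for each ACE in the D: section."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0] if "D:" in sddl else ""
    aces = []
    for ace_type, _flags, rights, trustee in ACE_RE.findall(dacl):
        if rights.lower().startswith("0x"):  # numeric mask form, e.g. 0x2 = SERVICE_CHANGE_CONFIG
            mask = int(rights, 16)
            tokens = [t for t, bit in DANGEROUS.items() if mask & bit]
        else:  # two-letter token form
            tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append((ace_type, tokens, trustee))
    return aces

def audit_service(name, sddl):
    """List (service, trustee, right) for allow-ACEs that give a low-privileged
    trustee a right from DANGEROUS; an empty list means no over-permissive ACE."""
    findings = []
    for ace_type, tokens, trustee in parse_dacl(sddl):
        if ace_type != "A" or trustee not in LOW_PRIV:
            continue  # deny ACEs and administrative/system trustees are not the concern here
        for tok in tokens:
            if tok in DANGEROUS:
                findings.append((name, LOW_PRIV[trustee], SERVICE_RIGHTS[tok]))
    return findings

# Constructed sample descriptors in `sc sdshow` form (not captured from a real host).
SAMPLES = {
    "hardened": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "weak": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;0x2;;;NO)",
}
```

Running `audit_service` over the "weak" sample reports SERVICE_CHANGE_CONFIG for both Authenticated Users and Network Configuration Operators, while the "hardened" sample yields nothing.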

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS06-012)
SEVERITY: Urgent (5)
QUALYS ID: 90303
VENDOR REFERENCE: MS06-012 | 905413
CVE REFERENCE: CVE-2005-4131 | CVE-2006-0028 | CVE-2006-0029 | CVE-2006-0030 | CVE-2006-0031 | CVE-2006-0009
CVSS SCORES: Base: 8 / Temporal: 6.3
THREAT: The target does not have the Microsoft security update MS06-012 installed. MS06-012 addresses the following issues:

Microsoft Office Excel Remote Code Execution Using a Malformed Range Vulnerability - CVE-2005-4131
Microsoft Office Excel Remote Code Execution Using a Malformed File Format Parsing Vulnerability - CVE-2006-0028
Microsoft Office Excel Remote Code Execution Using a Malformed Description Vulnerability - CVE-2006-0029
Microsoft Office Excel Remote Code Execution Using a Malformed Graphic Vulnerability - CVE-2006-0030
Microsoft Office Excel Remote Code Execution Using a Malformed Record Vulnerability - CVE-2006-0031
Microsoft Office Remote Code Execution Using a Malformed Routing Slip Vulnerability - CVE-2006-0009

On vulnerable versions of Microsoft Office, if a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the client workstation.

Microsoft has rated this vulnerability as critical.
IMPACT: An attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
SOLUTION: Microsoft has released security bulletin MS06-012 to address this issue.

These new vulnerability checks are included in Qualys vulnerability signatures v1.13.91-4. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 90293
    • 90303
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.


Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/