April 11, 2006
Microsoft Security Bulletin: April 2006 Security Bulletin
Advisory Overview
April 11, 2006 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 5 new vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Vulnerability Details
Microsoft has released 5 security patches to fix 5 newly discovered flaws in Microsoft Windows, and Microsoft Office.

Qualys has released the following checks for these new vulnerabilities:
Cumulative Security Update for Internet Explorer Missing (MS06-013)
SEVERITY: Urgent Urgent-5 5
QUALYS ID: 100034
VENDOR REFERENCE: MS06-013 | 912812
CVE REFERENCE: CVE-2006-1359 | CVE-2006-1245 | CVE-2006-1359 | CVE-2006-1388 | CVE-2006-1185 | CVE-2006-1186 | CVE-2006-1188 | CVE-2006-1189 | CVE-2006-1190 | CVE-2006-1191 | CVE-2006-1192
CVSS SCORES: Base: 8 / Temporal: 6.3
THREAT: Multiple vulnerabilities have been found in IE that can be exploited by visiting malicious websites. They are:
  • DHTML Method Call Memory Corruption Vulnerability.
  • Multiple Event Handler Memory Corruption Vulnerability.
  • HTA Execution Vulnerability.
  • HTML Parsing Vulnerability.
  • COM Object Instantiation Memory Corruption Vulnerability.
  • HTML Tag Memory Corruption Vulnerability.
  • Double-Byte Character Parsing Memory Corruption Vulnerability.
  • Script Execution Vulnerability.
  • Cross-Domain Information Disclosure Vulnerability.
  • Address Bar Spoofing Vulnerability.
Details of individual vulnerabilities may be found in the referenced advisory.
IMPACT: If a user is logged on with administrative user rights, an attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
SOLUTION: Microsoft has released MS06-013 to address these issues. Please refer to the referenced advisory for details on remediation.

Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (MS06-014)
SEVERITY: Serious Serious-3 3
QUALYS ID: 90306
VENDOR REFERENCE: MS06-014 | 911562
CVSS SCORES: Base: 2.3 / Temporal: 1.8
THREAT: A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
IMPACT: If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
SOLUTION: Microsoft has released security bulletin MS06-014 to address this issue. Refer to the referenced document for further details.

Microsoft Windows Explorer Remote Code Execution Vulnerability (MS06-015)
SEVERITY: Urgent Urgent-5 5
QUALYS ID: 90305
VENDOR REFERENCE: MS06-015 | 908531
CVE REFERENCE: CVE-2006-0012
CVSS SCORES: Base: 8 / Temporal: 6.3
THREAT: A remote code execution vulnerability exists in Windows Explorer because of the way that it handles COM objects. To exploit this vulnerability, an attacker would need to convince a user to visit a Web site that could force a connection to a remote file server. This remote file server could then cause Windows Explorer to fail in a way that would allow code execution. An attacker who successfully exploits this vulnerability could take complete control of an affected system.

Microsoft has rated this vulnerability as Critical.
IMPACT: Successful exploitation could allow an attacker to remotely take complete control of an affected system. An attacker could then install programs, view, change, or delete data, and create new accounts with full user rights.
SOLUTION: Microsoft released security bulletin MS06-015 to address this issue.

Microsoft Outlook Express Cumulative Security Update Missing (MS06-016)
SEVERITY: Critical Critical-4 4
QUALYS ID: 90307
VENDOR REFERENCE: MS06-016 | 911567
CVE REFERENCE: CVE-2006-0014
CVSS SCORES: Base: 5.6 / Temporal: 4.1
THREAT: A remote code execution vulnerability exists in Outlook Express when using a Windows Address Book (.wab) file.
IMPACT: If a user is logged on with administrative user rights, an attacker who successfully exploits this vulnerability could take complete control of the affected system. An attacker could then install programs, view, change, or delete data, and create new accounts with full user rights.

Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
SOLUTION: Microsoft has released security bulletin MS06-016 to address this issue. Read the security bulletin for more information.

FrontPage Server Extensions Cross-Site Scripting Vulnerability (MS06-017)
SEVERITY: Medium Medium-2 2
QUALYS ID: 86739
VENDOR REFERENCE: MS06-017 | 917627
CVE REFERENCE: CVE-2006-0015
CVSS SCORES: Base: 2.3 / Temporal: 1.7
THREAT: FrontPage Server Extensions is a set of tools that can be installed on a Web site. They allow authorized personnel to manage the server, add or change content, and perform other tasks.

A cross-site scripting vulnerability exists that could allow an attacker to convince a user to run a malicious client-side script on behalf of a FrontPage Server Extensions user.
IMPACT: An attacker who successfully exploits this vulnerability could gain the same rights as the user's rights on the FrontPage Server Extensions 2002 or SharePoint Team Services 2002 server.
SOLUTION: Microsoft has released security bulletin MS06-017 to address this issue. Read the security bulletin for more information.

This new vulnerability check is included in Qualys vulnerability signatures v1.14.18-4. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100034
    • 90305
    • 90306
    • 90307
    • 86738
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.


Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/