June 13, 2006
Microsoft Security Bulletin: June 2006 Security Bulletin
Advisory Overview
June 13, 2006 – Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 12 new vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Vulnerability Details
Microsoft has released 12 security patches to fix 21 newly discovered flaws in Microsoft Windows, Microsoft Exchange, and Microsoft Office. Qualys has released the following checks for these new vulnerabilities:
| Cumulative Security Update for Internet Explorer Missing |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 100035 |
| VENDOR REFERENCE: MS06-021, 916281 |
| CVE REFERENCE: CVE-2006-1626, CVE-2006-2385, CVE-2006-2384, CVE-2005-4089, CVE-2006-1303, CVE-2006-2383, CVE-2006-2382, CVE-2006-2218 |
| CVSS SCORES: Base: 8 / Temporal: 7.6 |
| THREAT: Several vulnerabilities have been discovered in Microsoft Internet Explorer. The most severe of these vulnerabilities is caused by an error in the processing of certain sequences of nested "object" HTML tags. The specific issues addressed by this update are: Exception Handling Memory Corruption Vulnerability; HTML Decoding Memory Corruption Vulnerability; ActiveX Control Memory Corruption Vulnerability; COM Object Instantiation Memory Corruption Vulnerability; CSS Cross-Domain Information Disclosure Vulnerability; Address Bar Spoofing Vulnerability; MHT Memory Corruption Vulnerability; Address Bar Spoofing Vulnerability. |
| IMPACT: Successful exploitation of the most severe of these vulnerabilities can result in the attacker taking complete control of the target system. The others can be used to conduct phishing attacks. |
| SOLUTION: Microsoft has released MS06-021 to address this issue. Please refer to the advisory for details on how to patch your system. |
| Microsoft ART Image Rendering Remote Code Execution Vulnerability |
|---|
| SEVERITY: Serious |
| QUALYS ID: 90317 |
| VENDOR REFERENCE: MS06-022, 918439 |
| CVE REFERENCE: CVE-2006-2378 |
| CVSS SCORES: Base: 5.6 / Temporal: 4.4 |
| THREAT: There is a remote code execution vulnerability in the way that Windows handles ART images. An attacker could exploit this vulnerability by constructing a specially crafted ART image which could potentially allow remote code execution if a user visits a Web site or views a specially crafted email message. |
| IMPACT: An attacker who successfully exploits this vulnerability could execute arbitrary code and take complete control of an affected system. |
| SOLUTION: Microsoft released security bulletin MS06-022 to address this issue. Refer to the bulletin for further details. Microsoft has rated this vulnerability as Critical. |
| Microsoft JScript Remote Code Execution Vulnerability |
|---|
| SEVERITY: Serious |
| QUALYS ID: 90320 |
| VENDOR REFERENCE: MS06-023, 917344 |
| CVE REFERENCE: CVE-2006-1313 |
| CVSS SCORES: Base: 5.6 / Temporal: 4.4 |
| THREAT: There is a remote code execution vulnerability in JScript. An attacker could exploit this vulnerability by constructing a specially crafted JScript that could potentially allow remote code execution if a user visits a Web site or views a specially crafted email message. |
| IMPACT: An attacker who successfully exploits this vulnerability could execute arbitrary code remotely and take complete control of an affected system. |
| SOLUTION: Microsoft has released security bulletin MS06-023 to address this issue. Refer to the bulletin for further details. Microsoft has rated this vulnerability as Critical. |
| Microsoft Windows Media Player PNG Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90314 |
| VENDOR REFERENCE: MS06-024, 917734 |
| CVE REFERENCE: CVE-2006-0025 |
| CVSS SCORES: Base: 10 / Temporal: 7.8 |
| THREAT: A remote code execution vulnerability exists in Windows Media Player due to the way it handles the processing of PNG images. An attacker could exploit the vulnerability by constructing crafted Windows Media Player content that could allow remote code execution if a user visits a malicious Web site or opens an email message with malicious content. |
| IMPACT: An attacker who successfully exploits this vulnerability could execute arbitrary code remotely and take complete control of an affected system. |
| SOLUTION: Microsoft released security bulletin MS06-024 to address this issue. Refer to the bulletin for further details. Microsoft has rated this vulnerability as Critical. |
| Windows Routing and Remote Access Could Allow Remote Code Execution |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90319 |
| VENDOR REFERENCE: MS06-025, 911280 |
| CVE REFERENCE: CVE-2006-2370, CVE-2006-2371 |
| CVSS SCORES: Base: 10 / Temporal: 7.8 |
| THREAT: Microsoft Windows Routing and Remote Access Service (RRAS) makes it possible for a computer to function as a network router. The Remote Access Service (RAS) lets users connect to a remote computer so they can work as if their system were physically connected to the remote network. The Remote Access Service is a native service in Windows 2000, Windows XP and Windows Server 2003. There is an unchecked buffer in the Routing and Remote Access Service. |
| IMPACT: An attacker who successfully exploits this vulnerability could take complete control of an affected system. |
| SOLUTION: Microsoft has released security bulletin MS06-025 to address this issue. Refer to the bulletin for further details. Microsoft has rated this vulnerability as Critical. |
| Vulnerability in Microsoft Word Could Allow Remote Code Execution |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90312 |
| VENDOR REFERENCE: MS06-027, 917336 |
| CVE REFERENCE: CVE-2006-2492 |
| CVSS SCORES: Base: 8 / Temporal: 8 |
| THREAT: A vulnerability is known to exist in Microsoft Word that is actively being exploited. The exploitation relies on a user opening an email attachment from an attacker. The issue arises from the use of a malformed object pointer. Microsoft rates this vulnerability as critical. |
| IMPACT: A successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; take screenshots; enumerate open windows; create its own application window; and lock, restart or shut down Windows. |
| SOLUTION: Microsoft has released MS06-027 to address this issue. Please refer to the advisory for details on how to patch your system. |
| Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution |
|---|
| SEVERITY: Serious |
| QUALYS ID: 90315 |
| VENDOR REFERENCE: MS06-028, 916768 |
| CVE REFERENCE: CVE-2006-0022 |
| CVSS SCORES: Base: 5.3 / Temporal: 3.9 |
| THREAT: There is a remote code execution vulnerability in PowerPoint that uses a malformed record. An attacker could exploit the vulnerability by constructing a specially crafted PowerPoint file that could allow remote code execution. |
| IMPACT: If a user is logged on with administrative user rights, an attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Microsoft has released security bulletin MS06-028 to address this issue. Refer to the advisory for details on how to patch your system. Microsoft has rated this vulnerability as Critical. |
| Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90318 |
| VENDOR REFERENCE: MS06-029, 912442 |
| CVE REFERENCE: CVE-2006-1193 |
| CVSS SCORES: Base: 1.7 / Temporal: 1.3 |
| THREAT: Microsoft Exchange Server running Outlook Web Access is exposed to a remote script execution issue. An attacker can trick a user into executing a malicious script contained within an email message. These versions are affected: Microsoft Exchange Server 2000 with Service Pack 3 with the August 2004 Exchange 2000 Server Post-Service Pack 3 Update Rollup, Microsoft Exchange Server 2003 with Service Pack 1 and Microsoft Exchange Server 2003 with Service Pack 2. |
| IMPACT: An attacker who successfully exploits this vulnerability could execute arbitrary code remotely and possibly take complete control of an affected system. |
| SOLUTION: Please refer to Microsoft security bulletin MS06-029 for updates and further details. Microsoft has rated this vulnerability as Important. |
| Microsoft Windows SMB Could Allow Elevation of Privilege |
|---|
| SEVERITY: Serious |
| QUALYS ID: 90323 |
| VENDOR REFERENCE: MS06-030, 914389 |
| CVE REFERENCE: CVE-2006-2373, CVE-2006-2374 |
| CVSS SCORES: Base: 4.8 / Temporal: 3.8 |
| THREAT: Microsoft Windows Server Message Block |
| IMPACT: If this vulnerability is successfully exploited, an attacker could remotely take complete control of the affected system or cause the affected system to stop responding. |
| SOLUTION: Microsoft has released security bulletin MS06-030 to address this issue. Refer to the bulletin for further details. Microsoft has rated this vulnerability as Important. |
| Microsoft RPC Mutual Authentication Spoofing Vulnerability |
|---|
| SEVERITY: Serious |
| QUALYS ID: 90322 |
| VENDOR REFERENCE: MS06-031, 917736 |
| CVE REFERENCE: CVE-2006-2380 |
| CVSS SCORES: Base: 3.7 / Temporal: 2.9 |
| THREAT: There is a spoofing vulnerability in the way that RPC handles mutual authentication. This vulnerability affects custom RPC applications acting as RPC clients using SSL with the mutual authentication option. An attacker who successfully exploited this vulnerability could impersonate a valid RPC server. This issue affects Microsoft Windows 2000 Service Pack 4 and earlier. |
| IMPACT: This vulnerability could allow an attacker to persuade a user to connect to a malicious RPC server which appears to be valid. |
| SOLUTION: Microsoft released security bulletin MS06-031 to address this issue. Please refer to the bulletin for further details. Microsoft has rated this vulnerability as Moderate. |
| Vulnerability in TCP/IP Could Allow Remote Code Execution |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90316 |
| VENDOR REFERENCE: MS06-032, 917953 |
| CVE REFERENCE: CVE-2006-2379 |
| CVSS SCORES: Base: 8 / Temporal: 5.9 |
| THREAT: There is a remote code execution vulnerability in the TCP/IP Protocol driver that results from an unchecked buffer. IP source routing is a mechanism which allows the sender to determine the IP route that a datagram should take through the network. It is disabled by default in XP SP2 and W2K3 SP1 systems. An attacker could try to exploit the vulnerability by creating a specially crafted network packet and sending the packet to an affected system. |
| IMPACT: An attacker who successfully exploits this vulnerability could take complete control of the affected system. |
| SOLUTION: Microsoft has released security bulletin MS06-032 to address this issue. Refer to the advisory for details on how to patch your system. Microsoft has rated this vulnerability as Important. |
These new vulnerability checks are included in Qualys vulnerability signatures v1.14.75-6. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.
SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
  - 100035
  - 90317
  - 90320
  - 90314
  - 90319
  - 90312
  - 90315
  - 90318
  - 90323
  - 90322
  - 90316
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if QualysGuard is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.
Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at: US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.
Access for QualysGuard customers: https://qualysguard.qualys.com
Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/
