Microsoft Security Bulletin: July 2006 Security Bulletin

July 11, 2006 – Qualys^® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard^® to protect organizations against the 7 new vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Microsoft has released 7 security patches to fix 18 newly discovered flaws in Microsoft Windows and Microsoft Office.

Qualys has released the following checks for these new vulnerabilities:

ASP.NET Could Allow Information Disclosure
SEVERITY: Medium  2
QUALYS ID: 90330
VENDOR REFERENCE: MS06-033, 917283
CVE REFERENCE: CVE-2006-1300
CVSS SCORES: Base: 4.7 / Temporal: 3.7
THREAT: ASP.NET is a collection of technologies within the .NET Framework that allows developers to build Web applications and XML Web services. ASP.NET 2.0 is vulnerable to an information disclosure vulnerability because it does not properly validate the URL passed.
IMPACT: An attacker could bypass ASP.NET security and gain unauthorized access to objects in the application folders explicitly by name. This could be exploited to produce information that could be used to further compromise the target host.
SOLUTION: Microsoft has released security bulletin MS06-033 to address this issue. Refer to the bulletin for further details. Microsoft has rated this vulnerability as Important.

Microsoft Internet Information Services Remote Code Execution Vulnerability
SEVERITY: Critical  4
QUALYS ID: 90328
VENDOR REFERENCE: MS06-034, 917537
CVE REFERENCE: CVE-2006-0026
CVSS SCORES: Base: 5.1 / Temporal: 3.8
THREAT: Internet Information Services (IIS) is exposed to a remote code execution vulnerability. An attacker could exploit this vulnerability by constructing a specially crafted Active Server Pages (ASP) file. An attacker must have valid login credentials but if a server has been purposely configured to allow users (either anonymous or authenticated) to upload Web content such as .ASP pages to Web sites, then the server could be exploited by this issue.
IMPACT: The exploitation of this vulnerability could allow remote code execution.
SOLUTION: Refer to Microsoft Security Bulletin MS06-034 for updates and further details. Microsoft has rated this vulnerability as Important.

Microsoft Windows Server Service Remote Code Execution Vulnerability
SEVERITY: Urgent  5
QUALYS ID: 90329
VENDOR REFERENCE: MS06-035, 917159
CVE REFERENCE: CVE-2006-1314, CVE-2006-1315
CVSS SCORES: Base: 8 / Temporal: 6.3
THREAT: A heap overflow vulnerability and an information disclosure vulnerability exists in the Mailslot and SMB server services respectively. An attacker who successfully exploits these issues could remotely take complete control of an affected system and read information stored in buffers for SMB traffic.
IMPACT: If successfully exploited, a remote attacker could take complete control of the affected system. The attacker could then install programs; view, change, or delete data; and create new accounts with full user rights.
SOLUTION: Microsoft released security bulletin MS06-035 to address this issue. Read the security bulletin for more information. Microsoft has rated this vulnerability as Critical.

Microsoft Windows DHCP Client Service Remote Code Execution Vulnerability
SEVERITY: Urgent  5
QUALYS ID: 90327
VENDOR REFERENCE: MS06-036, 914388
CVE REFERENCE: CVE-2006-2372
CVSS SCORES: Base: 5.6 / Temporal: 4.4
THREAT: A remote code execution vulnerability exists in Windows DHCP Client Service due to an unchecked buffer. An attacker could exploit the vulnerability by answering a DHCP request on the local subnet with a specially crafted DHCP response, and could take complete control of an affected system.
IMPACT: If successfully exploited, a remote attacker could take complete control of the affected system. The attacker could then install programs; view, change, or delete data; and create new accounts with full user rights.
SOLUTION: Microsoft released security bulletin MS06-036 to address this issue. Read the security bulletin for more information. Microsoft has rated this vulnerability as Critical.

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
SEVERITY: Critical  4
QUALYS ID: 110034
VENDOR REFERENCE: MS06-037, 917285
CVE REFERENCE: CVE-2006-1301, CVE-2006-1302, CVE-2006-1304, CVE-2006-1306, CVE-2006-1308, CVE-2006-1309, CVE-2006-2388, CVE-2006-3059
CVSS SCORES: Base: 3.4 / Temporal: 3
THREAT: This update resolves several newly discovered vulnerabilities in Microsoft Excel. At least one of these issues is being actively exploited. Vulnerabilities include: - Microsoft Excel Malformed SELECTION record Vulnerability - CVE-2006-1301 - Microsoft Excel Malformed SELECTION record Vulnerability - CVE-2006-1302 - Microsoft Excel Malformed COLINFO record Vulnerability - CVE-2006-1304 - Microsoft Excel Malformed OBJECT Record Vulnerability - CVE-2006-1306 - Microsoft Excel Malformed FNGROUPCOUNT Value Vulnerability - CVE-2006-1308 - Microsoft Excel Malformed LABEL record Vulnerability - CVE-2006-1309 - Microsoft Excel Rebuilding Vulnerability - CVE-2006-2388 - Microsoft Excel Malformed File Vulnerability - CVE-2006-3059
IMPACT: An attacker who successfully exploits these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
SOLUTION: Microsoft has released MS06-037 to address this issue. Microsoft rates this update as Important.

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
SEVERITY: Critical  4
QUALYS ID: 110035
VENDOR REFERENCE: MS06-038, 917284
CVE REFERENCE: CVE-2006-1316, CVE-2006-1540, CVE-2006-2389
CVSS SCORES: Base: 8 / Temporal: 5.9
THREAT: This update resolves several newly discovered, privately reported and public vulnerabilities. Vulnerabilities include: - Microsoft Office Parsing Vulnerability -- CVE-2006-1316 - Microsoft Office Malformed String Parsing Vulnerability -- CVE-2006-1540 - Microsoft Office Property Vulnerability -- CVE-2006-2389
IMPACT: An attacker could take complete control of the client workstation if the user is logged in to a vulnerable version of Microsoft Office with administrative rights.
SOLUTION: Microsoft has released security bulletin MS06-038 to address these issues. Microsoft has rated these vulnerabilities as Important.

Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution
SEVERITY: Critical  4
QUALYS ID: 110036
VENDOR REFERENCE: MS06-039, 915384
CVE REFERENCE: CVE-2006-0007, CVE-2006-0033
CVSS SCORES: Base: 8 / Temporal: 5.9
THREAT: This update resolves two recently discovered vulnerabilities related to the handling of malformed image files. Vulnerabilities include: - Microsoft Office Remote Code Execution Using a Malformed PNG Vulnerability -- CVE-2006-0033 - Microsoft Office Remote Code Execution Using a Malformed GIF Vulnerability -- CVE-2006-0007
IMPACT: An attacker could take complete control of the client workstation if the user is logged in to a vulnerable version of Microsoft Office with administrative rights.
SOLUTION: Microsoft has released security bulletin MS06-038 to address these issues. Microsoft has rated these issues as Important.

This new vulnerability check is included in Qualys vulnerability signatures v1.14.96-4. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

1. Ensure access to TCP ports 135 and 139 are available.
2. Enable Windows Authentication (specify Authentication Records).
3. Enable the following Qualys IDs:
   • 90330
   • 90328
   • 90329
   • 90327
   • 110034
   • 110035
   • 110036
4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.

For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102

QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/