August 08, 2006
Microsoft Security Bulletin: August 2006 Security Bulletin
Advisory Overview
August 8, 2006 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 12 new vulnerabilities present in Microsoft Windows and Microsoft Office that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Vulnerability Details
Microsoft has released 12 security patches to fix 23 newly discovered flaws in Microsoft Windows and Microsoft Office. Qualys has released the following checks for these new vulnerabilities:
| Vulnerability in Server Service Could Allow Remote Code Execution |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90336 |
| VENDOR REFERENCE: MS06-040, 921883 |
| CVE REFERENCE: CVE-2006-3439 |
| CVSS SCORES: Base: 10 / Temporal: 7.4 |
| THREAT: An unchecked buffer in the Server service is responsible for a remote code execution vulnerability. Any anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability. The Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC. Microsoft rates this update as critical. |
| IMPACT: An attacker who successfully exploited this vulnerability could take complete control of the affected system. |
| SOLUTION: Microsoft has released MS06-040 to address this issue. |
| Vulnerability in DNS Resolution Could Allow Remote Code Execution |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90337 |
| VENDOR REFERENCE: MS06-041, 920683 |
| CVE REFERENCE: CVE-2006-3440, CVE-2006-3441 |
| CVSS SCORES: Base: 8 / Temporal: 5.9 |
| THREAT: This update resolves two vulnerabilities in DNS and Winsock. Information available about the Winsock vulnerability indicates that for an attack to be successful the attacker would have to force the user to open a file or visit a website that is specially crafted to call the affected Winsock API. Microsoft rates this update as critical. |
| IMPACT: An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. |
| SOLUTION: Microsoft has released MS06-041 to address this issue. |
| Cumulative Security Update for Internet Explorer |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 100036 |
| VENDOR REFERENCE: MS06-042, 918899 |
| CVE REFERENCE: CVE-2006-3280, CVE-2006-3450, CVE-2006-3451, CVE-2006-3637, CVE-2006-3638, CVE-2006-3639, CVE-2006-3640, CVE-2004-1166 |
| CVSS SCORES: Base: 8 / Temporal: 6.3 |
| THREAT: This update resolves several newly discovered vulnerabilities. They are: Redirect Cross-Domain Information Disclosure Vulnerability; HTML Layout and Positioning Memory Corruption Vulnerability; CSS Memory Corruption Vulnerability; HTML Rendering Memory Corruption Vulnerability; COM Object Instantiation Memory Corruption Vulnerability; Source Element Cross-Domain Vulnerability; Window Location Information Disclosure Vulnerability; FTP Server Command Injection Vulnerability. Microsoft rates this update as critical. |
| IMPACT: An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. |
| SOLUTION: Microsoft has released MS06-042 to address this issue. |
| Vulnerability in Microsoft Windows Could Allow Remote Code Execution |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90340 |
| VENDOR REFERENCE: MS06-043, 920214 |
| CVE REFERENCE: CVE-2006-2766 |
| CVSS SCORES: Base: 8 / Temporal: 6.6 |
| THREAT: This update resolves a newly-discovered, publicly-reported vulnerability. Microsoft has rated this update as critical. The vulnerability results from incorrect parsing of the MHTML protocol. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially lead to remote code execution if a user visited a specially crafted Web site or clicked a link in a specially crafted e-mail message. |
| IMPACT: An attacker who successfully exploited this vulnerability could take complete control of an affected system. |
| SOLUTION: Microsoft has released MS06-043 to address this issue. |
| Vulnerability in Microsoft Management Console Could Allow Remote Code Execution |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90345 |
| VENDOR REFERENCE: MS06-044, 917008 |
| CVE REFERENCE: CVE-2006-3643 |
| CVSS SCORES: Base: 8 / Temporal: 5.9 |
| THREAT: Microsoft Management Console (MMC) is an integrated administration user interface and administration model for Windows-based environments. It is vulnerable to remote code execution. HTML embedded resource files in the Microsoft Management Console library can be directly referenced from the Internet or Intranet zone via Internet Explorer. Microsoft has rated this vulnerability as Critical. |
| IMPACT: If successfully exploited, an attacker could take complete control of an affected system. |
| SOLUTION: Microsoft released security bulletin MS06-044 to address this issue. Refer to the bulletin for further details. |
| Vulnerability in Windows Explorer Could Allow Remote Code Execution |
|---|
| SEVERITY: Serious |
| QUALYS ID: 90344 |
| VENDOR REFERENCE: MS06-045, 921398 |
| CVE REFERENCE: CVE-2006-3281 |
| CVSS SCORES: Base: 8 / Temporal: 5.9 |
| THREAT: A remote code execution vulnerability exists in Windows Explorer because of the way that Windows Explorer handles Drag and Drop events. An attacker could exploit the vulnerability by constructing a malicious web page that could allow an attacker to save a file on the user's system if a user visited a malicious web site or viewed a malicious e-mail message. Microsoft has rated this vulnerability as Important. |
| IMPACT: If successfully exploited, an attacker could take complete control of an affected system. |
| SOLUTION: Microsoft released security bulletin MS06-045 to address this issue. Refer to the bulletin for further details. |
| Vulnerability in HTML Help Could Allow Remote Code Execution |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90343 |
| VENDOR REFERENCE: MS06-046, 922616 |
| CVE REFERENCE: CVE-2006-3357 |
| CVSS SCORES: Base: 8 / Temporal: 5.9 |
| THREAT: Microsoft HTML Help is the help system for the Windows platform. The HTML Help ActiveX control is a program that is used to insert help navigation and secondary window functionality into an HTML file. There is a string buffer issue within the HTML Help ActiveX control. Microsoft has rated this vulnerability as Critical. |
| IMPACT: If successfully exploited, an attacker could take complete control of an affected system. |
| SOLUTION: Microsoft released security bulletin MS06-046 to address this issue. Refer to the bulletin for further details. |
| Microsoft Visual Basic for Applications Remote Code Execution Vulnerability |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90341 |
| VENDOR REFERENCE: MS06-047, 921645 |
| CVE REFERENCE: CVE-2006-3649 |
| CVSS SCORES: Base: 6.8 / Temporal: 5 |
| THREAT: A remote code execution vulnerability exists in the way that Visual Basic for Applications (VBA) checks the document properties that a host application passes to it when opening a document. This vulnerability could allow an attacker who successfully exploited the vulnerability to take complete control of the affected system. Microsoft has rated this vulnerability as Critical. |
| IMPACT: An attacker who successfully exploits this vulnerability could execute arbitrary code remotely and possibly take complete control of an affected system. |
| SOLUTION: Microsoft released security bulletin MS06-047 to address this issue. Refer to the bulletin for further details. |
| Microsoft PowerPoint Remote Code Execution Vulnerabilities |
|---|
| SEVERITY: Critical |
| QUALYS ID: 110038 |
| VENDOR REFERENCE: MS06-048, 922968 |
| CVE REFERENCE: CVE-2006-3449 |
| CVSS SCORES: Base: 8 / Temporal: 8 |
| THREAT: PowerPoint is exposed to multiple remote code execution vulnerabilities. PowerPoint is exposed to a remote code execution vulnerability which could be exploited when a file containing a malformed shape container is parsed by PowerPoint. A remote code execution vulnerability exists in PowerPoint and could be exploited when a file containing a malformed record is parsed by PowerPoint. Such files might be included in an e-mail attachment or hosted on a malicious web site. An attacker could exploit the vulnerability by constructing a specially crafted PowerPoint file that could allow remote code execution. |
| IMPACT: An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. |
| SOLUTION: Refer to Microsoft Security Advisory 922970 for further details and patches. |
| Windows Kernel Privilege Escalation Vulnerability |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90339 |
| VENDOR REFERENCE: MS06-049, 920958 |
| CVE REFERENCE: CVE-2006-3444 |
| CVSS SCORES: Base: 2.9 / Temporal: 2.1 |
| THREAT: There is a privilege elevation vulnerability in Windows 2000 caused by improper validation of system inputs. This vulnerability could allow a logged on user to take complete control of the system. Microsoft has rated this vulnerability as Critical. |
| IMPACT: If this vulnerability is successfully exploited, an attacker could remotely take complete control of the affected system or cause the affected system to stop responding. |
| SOLUTION: Microsoft released security bulletin MS06-049 to address this issue. Refer to the bulletin for further details. |
| Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90338 |
| VENDOR REFERENCE: MS06-050, 920670 |
| CVE REFERENCE: CVE-2006-3086 |
| CVSS SCORES: Base: 8 / Temporal: 5.9 |
| THREAT: This update resolves two vulnerabilities in the Windows Hyperlink Object Library that allow remote code execution. Microsoft rates this update as Important. |
| IMPACT: If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
| SOLUTION: Microsoft has released MS06-050 to address this issue. Please note that this update supersedes MS05-015. |
| Vulnerability in Windows Kernel Could Result in Remote Code Execution |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90342 |
| VENDOR REFERENCE: MS06-051, 917422 |
| CVE REFERENCE: CVE-2006-3443, CVE-2006-3648 |
| CVSS SCORES: Base: 4.8 / Temporal: 3.5 |
| THREAT: This update resolves multiple vulnerabilities in the Windows kernel. Microsoft has rated this vulnerability as Critical. |
| IMPACT: An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Microsoft has released MS06-051 to address this issue. |
These new vulnerability checks are included in Qualys vulnerability signatures v1.15.21-5. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.
SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
  - 90336
  - 90337
  - 100036
  - 90340
  - 90345
  - 90344
  - 90343
  - 90341
  - 110038
  - 90339
  - 90338
  - 90342
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if QualysGuard is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.
Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at: US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.
Access for QualysGuard customers: https://qualysguard.qualys.com
Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/
