October 10, 2006
Microsoft Security Bulletin: Multiple Security Vulnerabilities
Advisory Overview
October 10, 2006 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 10 new vulnerabilities present in Microsoft Windows, Microsoft Office and Microsoft .Net that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Vulnerability Details
Microsoft has released 10 security patches to fix 26 newly discovered flaws in Microsoft Windows, Microsoft Office and Microsoft .Net.

Qualys has released the following checks for these new vulnerabilities:
ASP.NET 2.0 Could Allow Information Disclosure
SEVERITY: Medium (2)
QUALYS ID: 90357
VENDOR REFERENCE: MS06-056, 922770
CVE REFERENCE: CVE-2006-3436
CVSS SCORES: Base 4.7 / Temporal 3.5
THREAT: ASP.NET is a collection of technologies within the .NET Framework that allows developers to build Web applications and XML Web services. ASP.NET 2.0 is prone to an information disclosure vulnerability that could allow a client-side script to be injected into the user's browser.
IMPACT: An attacker could gain unauthorized access to information. This vulnerability would not allow an attacker to execute code, but it could be used to acquire information that could be used to further compromise the affected system.
SOLUTION: Microsoft released security bulletin MS06-056 to address this vulnerability.

Microsoft has rated this issue as Moderate.

Vulnerability in Windows Explorer Could Allow Remote Execution
SEVERITY: Urgent (5)
QUALYS ID: 90352
VENDOR REFERENCE: MS06-057, 923191
CVE REFERENCE: CVE-2006-3730
CVSS SCORES: Base 8 / Temporal 7.6
THREAT: A vulnerability exists in Windows that is caused by an error in the Windows Shell and is exposed via the "setSlice()" method in the WebViewFolderIcon ActiveX control (webvw.dll). This can be exploited, for example, via Internet Explorer by a malicious Web site to corrupt memory by passing specially crafted arguments to the "setSlice()" method. Microsoft has rated this update as critical.
IMPACT: Successful exploitation allows execution of arbitrary code.
SOLUTION: Microsoft has released security advisory MS06-057 detailing workarounds for this issue.

Microsoft has rated this issue as Critical.

Microsoft PowerPoint Multiple Remote Code Execution Vulnerabilities
SEVERITY: Urgent (5)
QUALYS ID: 110043
VENDOR REFERENCE: MS06-058, 924163
CVE REFERENCE: CVE-2006-3435, CVE-2006-3876, CVE-2006-3877, CVE-2006-4694
CVSS SCORES: Base 10 / Temporal 8.6
THREAT: Microsoft PowerPoint is prone to multiple remote code execution vulnerabilities. An attacker could exploit these vulnerabilities by constructing a specially-crafted PowerPoint file that could allow remote code execution. Such files might be included in e-mail attachments or hosted on malicious web sites.
IMPACT: If a user is logged in with administrative rights, then an attacker who successfully exploits this vulnerability could take complete control of an affected system. The attacker could then install programs; view, change, or delete data; and create new accounts with full user rights.
SOLUTION: Refer to Microsoft Security Bulletin MS06-058 for further details and patches.

Microsoft has rated this vulnerability as Critical.

Microsoft Excel Multiple Remote Code Execution Vulnerabilities
SEVERITY: Urgent (5)
QUALYS ID: 110045
VENDOR REFERENCE: MS06-059, 924164
CVE REFERENCE: CVE-2006-2387, CVE-2006-3431, CVE-2006-3867, CVE-2006-3875
CVSS SCORES: Base 10 / Temporal 7.8
THREAT: Microsoft Excel is prone to multiple remote code execution vulnerabilities. An attacker could exploit these vulnerabilities when Excel parses a Lotus 1-2-3 file or parses a file that involves processing a malformed DATETIME, STYLE or COLINFO record.
IMPACT: If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Refer to Microsoft Security Bulletin MS06-059 for further details and patches.

Microsoft has rated this vulnerability as Critical.

Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
SEVERITY: Urgent (5)
QUALYS ID: 110046
VENDOR REFERENCE: MS06-060, 924554
CVE REFERENCE: CVE-2006-3647, CVE-2006-3651, CVE-2006-4534
CVSS SCORES: Base 8 / Temporal 5.9
THREAT: This update patches the following vulnerabilities:
  • Microsoft Word Vulnerability
  • Triggered while reading a malformed file
  • Microsoft Word Mail Merge Vulnerability
  • Microsoft Word Malformed Stack Vulnerability
IMPACT: When using vulnerable versions of Office, if a user were logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take complete control of the client workstation.
SOLUTION: Refer to Microsoft Security Bulletin MS06-060 for further details and patches.

Microsoft has rated this update as Critical.

Microsoft XML Core Services Could Allow Remote Code Execution
SEVERITY: Urgent (5)
QUALYS ID: 90356
VENDOR REFERENCE: MS06-061, 924191
CVE REFERENCE: CVE-2006-4685, CVE-2006-4686
CVSS SCORES: Base 4.7 / Temporal 3.5
THREAT: Microsoft XML Core Services, formerly known as the Microsoft XML Parser, allows customers to build XML-based applications that provide interoperability with other applications that adhere to the XML 1.0 standard. An information disclosure vulnerability exists because the XMLHTTP ActiveX control incorrectly interprets an HTTP server-side redirect. In addition, an issue exists in XSLT processing that could allow remote code execution on the target host.
IMPACT: If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
SOLUTION: Microsoft released security bulletin MS06-061 to address this vulnerability.

Microsoft has rated this issue as Critical.

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
SEVERITY: Critical (4)
QUALYS ID: 110044
VENDOR REFERENCE: MS06-062, 922581
CVE REFERENCE: CVE-2006-3434, CVE-2006-3650, CVE-2006-3864, CVE-2006-3868
CVSS SCORES: Base 4.3 / Temporal 3.2
THREAT: Office is exposed to the following security issues:
  • Office Improper Memory Access Vulnerability
  • Office Malformed Chart Record Vulnerability
  • Office Malformed Record Memory Corruption Vulnerability
  • Microsoft Office Smart Tag Parsing Vulnerability
IMPACT: If exploited, a remote attacker can gain complete control of the victim machine.
SOLUTION: Microsoft has released MS06-062 to address this issue. Please refer to the advisory for further details.

Microsoft has rated this issue as Critical.

Vulnerability in Server Service Could Allow Denial of Service
SEVERITY: Serious (3)
QUALYS ID: 90354
VENDOR REFERENCE: MS06-063, 923414
CVE REFERENCE: CVE-2006-3942, CVE-2006-4696
CVSS SCORES: Base 2.8 / Temporal 2.1
THREAT: Microsoft Server Service is exposed to the following denial of service issues:
  • Server Service Denial of Service Vulnerability
  • SMB Rename Vulnerability
This is due to improper handling of certain network packets.
IMPACT: An attacker could exploit the vulnerability by sending a specially crafted network message to a computer running the Server service. An attacker who successfully exploited this vulnerability could cause the computer to stop responding.
SOLUTION: Microsoft has released MS06-063 to address this issue. Please refer to the advisory for further details.

Microsoft has rated this issue as Important.

Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service
SEVERITY: Serious (3)
QUALYS ID: 90353
VENDOR REFERENCE: MS06-064, 922819
CVE REFERENCE: CVE-2004-0790, CVE-2004-0230, CVE-2005-0688
CVSS SCORES: Base 5 / Temporal 3.7
THREAT: Multiple denial of service vulnerabilities exist in the IPv6 Windows implementation of TCP.
IMPACT: Successful exploitation of this vulnerability could result in a denial of service by causing the affected system to drop existing TCP connections.
SOLUTION: Microsoft has released MS06-064 to address this issue. Please refer to the advisory for further details.

Microsoft has rated this issue as Low.

Vulnerability in Windows Object Packager Could Allow Remote Execution
SEVERITY: Urgent (5)
QUALYS ID: 90355
VENDOR REFERENCE: MS06-065, 924496
CVE REFERENCE: CVE-2006-4692
CVSS SCORES: Base 3.6 / Temporal 2.7
THREAT: A remote code execution vulnerability exists in Windows Object Packager because of the way that file extensions are handled. An attacker could exploit the vulnerability by constructing a specially crafted file that could potentially allow remote code execution if a user visited a specially crafted Web site.
IMPACT: Successful exploitation of this vulnerability could result in a complete compromise of the affected system.
SOLUTION: Microsoft has released MS06-065 to address this issue. Please refer to the advisory for further details.

Microsoft has rated this issue as Moderate.

These new vulnerability checks are included in Qualys vulnerability signatures v1.15.76-4. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

1. Ensure access to TCP ports 135 and 139 is available.
2. Enable Windows Authentication (specify Authentication Records).
3. Enable the following Qualys IDs:
  • 90357
  • 90352
  • 110043
  • 110045
  • 110046
  • 90356
  • 110044
  • 90354
  • 90353
  • 90355
4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
5. If you would like to be notified if QualysGuard is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.


Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102

About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/