Microsoft Security Bulletin: Multiple Security Vulnerabilities

November 14, 2006 – Qualys^® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard^® to protect organizations against the 6 new vulnerabilities present in Microsoft Windows and Microsoft XML Core Services that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Microsoft has released 6 security patches to fix 8 newly discovered flaws in Microsoft Windows and Microsoft XML Core Services.

Qualys has released the following checks for these new vulnerabilities:

Client Service for NetWare Multiple Remote Code Execution Vulnerabilities
SEVERITY: Critical  4
QUALYS ID: 90363
VENDOR REFERENCE: MS06-066, 923980
CVE REFERENCE: CVE ID: CVE-2006-4689, CVE-2006-4688
CVSS SCORES: Base 4.5/ Temporal 3.3
THREAT: Client Service for NetWare (CSNW) on Windows is exposed to multiple security issues. There is a remote code execution vulnerability in CSNW that could allow an attacker who successfully exploits this vulnerability to take complete control of the affected system. There is also a denial of service vulnerability in CSNW that could allow an attacker to send a specially-crafted network message to an affected system running the Client Service for NetWare service. An attacker could cause the system to stop responding.
IMPACT: As a result, a remote attacker can gain complete control of a vulnerable machine.
SOLUTION: Refer to Microsoft Security Bulletin MS06-066 for further details and patches. Microsoft has rated this issue as Important.

Cumulative Security Update for Internet Explorer
SEVERITY: Urgent  5
QUALYS ID: 100038
VENDOR REFERENCE: MS06-067, 922760
CVE REFERENCE: CVE-2006-4777, CVE-2006-4446, CVE-2006-4687
CVSS SCORES: Base 8/ Temporal 7.6
THREAT: A vulnerability exists in Internet Explorer due to a memory corruption error in the Microsoft Multimedia Controls ActiveX control (daxctle.ocx) in the "CPathCtl::KeyFrame()" function. This issue can be exploited by tricking a user into viewing a malicious HTML document passing specially-crafted arguments to the ActiveX control's "KeyFrame()" method. Another vulnerability addressed in this update comes from the way Internet Explorer interprets HTML with certain layout combinations. Note: This QID was reported previously as a zero day vulnerability by the service.
IMPACT: Successful exploitation of these issues allows a complete compromise of the affected system.
SOLUTION: Refer to Microsoft Security Bulletin MS06-067 for further details and patches. Microsoft has rated this issue as Critical.

Vulnerability in Microsoft Agent Could Allow Remote Code Execution
SEVERITY: Urgent  5
QUALYS ID: 90364
VENDOR REFERENCE: MS06-068, 920213
CVE REFERENCE: CVE ID: CVE-2006-3445
CVSS SCORES: Base 1.6/ Temporal 1.2
THREAT: Microsoft Agent is software technology that enables an enriched form of user interaction that can make using and learning to use a computer easier. A vulnerability exists in Microsoft Agent that could allow remote code to be executed via specially crafted .ACF files.
IMPACT: An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user viewed the Web page. An attacker who successfully exploited this vulnerability could take complete control of an affected.
SOLUTION: Refer to Microsoft Security Bulletin MS06-068 for further information and instructions on downloading the patch that fixes this issue. Microsoft has rated this issue as Critical.

Adobe Flash Player Multiple Remote Code Execution Vulnerabilities (APSB06-11)
SEVERITY: Urgent  5
QUALYS ID: 115409
VENDOR REFERENCE: MS06-069, 923789
CVE REFERENCE: CVE-2006-3014, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640
CVSS SCORES: Base 8/ Temporal 5.9
THREAT: Adobe Flash Player is prone to multiple remote code execution vulnerabilities. The application fails to properly check user-supplied input before copying the input into insufficiently-sized memory buffers. An attacker could exploit this issue by creating a media file containing large, dynamically-generated string data and then submitting it to be processed by the media player. This will cause the application to overwrite system memory at an explicit location. Adobe Flash Player 8.0.24.0 and earlier versions are vulnerable. Vulnerable versions of Flash Player are also redistributed with Microsoft Windows XP Service Pack 2 and Microsoft Windows XP Professional x64 Edition.
IMPACT: The successful exploitation of these remote code execution vulnerabilities could lead to race conditions, heap overflow vulnerabilities and stack overflow vulnerabilities. These issues allow remote attackers to execute arbitrary machine code in the context of the user running the application. Other attacks are also possible.
SOLUTION: Adobe released security bulletin APSB06-11APSB06-11 to address this issue. Customers who installed Flash Player through Adobe should read this bulletin and follow the Solution instructions. Users with a redistributed version of Flash Player from Microsoft Windows XP Service Pack 2 or Microsoft Windows XP Professional x64 Edition should read Microsoft Security Bulletin MS06-069 for vulnerability details and software update services. You may also refer to the Adobe security bulletin referenced above. Microsoft has rated this issue as Critical.

Vulnerability in Workstation Service Could Allow Remote Code Execution
SEVERITY: Urgent  5
QUALYS ID: 90365
VENDOR REFERENCE: MS06-070, 924270
CVE REFERENCE: CVE-2006-4691
CVSS SCORES: Base 10/ Temporal 7.4
THREAT: A remote code execution vulnerability exists in the Workstation service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.
IMPACT: An attacker who successfully exploits this vulnerability could gain complete control of the affected system.
SOLUTION: Refer to Microsoft Security Bulletin MS06-070 for further details and patches. Microsoft has rated this issue as Critical.

Microsoft XML Core Services Remote Code Execution Vulnerability
SEVERITY: Critical  4
QUALYS ID: 90361
VENDOR REFERENCE: MS06-071, 928088
CVE REFERENCE: CVE-2006-5745
CVSS SCORES: Base 10/ Temporal 9
THREAT: Microsoft XML Core Services (MSXML) allows developers who use applications such as JScript, Visual Basic Scripting Edition (VBScript), and Microsoft Visual Studio to create XML-based applications. MSXML includes the XMLHTTP ActiveX control, which allows Web pages to transmit or receive XML data via HTTP operations. A vulnerability exists in the XMLHTTP ActiveX control within Microsoft XML Core Services that could allow for remote code execution. An attacker could exploit the vulnerability by constructing a specially-crafted Web page that could potentially allow remote code execution if a user visits that page or clicks a link in an email message. Microsoft XML Core Services Versions 4.0 and 6.0 installed on all versions of Windows are affected. Note: This QID was reported previously as a zero day vulnerability by the service.
IMPACT: An attacker who successfully exploits this vulnerability could take complete control of an affected system.
SOLUTION: Refer to Microsoft Security Bulletin MS06-071 for more information and instructions on downloading the patch that fixes this issue. Microsoft has rated this issue as Critical.

This new vulnerability check is included in Qualys vulnerability signatures v1.16.5-5. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

1. Ensure access to TCP ports 135 and 139 are available.
2. Enable Windows Authentication (specify Authentication Records).
3. Enable the following Qualys IDs:
   • 90363
   • 100038
   • 90364
   • 115409
   • 90365
   • 90361
4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.

For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102

QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/