May 08, 2007
Microsoft Security Bulletin: May 2007 Security Bulletin
Advisory Overview
May 8, 2007 – Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 7 new vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Vulnerability Details
Microsoft has released 7 security patches to fix 19 newly discovered flaws in Microsoft Windows.

Qualys has released the following checks for these new vulnerabilities:
Microsoft Excel Remote Code Execution Vulnerability
SEVERITY: Serious (3)
QUALYS ID: 110058
VENDOR REFERENCE: MS07-023, 934233
CVE REFERENCE: CVE-2007-0215, CVE-2007-1203, CVE-2007-1214
CVSS SCORES: Base 4.9 / Temporal 3.8
THREAT: Microsoft Excel has a vulnerability that exists when Excel handles files using malformed BIFF records, specially crafted set font values, and filter records.
IMPACT: This vulnerability may be exploited with the use of specially-crafted Excel files. If successfully exploited, this vulnerability could lead to remote code execution.
SOLUTION: Refer to Microsoft Security Bulletin MS07-023 for more information and patch instructions.

Microsoft has rated this issue as Critical.

Microsoft Word Remote Code Execution Vulnerabilities
SEVERITY: Critical (4)
QUALYS ID: 110055
VENDOR REFERENCE: MS07-024, 934232
CVE REFERENCE: CVE-2007-0035, CVE-2007-0870, CVE-2007-1202
CVSS SCORES: Base 8 / Temporal 6.8
THREAT: Microsoft Word is susceptible to the following vulnerabilities:
  • A remote code execution vulnerability exists in the way Microsoft Word handles data within an array.
  • A remote code execution vulnerability exists in the way Microsoft Word handles a specially crafted Word Document stream.
  • A remote code execution vulnerability exists in the way Microsoft Word parses certain rich text properties within a file.
IMPACT: If these vulnerabilities are successfully exploited, a remote attacker can execute arbitrary code on vulnerable machines.
SOLUTION: Refer to Microsoft Security Bulletin MS07-024 for further details on this vulnerability and patch instructions.

Microsoft has rated this issue as Critical.

Microsoft Office Remote Code Execution Vulnerability
SEVERITY: Urgent (5)
QUALYS ID: 110059
VENDOR REFERENCE: MS07-025, 934873
CVE REFERENCE: CVE-2007-1747
CVSS SCORES: Base 1.6 / Temporal 1.2
THREAT: A remote code execution vulnerability exists in the way Microsoft Office handles specially-crafted drawing objects. An attacker could exploit this vulnerability when Office parses a file and processes a malformed drawing object.
IMPACT: An attacker who successfully exploits this vulnerability could run arbitrary code on the affected system, which could lead to complete control of the affected system.
SOLUTION: Refer to Microsoft Security Bulletin MS07-025 for further details on this vulnerability and patch instructions.

Microsoft has rated these issues as Critical.

Microsoft Exchange Multiple Remote Code Execution Vulnerabilities
SEVERITY: Urgent (5)
QUALYS ID: 90395
VENDOR REFERENCE: MS07-026, 931832
CVE REFERENCE: CVE-2007-0220, CVE-2007-0039, CVE-2007-0213, CVE-2007-0221
CVSS SCORES: Base 8 / Temporal 5.9
THREAT: Microsoft Exchange is susceptible to the following vulnerabilities:
  • An information disclosure vulnerability because of the way Outlook Web Access (OWA) handles script-based attachments.
  • A denial of service vulnerability because of the way it handles calendar content requests.
  • A remote code execution vulnerability because of the way it decodes specially-crafted email messages.
  • A denial of service vulnerability because of the way it handles invalid IMAP requests.
IMPACT: An attacker who successfully exploits these vulnerabilities could take complete control of the affected system.
SOLUTION: Refer to Microsoft Security Bulletin MS07-026 for more information on affected versions and security updates.

Microsoft has rated these issues as Critical.

Microsoft Internet Explorer Cumulative Security Update
SEVERITY: Urgent (5)
QUALYS ID: 100046
VENDOR REFERENCE: MS07-027, 931768
CVE REFERENCE: CVE-2007-0942, CVE-2007-0944, CVE-2007-0945, CVE-2007-0946, CVE-2007-0947, CVE-2007-2221
CVSS SCORES: Base 1.6 / Temporal 1.3
THREAT: Multiple vulnerabilities exist in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution.
IMPACT: If a user is logged on with administrative user rights, an attacker who successfully exploits the most severe of these vulnerabilities could take complete control of an affected system.
SOLUTION: Refer to Microsoft Security Bulletin MS07-027 for further details on this vulnerability and patch instructions.

Microsoft has rated this issue as Important.

CAPICOM Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 115550
VENDOR REFERENCE: MS07-028, 931906
CVE REFERENCE: CVE-2007-0940
CVSS SCORES: Base 6.7 / Temporal 5
THREAT: CAPICOM (Cryptographic API Component Object Model) is a Microsoft ActiveX control that provides a COM interface to Microsoft CryptoAPI. It exposes a select set of CryptoAPI functions to enable application developers to easily incorporate digital signing and encryption functionality into their applications.

A remote code execution vulnerability exists in CAPICOM Certificates because of the way certain data inputs are handled. CAPICOM Certificates is an ActiveX control that provides scripters (VBS, ASP, ASP.NET, etc.) with a method for encrypting data based on secure underlying Windows CryptoAPI functionality.
IMPACT: An attacker who successfully exploits this vulnerability could take complete control of the affected system.
SOLUTION: Refer to Microsoft Security Bulletin MS07-028 for further details on this vulnerability and patch instructions.

Microsoft has rated this issue as Important.

Windows DNS RPC Interface Remote Code Execution Vulnerability
SEVERITY: Urgent (5)
QUALYS ID: 90394
VENDOR REFERENCE: MS07-029, 935966
CVE REFERENCE: CVE-2007-1748
CVSS SCORES: Base 10 / Temporal 8.1
THREAT: Remote Procedure Call (RPC) is a protocol that programs can use to request a service from a program located on another computer in a network.

A stack-based buffer overrun exists in the Remote Procedure Call (RPC) Management Interface in the Windows Domain Name System (DNS) Server service. A remote attacker could exploit the vulnerability by sending a specially-crafted RPC packet to an affected system.

Windows 2000 Server and Windows Server 2003 are affected.

Previously this was a zero day detection.
IMPACT: An attacker who successfully exploits this vulnerability is able to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.
SOLUTION: Refer to Microsoft Security Bulletin MS07-029 for further details on this vulnerability and patch instructions.

Microsoft has rated this issue as Critical.

This new vulnerability check is included in Qualys vulnerability signatures v1.17.47-5. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 110058
    • 110055
    • 110059
    • 90395
    • 100046
    • 115550
    • 90394
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if QualysGuard is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.


Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102