Microsoft Security Bulletin: December 2007 Security Bulletin

December 11, 2007 - Qualys^® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard^® to protect organizations against the 7 new vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Microsoft has released 7 security patches to fix 11 newly discovered flaws in Microsoft Windows.

Qualys has released the following checks for these new vulnerabilities:

Vulnerability in SMBv2 Could Allow Remote Code Execution
SEVERITY: Critical  4
QUALYS ID: 90417
VENDOR REFERENCE: MS07-063, 942624
CVE REFERENCE: CVE-2007-5351
CVSS SCORES: Base 5.1/ Temporal 3.8
THREAT: A remote code execution vulnerability exists in the SMBv2 protocol that could allow a remote anonymous attacker to run code with the privileges of the logged on user.
IMPACT: An attacker who successfully exploits this vulnerability could gain the same user rights as the local user.
SOLUTION: Refer to Microsoft Security Bulletin MS07-063 for further details, including a list of affected and non-affected software. Microsoft has rated this issue as Important.

DirectX Could Allow Remote Code Execution
SEVERITY: Critical  4
QUALYS ID: 90419
VENDOR REFERENCE: MS07-064, 941568
CVE REFERENCE: CVE-2007-3901, CVE-2007-3895
CVSS SCORES: Base 7.5/ Temporal 5.9
THREAT: Microsoft DirectX is used for streaming media on Microsoft Windows systems. Microsoft DirectX is vulnerable to a remote code execution due to insufficient parsing of the parameters of Synchronized Accessible Media Interchange (SAMI) file types and does not perform sufficient validation of WAV and AVI file parameters.
IMPACT: This could allow code execution if a user visits a specially-crafted Web site or opens a crafted file.
SOLUTION: Refer to Microsoft Security Bulletin MS07-064 for further details on this vulnerability and patch instructions. Microsoft has rated this issue as Critical.

Message Queuing Could Allow Remote Code Execution
SEVERITY: Serious  3
QUALYS ID: 70047
VENDOR REFERENCE: MS07-065, 937894
CVE REFERENCE: CVE-2007-3039
CVSS SCORES: Base 6.8/ Temporal 5.3
THREAT: The Message Queuing Service (MSMQ) is a messaging infrastructure and development tool for creating distributed messaging applications. A remote code execution vulnerability exists in the Message Queuing Service when it incorrectly validates input strings before passing the strings to a buffer.
IMPACT: An attacker who successfully exploits this vulnerability could gain local system rights which could allow remote code execution.
SOLUTION: Refer to Microsoft Security Bulletin MS07-065 for further details on this vulnerability and patch instructions. Microsoft has rated this issue as Important.

Windows Kernel Vulnerability Could Allow Elevation of Privilege
SEVERITY: Critical  4
QUALYS ID: 90420
VENDOR REFERENCE: MS07-066, 943078
CVE REFERENCE: CVE-2007-5350
CVSS SCORES: Base 7.5/ Temporal 5.9
THREAT: This security update addresses a privilege escalation vulnerability existing in Windows Kernel. An attacker who exploits this vulnerability can be allowed to gain complete control of the affected system.
IMPACT: An attacker may exploit this vulnerability to install programs; view, change, or delete data; or create new accounts with full administrative rights.
SOLUTION: Refer to Microsoft Security Bulletin MS07-066 for further details on this vulnerability and patch instructions. Microsoft has rated this issue as Critical.

Macrovision SECDRV.SYS Driver Vulnerability on Windows Could Allow Elevation of Privilege
SEVERITY: Serious  3
QUALYS ID: 115657
VENDOR REFERENCE: MS07-067, 944653
CVE REFERENCE: CVE-2007-5587
CVSS SCORES: Base 6.9/ Temporal 5.6
THREAT: The Macrovision secdrv.sys driver is vulnerable to a buffer overflow due to incorrectly handling the configuration parameters. Windows XP and 2003 hosts are vulnerable.
IMPACT: An attacker can exploit this vulnerability by overwriting arbitrary memory locations, thus gaining privileges or executing code.
SOLUTION: Refer to Microsoft Security Bulletin MS07-067 for further details on this vulnerability and patch instructions. Microsoft has rated this issue as Important.

Windows Media File Format Could Allow Remote Code Execution
SEVERITY: Urgent  5
QUALYS ID: 90418
VENDOR REFERENCE: MS07-068, 941569/944275
CVE REFERENCE: CVE-2007-0064
CVSS SCORES: Base 7.6/ Temporal 5.6
THREAT: A remote code execution vulnerability exists in Windows Media Format Runtime due to the way it handles Advanced Systems Format (ASF) files.
IMPACT: In client and server applications, an attacker who successfully exploits this vulnerability could take complete control of an affected system.
SOLUTION: Refer to Microsoft Security Bulletin MS07-068 for further details, including a list of affected and non-affected software. Microsoft has rated this issue as Critical.

Cumulative Security Update for Internet Explorer
SEVERITY: Urgent  5
QUALYS ID: 100054
VENDOR REFERENCE: MS07-069, 942615
CVE REFERENCE: CVE-2007-3902,CVE-2007-3903,CVE-2007-5344,CVE-2007-5347
CVSS SCORES: Base 7.5/ Temporal 5.9
THREAT: A critical remote code execution vulnerability exists in Internet Explorer. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles access to freed memory. Users whose accounts have fewer rights could be less impacted as compared to users having administrative rights.
IMPACT: This vulnerability can be exploited using a specially-crafted Web page using Internet Explorer which may result in remote code execution.
SOLUTION: Refer to Microsoft Security Bulletin MS07-069 for further details on this vulnerability, including a list of affected and non-affected software. Microsoft has rated this issue as Critical.

This new vulnerability check is included in Qualys vulnerability signatures v1.19.15-4. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

1. Ensure access to TCP ports 135 and 139 are available.
2. Enable Windows Authentication (specify Authentication Records).
3. Enable the following Qualys IDs:
   • 90417
   • 90419
   • 70047
   • 90420
   • 115657
   • 90418
   • 100054
4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.

For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102

QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/solutions/free/trials