February 12, 2008
Qualys has released the following checks for these new vulnerabilities:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
Access for QualysGuard customers: https://qualysguard.qualys.com
Free trial of QualysGuard service: http://www.qualys.com/solutions/free/trials
Microsoft Security Bulletin: February 2008 Security Bulletin
Advisory Overview
February 12, 2008 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 11 new vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Vulnerability Details
Microsoft has released 11 security patches to fix 17 newly discovered flaws in Microsoft Windows.Qualys has released the following checks for these new vulnerabilities:
| Active Directory Denial of Service Vulnerability |
|---|
SEVERITY: Serious  3 |
| QUALYS ID: 90429 |
| VENDOR REFERENCE: MS08-003, 946538 |
| CVE REFERENCE: CVE-2008-0088 |
| CVSS SCORES: Base 6.8/ Temporal 5.3 |
| THREAT: This is an important security update which addresses a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM) on Windows XP and Windows Server 2003. This update validates client LDAP requests. |
| IMPACT: This vulnerability may result in a denial of service condition. To exploit this vulnerability on Windows Server 2003 and Windows XP, the attacker may require login credentials. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-003 for further information and patch instructions.
Microsoft has rated this issue as Critical. |
| Windows TCP/IP Denial of Service Vulnerability |
|---|
| SEVERITY: Serious 3 |
| QUALYS ID: 90426 |
| VENDOR REFERENCE: MS08-004, 946456 |
| CVE REFERENCE: CVE-2008-0084 |
| CVSS SCORES: Base 6.6/ Temporal 5.2 |
| THREAT: The vulnerability exists in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. |
| IMPACT: An attacker who successfully exploits this vulnerability could cause the affected system to stop responding and automatically restart. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-004 for further details on this vulnerability and patch instructions.
Microsoft has rated this issue as Important. |
| Internet Information Services Elevation of Privilege Vulnerability |
|---|
| SEVERITY: Serious 3 |
| QUALYS ID: 90424 |
| VENDOR REFERENCE: MS08-005, 942831 |
| CVE REFERENCE: CVE-2008-0074 |
| CVSS SCORES: Base 3.7/ Temporal 2.7 |
| THREAT: A local elevation of privilege vulnerability exists in the way that the Internet Information Service handles file change notifications in the "FTPRoot", "NNTPFile\Root", and "WWWRoot" folders. |
| IMPACT: An attacker who successfully exploits this vulnerability could execute arbitrary code in the context of a local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-005 for further details on this vulnerability and patch instructions.
Microsoft has rated the most severe of these issues as Important. |
| Internet Information Services Remote Code Execution Vulnerability |
|---|
SEVERITY: Critical  4 |
| QUALYS ID: 90428 |
| VENDOR REFERENCE: MS08-006, 942830 |
| CVE REFERENCE: CVE-2008-0075 |
| CVSS SCORES: Base 5.1/ Temporal 3.8 |
| THREAT: A remote code execution vulnerability exists in the way that Internet Information Services (IIS) handles input to ASP Web pages. |
| IMPACT: An attacker who successfully exploits this vulnerability could perform actions on the IIS Server with the same rights as the Worker Process Identity (WPI), which by default is configured with Network Service account privileges. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-006 for updates and further details.
Microsoft has rated this issue as Important. |
| WebDAV Mini-Redirector Remote Code Execution Vulnerability |
|---|
SEVERITY: Urgent  5 |
| QUALYS ID: 90425 |
| VENDOR REFERENCE: MS08-007, 946026 |
| CVE REFERENCE: CVE-2008-0080 |
| CVSS SCORES: Base 7.1/ Temporal 5.3 |
| THREAT: A remote code execution vulnerability exists in the way that the WebDAV Mini-Redirector handles responses. |
| IMPACT: An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-007 to address this issue.
Microsoft has rated this issue as Critical. |
| OLE Automation Remote Code Execution Vulnerability |
|---|
| SEVERITY: Critical 4 |
| QUALYS ID: 90427 |
| VENDOR REFERENCE: MS08-008, 947890 |
| CVE REFERENCE: CVE-2007-0065 |
| CVSS SCORES: Base 9.3/ Temporal 7.3 |
| THREAT: This is a critical security update that resolves a privately reported vulnerability. The vulnerability can be exploited when a user views a specially-crafted web page. This update adds a check on memory requests within OLE Automation. |
| IMPACT: The vulnerability could be exploited through attacks on Object Linking and Embedding (OLE) Automation. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative rights. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-008 for further details on this vulnerability and patch instructions.
Microsoft has rated this issue as Critical. |
| Microsoft Word Remote Code Execution Vulnerability |
|---|
| SEVERITY: Urgent 5 |
| QUALYS ID: 110070 |
| VENDOR REFERENCE: MS08-009, 947077 |
| CVE REFERENCE: CVE-2008-0109 |
| CVSS SCORES: Base 7.6/ Temporal 5.6 |
| THREAT: Microsoft Word is susceptible to a remote code execution vulnerability due to a memory calculation error when parsing a specially-crafted Word file. The error may corrupt system memory in such a way that an attacker could execute arbitrary code. |
| IMPACT: If a user opens a specially-crafted Word file, then an attacker could take complete control of the affected system. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-009 for further details on this vulnerability and patch instructions.
Microsoft has rated this issue as Critical. |
| Internet Explorer Cumulative Security Update |
|---|
| SEVERITY: Urgent 5 |
| QUALYS ID: 100055 |
| VENDOR REFERENCE: MS08-010, 944533 |
| CVE REFERENCE: CVE-2008-0076, CVE-2008-0077, CVE-2008-0078, CVE-2007-4790 |
| CVSS SCORES: Base 7.5/ Temporal 5.9 |
| THREAT: This critical security update involves Internet Explorer. This update resolves three privately reported vulnerabilities and one publicly reported vulnerability. This update modifies the way that Internet Explorer handles HTML and validates data, as well as by setting the kill bit for an ActiveX control. |
| IMPACT: The attacker can execute remote code using a specially-crafted Web page by Internet Explorer. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-010 for further details on this vulnerability, including a list of affected and non-affected software.
Microsoft has rated this issue as Critical. |
| Microsoft Works File Converter Remote Code Execution Vulnerabilities |
|---|
| SEVERITY: Urgent 5 |
| QUALYS ID: 110071 |
| VENDOR REFERENCE: MS08-011, 947081 |
| CVE REFERENCE: CVE-2007-0216, CVE-2008-0105, CVE-2008-0108 |
| CVSS SCORES: Base 7.6/ Temporal 5.6 |
THREAT: Microsoft Works File Converter contains multiple remote code execution vulnerabilities as described below.
|
| IMPACT: An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-011 for further information and patch instructions.
Microsoft has rated this issue as Important. |
| Microsoft Office Publisher Remote Code Execution Vulnerability |
|---|
| SEVERITY: Urgent 5 |
| QUALYS ID: 110072 |
| VENDOR REFERENCE: MS08-012, 947085 |
| CVE REFERENCE: CVE-2008-0102, CVE-2008-0104 |
| CVSS SCORES: Base 7.5/ Temporal 5.5 |
| THREAT: Microsoft Office Publisher is susceptible to remote code execution due to a memory corruption and invalid memory reference issue when parsing a specially-crafted Publisher file. The error may corrupt system memory in such a way that an attacker could execute arbitrary code. |
| IMPACT: If a user opens a specially-crafted Publisher file, then an attacker could take complete control of the affected system. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-012 for further details on this vulnerability and patch instructions.
Microsoft has rated this issue as Critical. |
| Microsoft Office Remote Code Execution Vulnerability |
|---|
| SEVERITY: Urgent 5 |
| QUALYS ID: 110069 |
| VENDOR REFERENCE: MS08-013, 947108 |
| CVE REFERENCE: CVE-2008-0103 |
| CVSS SCORES: Base 6.3/ Temporal 4.7 |
| THREAT: This vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office document with a malformed object inserted into the document. |
| IMPACT: An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-013 to address this issue.
Microsoft has rated this issue as Critical. |
This new vulnerability check is included in Qualys vulnerability signatures v1.19.64-4. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.
SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
- 90429
- 90426
- 90424
- 90428
- 90425
- 90427
- 110070
- 100055
- 110071
- 110072
- 110069
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.
Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.Access for QualysGuard customers: https://qualysguard.qualys.com
Free trial of QualysGuard service: http://www.qualys.com/solutions/free/trials
