August 12, 2008
Microsoft Security Bulletin: August 2008 Security Bulletin
Advisory Overview

August 12, 2008 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 11 new vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Listen to Podcast
Vulnerability Details

Microsoft has released 11 security patches to fix newly discovered flaws in Microsoft Windows.

Qualys has released the following checks for these new vulnerabilities:


Microsoft Access Snapshot Viewer ActiveX Control Vulnerability
SEVERITY: Urgent Urgent-5 5
QUALYS ID: 110081
VENDOR REFERENCE: MS08-041, 955617
CVE REFERENCE: CVE-2008-2463
CVSS SCORES: Base 6.8/ Temporal 6.5
THREAT: This security update resolves a privately reported vulnerability in the ActiveX control for the Snapshot Viewer for Microsoft Access. This issue is caused by a design error in the "snapview.ocx" ActiveX control that does not restrict access to certain methods and allows files to be automatically downloaded to arbitrary locations on a user's system.
  • Affected products:
  • Snapshot Viewer for Microsoft Access
  • Microsoft Office Access 2000
  • Microsoft Office Access 2002
  • Microsoft Office Access 2003
IMPACT: An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

Note: The vulnerability is currently being actively exploited.
SOLUTION: Refer to Microsoft Security Bulletin MS08-041 for further details on this vulnerability and patch instructions.

Microsoft has rated this issue as Critical.

Microsoft Word Could Allow Remote Code Execution
SEVERITY: Critical Critical-4 4
QUALYS ID: 110082
VENDOR REFERENCE: MS08-042, 955048
CVE REFERENCE: CVE-2008-2244
CVSS SCORES: Base 9.3/ Temporal 7.3
THREAT: Microsoft Word versions 2002 and 2003 are vulnerable to a remote code execution issue when handling specially crafted Word files with a malformed record value.

Previously this was a Zero Day.
IMPACT: If the vulnerability is successfully exploited, this could result in the execution of arbitrary code.
SOLUTION: Refer to Microsoft Security Bulletin MS08-042 for further details on this vulnerability and patch instructions.

Microsoft has rated this issue as Important.

General recommendation: Do not open or save Microsoft Office files that you receive from untrusted sources.

Microsoft Excel Could Allow Remote Code Execution
SEVERITY: Critical Critical-4 4
QUALYS ID: 110084
VENDOR REFERENCE: MS08-043, 954066
CVE REFERENCE: CVE-2008-3003, CVE-2008-3004,CVE-2008-3005,CVE-2008-3006
CVSS SCORES: Base 9.3/ Temporal 8.1
THREAT: Microsoft Excel is prone to multiple remote code execution vulnerabilities. The security update addresses the following issues:
  • Excel Credential Caching Vulnerability (CVE-2008-3003)
  • Excel Indexing Validation Vulnerability (CVE-2008-3004)
  • Excel Index Array Vulnerability (CVE-2008-3005)
  • Excel Record Parsing Vulnerability (CVE-2008-3006)
IMPACT: An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Refer to Microsoft Security Bulletin MS08-043 for further details on this vulnerability, including a list of affected and non-affected software.

Microsoft has rated this issue as Critical.

Microsoft Office Filters Could Allow Remote Code Execution
SEVERITY: Critical Critical-4 4
QUALYS ID: 110085
VENDOR REFERENCE: MS08-044, 924090
CVE REFERENCE: CVE-2008-3019, CVE-2008-3018, CVE-2008-3020, CVE-2008-3021, CVE-2008-3460
CVSS SCORES: Base 7.6/ Temporal 5.6
THREAT: Microsoft Office Filters contain the following vulnerabilities:
  • A remote code execution vulnerability exists in the way that a Microsoft Office filter handles a malformed graphics image. (CVE-2008-3019)
  • A remote code execution vulnerability exists in the way that Microsoft Office handles a PICT-format image file. (CVE-2008-3018 and CVE-2008-3021)
  • A remote code execution vulnerability exists in the way that Microsoft Office handles a BMP format image file. (CVE-2008-3020)
  • A remote code execution vulnerability exists in the way that Microsoft Office handles a WordPerfect Graphics (WPG) format image file. (CVE-2008-3460)
IMPACT: An attacker who successfully exploits this vulnerability could take complete control of an affected system. Significant user interaction is required to exploit this vulnerability.
SOLUTION: Microsoft has released security bulletin MS08-044 to address these issues.

Microsoft has rated this issue as Critical.

Microsoft Internet Explorer Cumulative Security Update
SEVERITY: Critical Critical-4 4
QUALYS ID: 100059
VENDOR REFERENCE: MS08-045, 953838
CVE REFERENCE: CVE-2008-2254,CVE-2008-2255,CVE-2008-2256,CVE-2008-2257,CVE-2008-2258
CVSS SCORES: Base 8.3/ Temporal 6.5
THREAT: This critical security update resolves vulnerabilities existing in Microsoft Internet Explorer which are present due to HTML Objects Memory Corruption, Uninitialized Memory Corruption and Html Component Handling.
IMPACT: These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
SOLUTION: Refer to Microsoft Security Bulletin MS08-045 for further details on this vulnerability, including a list of affected and non-affected software.

Microsoft has rated this issue as Critical.

Microsoft Windows Image Color Management System Could Allow Remote Code Execution
SEVERITY: Critical Critical-4 4
QUALYS ID: 90450
VENDOR REFERENCE: MS08-046, 952954
CVE REFERENCE: CVE-2008-2245
CVSS SCORES: Base 6.6/ Temporal 5.1
THREAT: This update resolves a privately reported vulnerability in the Microsoft Image Color Management (ICM) system that could allow remote code execution in the context of the current user.
IMPACT: If a user is logged on with administrative user rights, an attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Refer to Microsoft Security Bulletin MS08-046 for further details on these vulnerabilities and patch instructions.

This security update addresses the vulnerabilities by modifying the way that the Microsoft Color Management System (MSCMS) module of the Microsoft ICM component parses malformed image files and allocates memory.

Microsoft has rated this issue as Critical.

Microsoft IPsec Policy Processing Information Disclosure Vulnerability
SEVERITY: Serious Serious-3 3
QUALYS ID: 90447
VENDOR REFERENCE: MS08-047, 953733
CVE REFERENCE: CVE-2008-2246
CVSS SCORES: Base 6.4/ Temporal 5
THREAT: This security update resolves a vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied.
IMPACT: An attacker who successfully exploits these vulnerabilities could cause systems to ignore IPsec policies and transmit network traffic in clear text, disclosing information intended to be encrypted on the network. An attacker viewing the traffic on the network would be able to view and possibly modify the contents of the traffic. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system(s) or network(s).
SOLUTION: Refer to Microsoft Security Bulletin MS08-047 for further details on this vulnerability and patch instructions.

Microsoft has rated this issue as Important.

Security Update for Outlook Express and Windows Mail
SEVERITY: Serious Serious-3 3
QUALYS ID: 90451
VENDOR REFERENCE: MS08-048, 951066
CVE REFERENCE: CVE-2008-1448
CVSS SCORES: Base 4/ Temporal 3
THREAT: An information disclosure vulnerability exists in Outlook Express and Windows Mail because the MHTML protocol handler incorrectly interprets MHTML URL redirections that could potentially bypass Internet Explorer domain restrictions when returning MHTML content.
IMPACT: An attacker who successfully exploits this vulnerability could read data from another Internet Explorer domain or the local computer.
SOLUTION: Refer to Microsoft Security Bulletin MS08-048 for further details on this vulnerability and patch instructions.

Microsoft has rated this issue as Critical.

Microsoft Event System Could Allow Remote Code Execution
SEVERITY: Critical Critical-4 4
QUALYS ID: 90448
VENDOR REFERENCE: MS08-049, 950974
CVE REFERENCE: CVE-2008-1457, CVE-2008-1456
CVSS SCORES: Base 6.2/ Temporal 4.9
THREAT: This update resolves two privately reported vulnerabilities in Microsoft Windows Event System that could allow remote code execution.
IMPACT: An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.
SOLUTION: Refer to Microsoft Security Bulletin MS08-049 for further details on these vulnerabilities and patch instructions.

This security update addresses the vulnerabilities by changing the way that Event System handles per-user subscriptions.

Microsoft has rated this issue as Important.

Microsoft Windows Messenger Information Disclosure Vulnerability
SEVERITY: Critical Critical-4 4
QUALYS ID: 90449
VENDOR REFERENCE: MS08-050, 955702
CVE REFERENCE: CVE-2008-0082
CVSS SCORES: Base 8.5/ Temporal 6.6
THREAT: An information disclosure vulnerability exists in Windows Messenger which occurs due to scripting of a particular ActiveX control (Messenger.UIAutomation.1).
IMPACT: An attacker could change state, get contact information and initiate audio and video chat sessions without the knowledge of the logged on user. An attacker could also impersonate the user by capturing the user's logon ID and remotely log on to the user's Messenger client.
SOLUTION: Microsoft released security bulletin MS08-050 to address this issue.

Microsoft has rated this issue as Important.

Microsoft PowerPoint Could Allow Remote Code Execution
SEVERITY: Urgent Urgent-5 5
QUALYS ID: 110083
VENDOR REFERENCE: MS08-051, 949785
CVE REFERENCE: CVE-2008-0120,CVE-2008-0121,CVE-2008-1455
CVSS SCORES: Base 9.7/ Temporal 7.6
THREAT: Three vulnerabilities exist in Microsoft Office PowerPoint and Microsoft Office PowerPoint Viewer that could allow remote code execution.

The security update addresses the following issues
  • Memory Allocation Vulnerability (CVE-2008-0120)
  • Memory Calculation Vulnerability (CVE-2008-0121)
  • Parsing Overflow Vulnerability (CVE-2008-1455)
IMPACT: An attacker who successfully exploits any of these vulnerabilities could take complete control of an affected system.
SOLUTION: Refer to Microsoft Security Bulletin MS08-051 for further details on these vulnerabilities and patch instructions.

Microsoft has rated this issue as Critical.

This new vulnerability check is included in Qualys vulnerability signatures v1.20.12-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 110081
    • 110082
    • 110084
    • 110085
    • 100059
    • 90450
    • 90447
    • 90451
    • 90448
    • 90449
    • 110083
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.


Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/solutions/free/trials
On Demand Security