October 14, 2008
Microsoft Security Bulletin: October 14 2008 Security Bulletin
Advisory Overview

October 14, 2008 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the 11 new vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Vulnerability Details

Microsoft has released 11 security patches to fix newly discovered flaws in Microsoft Windows.

Qualys has released the following checks for these new vulnerabilities:


Microsoft Office XP Information Disclosure Vulnerability
SEVERITY: Serious (3)
QUALYS ID: 110089
VENDOR REFERENCE: MS08-056
CVE REFERENCE: CVE-2008-4020
CVSS SCORES: Base 7.8/ Temporal 5.8
THREAT: An information disclosure vulnerability exists in Microsoft Office XP Service Pack 3 when the Office application processes documents using the CDO Protocol and the Content-Disposition: Attachment header.
IMPACT: An attacker who successfully exploits this vulnerability could inject a client side script in the user's browser that could spoof content or disclose information.
SOLUTION: Refer to Microsoft Security Bulletin MS08-056 to address this issue.

Microsoft has rated this issue as Moderate.

Microsoft Excel Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 110088
VENDOR REFERENCE: MS08-057
CVE REFERENCE: CVE-2008-3477, CVE-2008-3471, CVE-2008-4019
CVSS SCORES: Base 7.5/ Temporal 5.5
THREAT: Microsoft Excel is prone to multiple remote code execution vulnerabilities. The security update addresses the following issues:
  • Calendar Object Validation Vulnerability (CVE-2008-3477) due to insufficient validation of data in the VBA Performance Cache.
  • File Format Parsing Vulnerability (CVE-2008-3471) due to improper memory allocation when loading Excel Objects.
  • Formula Parsing Vulnerability (CVE-2008-4019) due to insufficient handling when parsing Excel documents containing crafted formulas inside a cell.
IMPACT: An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Refer to Microsoft Security Bulletin MS08-057 for further details on this vulnerability, including a list of affected and non-affected software.

Microsoft has rated this issue as Critical.

Microsoft Internet Explorer Cumulative Security Update
SEVERITY: Critical (4)
QUALYS ID: 100063
VENDOR REFERENCE: MS08-058
CVE REFERENCE: CVE-2008-2947, CVE-2008-3472, CVE-2008-3473, CVE-2008-3474, CVE-2008-3475, CVE-2008-3476
CVSS SCORES: Base 5.1/ Temporal 3.8
THREAT: This critical security update resolves vulnerabilities existing in Microsoft Internet Explorer, including the following: Window location property cross-domain vulnerability, HTML element cross-domain vulnerability, event handling cross-domain vulnerability, uninitialized memory corruption and HTML objects memory corruption vulnerability.
IMPACT: These vulnerabilities could allow remote code execution if a user views a specially-crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
SOLUTION: Refer to Microsoft Security Bulletin MS08-058 for further details on this vulnerability, including a list of affected and non-affected software.

Microsoft has rated this issue as Critical.

Microsoft Host Integration Server RPC Service Remote Code Execution Vulnerability
SEVERITY: Urgent (5)
QUALYS ID: 90457
VENDOR REFERENCE: MS08-059
CVE REFERENCE: CVE-2008-3466
CVSS SCORES: Base 8.7/ Temporal 6.4
THREAT: A remote code execution vulnerability exists in Microsoft Host Integration Server versions 2000, 2004 and 2006.
IMPACT: The vulnerability could allow remote code execution if an attacker sends a specially-crafted Remote Procedure Call (RPC) request to an affected system. Customers who follow best practices and configure the SNA RPC service account to have fewer user rights on the system could be less impacted than customers who configure the SNA RPC service account to have administrative user rights.
SOLUTION: The security update addresses the vulnerability by validating RPC requests. Refer to Microsoft Security Bulletin MS08-059 for further details on this vulnerability, including a list of affected and non-affected software.

Microsoft has rated this issue as Critical.

Microsoft Active Directory Remote Code Execution Vulnerability
SEVERITY: Urgent (5)
QUALYS ID: 90461
VENDOR REFERENCE: MS08-060
CVE REFERENCE: CVE-2008-4023
CVSS SCORES: Base 9.3/ Temporal 6.9
THREAT: This security update resolves a privately reported vulnerability in implementations of Active Directory on Microsoft Windows 2000 Server. This vulnerability only affects Microsoft Windows 2000 servers configured to be domain controllers. If a Microsoft Windows 2000 server has not been promoted to a domain controller, it will not be listening to Lightweight Directory Access Protocol (LDAP) or LDAP over SSL (LDAPS) queries, and will not be exposed to this vulnerability.
IMPACT: The vulnerability could allow remote code execution if an attacker gains access to an affected network.
SOLUTION: This security update addresses the vulnerability by correctly allocating memory for client LDAP requests. Refer to Microsoft Security Bulletin MS08-060 for further details on this vulnerability, including a list of affected and non-affected software.

Microsoft has rated this issue as Critical.

Windows Kernel Elevation of Privileges Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 90463
VENDOR REFERENCE: MS08-061
CVE REFERENCE: CVE-2008-2250, CVE-2008-2251, CVE-2008-2252
CVSS SCORES: Base 6.8/ Temporal 5.3
THREAT: A security vulnerability exists in the Windows kernel. A local attacker who successfully exploits this vulnerability could take complete control of an affected system.
IMPACT: An attacker may exploit this vulnerability to install programs; view, change, or delete data; or create new accounts.
SOLUTION: Refer to Microsoft Security Bulletin MS08-061 to address this issue.

Microsoft has rated this issue as Important.

Windows Internet Printing Service Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 90460
VENDOR REFERENCE: MS08-062
CVE REFERENCE: CVE-2008-1446
CVSS SCORES: Base 9/ Temporal 7.1
THREAT: A vulnerability exists in the Windows Internet Printing Service that could allow remote code execution in the context of the current user. If a user is logged on with administrative user rights, an attacker who successfully exploits this vulnerability could take complete control of an affected system.
IMPACT: An attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
SOLUTION: Refer to Microsoft Security Bulletin MS08-062 for further details on this vulnerability, including a list of affected and non-affected software.

Microsoft has rated this issue as Important.

Microsoft SMB Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 90458
VENDOR REFERENCE: MS08-063
CVE REFERENCE: CVE-2008-4038
CVSS SCORES: Base 7.1/ Temporal 5.3
THREAT: A remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol handles specially-crafted file names.

An attempt to exploit the vulnerability would require authentication because the vulnerable function is only reachable when the share type is a disk, and by default, all disk shares require authentication.
IMPACT: An attacker who successfully exploits this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Microsoft released Microsoft Security Bulletin MS08-063 to address this issue. Please refer to the advisory for further details.

Microsoft has rated this issue as Important.

Microsoft Virtual Address Descriptor Manipulation Could Allow Elevation of Privileges
SEVERITY: Critical (4)
QUALYS ID: 90459
VENDOR REFERENCE: MS08-064
CVE REFERENCE: CVE-2008-4036
CVSS SCORES: Base 8.7/ Temporal 6.4
THREAT: This security update resolves a privately reported vulnerability in Virtual Address Descriptor.
IMPACT: The vulnerability may allow elevation of privileges if a user runs a specially-crafted application. An attacker could eventually install programs; view, change, or delete data; or create new accounts with full administrative rights.
SOLUTION: This security update addresses the vulnerability by modifying the way that Virtual Address Descriptor handles memory allocation variables. Refer to Microsoft Security Bulletin MS08-064 for further details on this vulnerability, including a list of affected and non-affected software.

Microsoft has rated this issue as Important.

Message Queuing Service Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 115989
VENDOR REFERENCE: MS08-065
CVE REFERENCE: CVE-2008-3479
CVSS SCORES: Base 7.5/ Temporal 5.5
THREAT: The Message Queuing Service (MSMQ) is a messaging infrastructure and development tool for creating distributed messaging applications. A remote code execution vulnerability exists in the Message Queuing Service when it incorrectly validates input strings before passing the strings to a buffer.
IMPACT: An attacker who successfully exploits this vulnerability could gain local system rights which could allow remote code execution.
SOLUTION: Refer to Microsoft Security Bulletin MS08-065 for further details on this vulnerability and patch instructions.

Microsoft has rated this issue as Important.

Microsoft Ancillary Function Driver Elevation of Privileges Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 90462
VENDOR REFERENCE: MS08-066
CVE REFERENCE: CVE-2008-3464
CVSS SCORES: Base 7.2/ Temporal 5.3
THREAT: This security update resolves a privately reported vulnerability in the Microsoft Ancillary Function Driver.
IMPACT: A local attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: This security update addresses the vulnerability by correctly validating input passed to the Windows Kernel from user mode through the AFD component. Refer to Microsoft Security Bulletin MS08-066 for further details on this vulnerability, including a list of affected and non-affected software.

Microsoft has rated this issue as Important.

These new vulnerability checks are included in Qualys vulnerability signatures v1.22.31-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 110089
    • 110088
    • 100063
    • 90457
    • 90461
    • 90463
    • 90460
    • 90458
    • 90459
    • 115989
    • 90462
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if QualysGuard is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.

