December 9, 2008 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 9 new vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Microsoft has released 8 security patches to fix newly discovered flaws in Microsoft Windows. Microsoft has also released 1 advisory that currently does not have a patch.
Qualys has released the following checks for these new vulnerabilities:
| Microsoft Wordpad Text Converter Vulnerability |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90474 |
| VENDOR REFERENCE: |
| CVE REFERENCE: |
| CVSS SCORES: Base 7.6/ Temporal 6.5 |
| THREAT: A remote code execution vulnerability has been identified in Microsoft WordPad. The issue is exposed when the WordPad text converter for the Word 97 file format is used. WordPad Text Converters are a default component of Microsoft Windows operating systems. WordPad Text Converters allow users who do not have Microsoft Office Word installed to open documents in Microsoft Windows Write (.wri) and Microsoft Office Word 6.0, Microsoft Office Word 97, Microsoft Office Word 2000, and Microsoft Office Word 2002 (.doc) file formats. These text converters also allow users to save documents in the Word 6.0 file format. |
| IMPACT: An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights. |
| SOLUTION: Prevent WordPad from loading Word 97 files by applying an access control list to the specific converter file. You will no longer be able to open Word 97 files using WordPad. In addition, you will not be able to convert Word 97 documents to WordPad rich text format (.rtf) or Word 2003 (.doc) files. Microsoft Office Word 2003 will return an error that states that "the file appears to be corrupted". Refer to Microsoft KB 960906 for further details. To apply the workaround, run the following command: echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd8.wpc" /E /P everyone:N |
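
One way to audit hosts for the ACL workaround above, as an added example that is not part of the Qualys advisory. The function name `Test-ConverterBlocked` and its state values are hypothetical, and the check assumes the `cacls` edit is stored as a Deny ACE for the Everyone SID (S-1-1-0).

```powershell
# Added example (not from the advisory): audit the mswrd8.wpc workaround.
# Assumption: "cacls /E /P everyone:N" is stored as a Deny ACE for the
# Everyone SID (S-1-1-0) that covers at least ReadData.
function Test-ConverterBlocked {
    param(
        [string]$Path = (Join-Path $env:ProgramFiles 'Windows NT\Accessories\mswrd8.wpc')
    )

    $result = New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME; Path = $Path; State = 'NotBlocked'
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.State = 'ConverterMissing'   # nothing to block on this host
        return $result
    }

    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Get-Acl failed. A deny-all ACE for Everyone also blocks reading the
        # ACL unless the caller owns the file, so flag this for manual review.
        $result.State = 'AclUnreadable'
        return $result
    }

    # Resolve ACEs to SIDs so localized names for "Everyone" still match.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $read    = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $isEveryone = $ace.IdentityReference.Value -eq 'S-1-1-0'
        $isDeny     = $ace.AccessControlType -eq 'Deny'
        $coversRead = ([int]$ace.FileSystemRights -band $read) -ne 0
        if ($isEveryone -and $isDeny -and $coversRead) {
            $result.State = 'Blocked'
        }
    }
    return $result
}

Test-ConverterBlocked | Format-List Computer, Path, State
```

Run it from an elevated session; a host that reports `NotBlocked` still has the Word 97 converter reachable from WordPad.
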
| Microsoft Visual Basic Runtime Extended Files Remote Code Execution Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90473 |
| VENDOR REFERENCE: MS08-070 |
| CVE REFERENCE: CVE-2008-4252, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255, CVE-2008-4256, CVE-2008-3704 |
| CVSS SCORES: Base 5.1/ Temporal 3.8 |
| THREAT: A remote code execution vulnerability exists in DataGrid, FlexGrid, Hierarchical Flexgrid, Windows Common, Charts and Masked Edit ActiveX controls for Visual Basic 6. An attacker can exploit this vulnerability by constructing a specially crafted web page and making the user visit this page. |
| IMPACT: An attacker who successfully exploits this vulnerability could gain the same user rights as the logged-on user. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-070 for further details on this vulnerability, including a list of affected and non-affected software. Microsoft has rated this issue as Critical. |
| Microsoft Windows GDI+ Remote Code Execution Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90469 |
| VENDOR REFERENCE: MS08-071 |
| CVE REFERENCE: CVE-2008-3465, CVE-2008-2249 |
| CVSS SCORES: Base 10/ Temporal 7.8 |
| THREAT: This security update resolves two vulnerabilities in GDI by modifying the way GDI validates file size parameters and performs integer calculations to prevent overflow conditions. |
| IMPACT: Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-071 for more information on this issue. Microsoft has rated this vulnerability as Critical. |
| Microsoft Word Multiple Remote Code Execution Vulnerabilities |
|---|
| SEVERITY: Critical |
| QUALYS ID: 110092 |
| VENDOR REFERENCE: MS08-072 |
| CVE REFERENCE: CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4028, CVE-2008-4030, CVE-2008-4031, CVE-2008-4837 |
| CVSS SCORES: Base 9.3/ Temporal 6.9 |
| THREAT: Microsoft Word is prone to multiple remote code execution vulnerabilities. The security update addresses the following issues: |
| IMPACT: An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-072 for further details on this vulnerability, including a list of affected and non-affected software. Microsoft has rated this issue as Critical. |
| Microsoft Internet Explorer Cumulative Security Update |
|---|
| SEVERITY: Critical |
| QUALYS ID: 100064 |
| VENDOR REFERENCE: MS08-073 |
| CVE REFERENCE: CVE-2008-4258, CVE-2008-4259, CVE-2008-4260, CVE-2008-4261 |
| CVSS SCORES: Base 5.1/ Temporal 3.8 |
| THREAT: This critical security update resolves vulnerabilities existing in Microsoft Internet Explorer, including the following: parameter validation memory corruption vulnerability, HTML objects memory corruption vulnerability, uninitialized memory corruption, and HTML rendering memory corruption vulnerability. |
| IMPACT: An attacker who successfully exploits these vulnerabilities could gain the same user rights as the logged-on user. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-073 for further details, including a list of affected and non-affected software. Microsoft has rated this issue as Critical. |
| Microsoft Excel Multiple Remote Code Execution Vulnerabilities |
|---|
| SEVERITY: Critical |
| QUALYS ID: 110090 |
| VENDOR REFERENCE: MS08-074 |
| CVE REFERENCE: CVE-2008-4264, CVE-2008-4265, CVE-2008-4266 |
| CVSS SCORES: Base 9.3/ Temporal 6.9 |
| THREAT: Microsoft Excel is prone to multiple remote code execution vulnerabilities. The security update addresses the following issues: |
| IMPACT: An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-074 for further details on this vulnerability, including a list of affected and non-affected software. Microsoft has rated this issue as Critical. |
| Microsoft Windows Search Remote Code Execution Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90471 |
| VENDOR REFERENCE: MS08-075 |
| CVE REFERENCE: CVE-2008-4268, CVE-2008-4269 |
| CVSS SCORES: Base 10/ Temporal 7.4 |
| THREAT: Microsoft Windows Search allows instant search capabilities for data and files. Microsoft Windows Search is a standard component of Windows Vista and Windows Server 2008 that is enabled by default. Microsoft Search is prone to a remote code execution vulnerability if a user opens and saves a specially crafted saved search file within Windows Explorer or if a user clicks a specially crafted search URL. This occurs because Windows Explorer does not correctly free memory when saving Windows Search files and does not correctly interpret parameters when parsing the search-ms protocol. |
| IMPACT: An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-075 for further details on this vulnerability, including a list of affected and non-affected software. Microsoft has rated this issue as Critical. |
| Microsoft Windows Media Components Remote Code Execution Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90470 |
| VENDOR REFERENCE: MS08-076 |
| CVE REFERENCE: CVE-2008-3009, CVE-2008-3010 |
| CVSS SCORES: Base 10/ Temporal 7.4 |
| THREAT: This security update addresses two vulnerabilities in the following Windows Media components: Windows Media Player, Windows Media Format Runtime, and Windows Media Services. The security update addresses the first vulnerability by modifying the way that Windows Media authentication replies are validated. The security update addresses the second vulnerability by ensuring that Windows Media clients treat servers using ISATAP addresses as external. |
| IMPACT: The most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Refer to Microsoft Security Bulletin MS08-076 for further details on this vulnerability and patch instructions. Microsoft has rated the most severe of these issues as Important. |
| Microsoft Office SharePoint Server Privilege Elevation Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90472 |
| VENDOR REFERENCE: MS08-077 |
| CVE REFERENCE: CVE-2008-4032 |
| CVSS SCORES: Base 10/ Temporal 7.4 |
| THREAT: This security update resolves a privately reported vulnerability in Microsoft Office SharePoint Server. |
| IMPACT: The vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure. |
| SOLUTION: Microsoft released security bulletin MS08-077 to address this issue. Refer to the bulletin for further details. Microsoft has rated this vulnerability as Important. |
These new vulnerability checks are included in Qualys vulnerability signatures v1.22.76-4. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.
SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
  - 90474
  - 90473
  - 90469
  - 110092
  - 100064
  - 110090
  - 90471
  - 90470
  - 90472
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if QualysGuard is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.
