Microsoft Security Bulletin: February 10 2009 Security Bulletin

February 10, 2009 - Qualys^® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard^® to protect organizations against 4 new vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Microsoft has released 4 security patches to fix newly discovered flaws in Microsoft Windows.

Qualys has released the following checks for these new vulnerabilities:

Microsoft Internet Explorer Cumulative Security Update
SEVERITY: Critical  4
QUALYS ID: 100070
VENDOR REFERENCE: MS09-002
CVE REFERENCE: CVE-2009-0075,CVE-2009-0076
CVSS SCORES: Base 6.4/ Temporal 5
THREAT: Microsoft Internet Explorer is a Web browser for Microsoft Windows. The following vulnerabilities have been identified in Internet Explorer: A remote code execution vulnerability exists when Internet Explorer attempts to access an object that has been deleted. (CVE-2009-0075) When Internet Explorer displays a maliciously crafted Cascading Style Sheets (CSS), memory could be corrupted that would allow execution of arbitrary code. (CVE-2009-0076) Internet Explorer Versions 7 and 8 are vulnerable. Microsoft has rated this issue as Critical.
IMPACT: These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
SOLUTION: Workaround: CVE-2009-0075, CVE-2009-0076: Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. Impact of the Workaround: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround. Patch: Following are links for downloading patches to fix the vulnerabilities: Windows XP Service Pack 2 and Windows XP Service Pack 3 (Windows Internet Explorer 7): http://www.microsoft.com/downloads/details.aspx?familyid=8cd902ec-e018-4b61-80f9-825d973f998e Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Windows Internet Explorer 7): http://www.microsoft.com/downloads/details.aspx?familyid=dd3e2236-9cc0-478e-a46c-981ef685c0e3 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Windows Internet Explorer 7): http://www.microsoft.com/downloads/details.aspx?familyid=e52aa1fd-e694-4322-b3ff-6abc1b4a16fe Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Windows Internet Explorer 7): http://www.microsoft.com/downloads/details.aspx?familyid=edbf1566-b96b-4c7d-98fe-b15f8e766792 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Windows Internet Explorer 7): http://www.microsoft.com/downloads/details.aspx?familyid=5ce78797-d1c0-40d4-84e1-1004389833be Windows Vista and Windows Vista Service Pack 1 (Windows Internet Explorer 7): http://www.microsoft.com/downloads/details.aspx?familyid=5f9fa4b6-85a4-43bc-b84f-6bd847799650 Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (Windows Internet Explorer 7): http://www.microsoft.com/downloads/details.aspx?familyid=e9a8c94b-b9d2-4d64-855f-b5f02ce3dfb5 Windows Server 2008 for 32-bit Systems (Windows Internet Explorer 7): http://www.microsoft.com/downloads/details.aspx?familyid=2491dbf2-7cd3-44f1-bfad-77e6f760a25c Windows Server 2008 for x64-based Systems (Windows Internet Explorer 7): http://www.microsoft.com/downloads/details.aspx?familyid=794373cc-2dce-4ef5-af50-7804c622c230 Refer to Micrsoft Security Bulletin MS09-002 for further details.

Microsoft Outlook Web Access for Exchange Server Elevation of Privilege
SEVERITY: Critical  4
QUALYS ID: 90478
VENDOR REFERENCE: MS09-003
CVE REFERENCE: CVE-2009-0099, CVE-2009-0098
CVSS SCORES: Base 9.7/ Temporal 7.1
THREAT: Microsoft Exchange Server is a messaging and collaborative software product that provides support for electronic mail, calendaring, contacts and tasks, mobile and Web-based access to information, and data storage. The following vulnerabilities have been reported in Microsoft Exchange Server: A vulnerability exists in the way the Exchange Server decodes the Transport Neutral Encapsulation Format (TNEF) data for a message. This flaw allows a remote attacker to execute arbitrary code by sending a specially crafted TNEF message to the Exchange Server. (CVE-2009-0098) EMSMDB2 (Electronic Messaging System Microsoft Data Base, 32 bit build) is prone to a denial of service vulnerability because it fails to appropriately handle MAPI commands. An attacker can exploit this flaw by sending a specially crafted MAPI command to the application using EMSMDB32 and cause the application to stop responding. (CVE-2009-0099) Microsoft has rated this issue as Critical.
IMPACT: Successful exploitation of these vulnerabilities allows an attacker to execute arbitrary code in the context of the application. An attacker could also take complete control of the affected system and could cause the application or any service using the EMSMDB32 provider (such as Microsoft Exchange System Attendant service) to stop responding.
SOLUTION: Workaround: CVE-2009-0098: The "application/ms-tnef" MIME content type should be blocked to help protect against attempts to exploit this vulnerability through SMTP email. Impact of workaround: Email messages that are formatted as RTF will not be received correctly if TNEF attachments are blocked. Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Exchange 2000 Server Service Pack 3 with the Update Rollup of August 2004: http://www.microsoft.com/downloads/details.aspx?familyid=805dc856-ea60-477d-be40-6ac535a7e7e5 Microsoft Exchange Server 2003 Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=1d9f0956-88bd-4e13-a86b-b1c8d4782f71 Microsoft Exchange Server 2007 Service Pack 1: http://www.microsoft.com/downloads/details.aspx?familyid=93cb3f66-ae72-4356-bdbf-35029cff6df1 Refer to Microsoft Security Bulletin MS09-003 for further details.

Microsoft SQL Server Remote Memory Corruption Vulnerability
SEVERITY: Critical  4
QUALYS ID: 90475
VENDOR REFERENCE: MS09-004
CVE REFERENCE: CVE-2008-5416
CVSS SCORES: Base 6.1/ Temporal 5.2
THREAT: Microsoft SQL Server is prone to a remote memory corruption vulnerability because it fails to properly handle user-supplied input. The vulnerability is caused due to a boundary error in the implementation of the "sp_replwritetovarbin()" SQL procedure. It can be exploited to cause a heap-based buffer overflow via specially crafted arguments passed to the affected procedure. Microsoft SQL Server 2000 and 2005 are affected. Microsoft has rated this issue as Important.
IMPACT: Successful exploitation may allow execution of arbitrary code with escalated privileges.
SOLUTION: Workaround: Deny permissions on the "sp_replwritetovarbin" extended stored procedure. Patch: Following are links for downloading patches to fix the vulnerabilities: (GDR Software Update) SQL Server 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?familyid=d5bb816a-6e1a-47cb-92be-51c565ee184c (QFE Software Update) SQL Server 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?familyid=a93f3cfe-18c9-4218-a551-13bf415e418a (GDR Software Update) SQL Server 2000 Itanium-based Edition Service Pack 4: http://www.microsoft.com/downloads/details.aspx?familyid=d5bb816a-6e1a-47cb-92be-51c565ee184c (QFE Software Update) SQL Server 2000 Itanium-based Edition Service Pack 4: http://www.microsoft.com/downloads/details.aspx?familyid=a93f3cfe-18c9-4218-a551-13bf415e418a (GDR Software Update) SQL Server 2005 Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=5dfb7998-0316-40e5-9fc5-7a1afc18e15e (QFE Software Update) SQL Server 2005 Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=aa2b82ca-e94e-4491-8639-f0749b1a0f3a (GDR Software Update) SQL Server 2005 x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=5dfb7998-0316-40e5-9fc5-7a1afc18e15e (QFE Software Update) SQL Server 2005 x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=aa2b82ca-e94e-4491-8639-f0749b1a0f3a (GDR Software Update) SQL Server 2005 with SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=5dfb7998-0316-40e5-9fc5-7a1afc18e15e (QFE Software Update) SQL Server 2005 with SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=aa2b82ca-e94e-4491-8639-f0749b1a0f3a (GDR Software Update) Microsoft SQL Server 2000 Desktop Engine : http://www.microsoft.com/downloads/details.aspx?familyid=d5bb816a-6e1a-47cb-92be-51c565ee184c (QFE Software Update) Microsoft SQL Server 2000 Desktop Engine : http://www.microsoft.com/downloads/details.aspx?familyid=a93f3cfe-18c9-4218-a551-13bf415e418a Refer to Microsoft Security Bulletin MS09-004 for further details.

Microsoft Office Visio Could Allow Remote Code Execution
SEVERITY: Critical  4
QUALYS ID: 90479
VENDOR REFERENCE: MS09-005
CVE REFERENCE: CVE-2009-0095, CVE-2009-0096, CVE-2009-0097
CVSS SCORES: Base 9.3/ Temporal 6.9
THREAT: Microsoft Visio is diagramming software for Microsoft Windows. It uses vector graphics to create diverse diagrams. Microsoft Office Visio is prone to the following vulnerabilities that result in remote code execution: A vulnerability exists in the way Microsoft Office Visio validates object data while opening up Visio files which causes validation errors. (CVE-2009-0095) A memory corruption vulnerability exists when Microsoft Office Visio copies object data in memory. (CVE-2009-0096) A memory corruption vulnerability exists in the way Microsoft Office Visio handles memory when opening up Visio files. (CVE-2009-0097) All the above vulnerabilities can be exploited by attackers via a specially crafted file that is included as an email attachment, or hosted on a specially crafted Web site. Microsoft has rated this issue as Important.
IMPACT: Successful exploitation of these vulnerabilities allows an attacker to run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Workaround: CVE-2009-0095, CVE-2009-0096, CVE-2009-0097: Do not open Visio files that are received from untrusted sources or that are received unexpectedly from trusted sources. Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Office Visio 2002 Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=a30cef3f-9eaf-45bd-9a25-4b65302362cb Microsoft Office Visio 2003 Service Pack 3: http://www.microsoft.com/downloads/details.aspx?familyid=c9cb589e-1a37-485d-8402-7f42bcd7a1a9 Microsoft Office Visio 2007 Service Pack 1: http://www.microsoft.com/downloads/details.aspx?familyid=4b711e89-8de2-4f17-8afc-691e0604ff82 Refer to Microsoft Security Bulletin MS09-005 for further details.

This new vulnerability check is included in Qualys vulnerability signatures v1.22.129-4. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

1. Ensure access to TCP ports 135 and 139 are available.
2. Enable Windows Authentication (specify Authentication Records).
3. Enable the following Qualys IDs:
   • 100070
   • 90478
   • 90475
   • 90479
4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.

For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102

QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/