Microsoft Security Bulletin: March 10 2009 Security Bulletin

March 10, 2009 - Qualys^® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard^® to protect organizations against 3 vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Microsoft has released 3 security patches to fix newly discovered flaws in Microsoft Windows.

Qualys has released the following checks for these new vulnerabilities:

Windows Kernel Vulnerability Could Allow Remote Code Execution
SEVERITY: Urgent  5
QUALYS ID: 90484
VENDOR REFERENCE: MS09-006
CVE REFERENCE: CVE-2009-0081, CVE-2009-0082, CVE-2009-0083
CVSS SCORES: Base 10/ Temporal 7.8
THREAT: The Windows kernel is the core of the operating system that handles device management and memory management, allocates processor time to processes, and manages error handling. The following security vulnerabilities exist in the Windows kernel: The Windows kernel is prone to a remote code execution vulnerability that is caused due to improper input validation of data passed from user mode through the kernel component of GDI. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted EMF or WMF image file. (CVE-2009-0081) The Windows kernel is prone to a privilege elevation vulnerability that is caused because it does not correctly validate handles when performing certain actions. An attacker can exploit this issue to run arbitrary code in kernel mode. For successful exploitation, an attacker would first have to log on to the system. This issue cannot be exploited remotely or by anonymous users. (CVE-2009-0082) The Windows kernel is prone to a privilege elevation vulnerability that is caused due to improper handling of a specially crafted invalid pointer. An attacker can exploit this issue to run arbitrary code in kernel mode. For successful exploitation, an attacker would first have to log on to the system. This issue cannot be exploited remotely or by anonymous users.(CVE-2009-0083) Microsoft has rated these issues as Critical. A security update has been released by Microsoft to addresses the above vulnerabilities by validating input passed from user mode through the kernel component of GDI, correcting the way that the kernel validates handles, and changing the way that the Windows kernel handles specially crafted invalid pointers.
IMPACT: CVE-2009-0081: Successful exploitation could allow remote code execution if a user views a specially crafted EMF or WMF image file from an affected system. CVE-2009-0082, CVE-2009-0083: Successful exploitation allows arbitrary code execution in kernel mode. An attacker can gain elevated privileges and could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Workaround: CVE-2009-0081: Systems that have the update for Microsoft Security Bulletin MS07-017 applied, or systems running Windows Vista or Windows Server 2008 can disable metafile processing by modifying the registry. Impact of the workaround: Disabling metafile processing can cause the appearance of the output from software or system components to decrease in quality or cause software or system components to fail completely. Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?familyid=98bb7d40-89a0-470a-8eb7-06f15072a635 Windows XP Service Pack 2 and Windows XP Service Pack 3: http://www.microsoft.com/downloads/details.aspx?familyid=e09641ba-6cbe-4095-82b5-703d3a7dc33b Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=d0d704c6-48c2-4907-b6c3-2455d7cf21c8 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=f5cfb8da-e7cc-4183-8631-507c2a406500 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=ecf75c70-8489-41ad-9759-3a07e13957be Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=04be3d7e-7dda-4dca-887a-e7a8156ede1c Windows Vista and Windows Vista Service Pack 1: http://www.microsoft.com/downloads/details.aspx?familyid=4b1aaaba-f355-4265-83c0-50b901856ced Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1: http://www.microsoft.com/downloads/details.aspx?familyid=0fcac480-d6db-4a94-8c7d-b7319282cf56 Windows Server 2008 for 32-bit Systems: http://www.microsoft.com/downloads/details.aspx?familyid=38851df2-4fb5-4d28-9d15-181c260cf8cf Windows Server 2008 for x64-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=ec15acc4-3e0f-4414-9383-61c122ff1382 Windows Server 2008 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=eead6f93-10fd-4492-8137-481d9876a5fe Refer to Microsoft Security Bulletin MS09-006 for further details.

Windows Schannel Security Package Could Allow Spoofing Vulnerability
SEVERITY: Critical  4
QUALYS ID: 116281
VENDOR REFERENCE: MS09-007
CVE REFERENCE: CVE-2009-0085
CVSS SCORES: Base 9.3/ Temporal 6.9
THREAT: The Secure Channel (SChannel) security package is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols. A spoofing vulnerability exists in the Microsoft Windows SChannel authentication component when using certificate based authentication because it fails to perform sufficient validation of certain Transport Layer Security (TLS) handshake messages to verify that the client has access to the private key linked to the certificate used for authentication. This issue can be exploited by an attacker with access to the public component of the certificate used for authentication by an end user to bypass the SChannel validation via a crafted TLS packet. (CVE-2009-0085) This vulnerability affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Microsoft has rated this issue as Important.
IMPACT: Successful exploitation of this vulnerability allows a malicious user to conduct spoofing attacks by authenticating against a protected server using the public component of the authentication credential of another user.
SOLUTION: Workaround: Implement Active Directory certificate mapping which enables a user with a trusted public key to access domain resources without typing a user name and a password. A client certificate can be directly mapped to an Active Directory user account. Impact of the workaround: Implementing the workaround will not fix the vulnerability, but will help in blocking attack vectors until the update is applied. Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?familyid=bf7065bc-c183-4a78-8d46-72fe7385c07c Windows XP Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=942d87f6-3cb1-4d36-a70a-70d9c34488f3 Windows XP Service Pack 3: http://www.microsoft.com/downloads/details.aspx?familyid=942d87f6-3cb1-4d36-a70a-70d9c34488f3 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=6d02306e-9e2e-4ae8-bd21-8a2c1a229472 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=0b3f6fdd-276e-4267-99d8-8f00d91ad6a2 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=ce98ff55-f565-469d-bbd2-32b681faf908 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=5ca3c72c-cadb-4b0a-b3a3-fb81d0bfd7b3 Windows Vista and Windows Vista Service Pack 1: http://www.microsoft.com/downloads/details.aspx?familyid=21086a04-402a-4940-8358-7fa63508102b Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1: http://www.microsoft.com/downloads/details.aspx?familyid=c75a2ea9-b42f-457b-be09-5c8fa0339388 Windows Server 2008 for 32-bit Systems: http://www.microsoft.com/downloads/details.aspx?familyid=47b361ce-624b-466c-b5c5-8703f6532615 Windows Server 2008 for x64-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=5c81ac45-60e6-4121-ab6b-d3b3179aacc4 For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-007 for further details.

Vulnerabilities in DNS and WINS Server Could Allow Spoofing
SEVERITY: Critical  4
QUALYS ID: 90481
VENDOR REFERENCE: MS09-008
CVE REFERENCE: CVE-2009-0233, CVE-2009-0234, CVE-2009-0093, CVE-2009-0094
CVSS SCORES: Base 10/ Temporal 7.4
THREAT: Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource participating in the Internet. Windows Internet Name Service (WINS) is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. The following security vulnerabilities have been identified in Windows DNS and WINS servers: An error in the Windows DNS server causes it to not properly reuse cached responses. An attacker can exploit this issue by sending specific queries to a vulnerable DNS server and at the same time responding back in a manner that allows insertion of false or misleading DNS data resulting in redirection of network traffic. (CVE-2009-0233) An error in the Windows DNS server causes it to incorrectly cache specifically crafted DNS responses. An attacker can exploit this vulnerability by sending multiple specifically crafted queries to the DNS server so that the server makes unnecessary lookups allowing a greater predictability of subsequent transaction IDs used by the server. (CVE-2009-0234) The Windows DNS server does not properly validate who can register WPAD entries on the DNS server when dynamic update is used and ISATAP and WPAD are not registered in DNS. This issue can be exploited to launch man-in-the-middle attacks against any browsers configured to use WPAD to discover proxy server settings if an attacker registers "WPAD" in the DNS database and points it to an IP address controlled by the attacker. (CVE-2009-0093) The Windows WINS server does not properly validate who can register WPAD or ISATAP entries on the WINS server. This issue can be exploited to launch man-in-the-middle attacks against any browsers configured to use WPAD to discover proxy server settings if an attacker registers WPAD or ISATP in the WINS database and points it to an IP address controlled by the attacker. (CVE-2009-0094) Microsoft has rated these issues as Important.
IMPACT: CVE-2009-0233, CVE-2009-0234: Successfully exploitation of this vulnerability allows an attacker to conduct spoofing attacks, insert arbitrary addresses into the DNS cache causing DNS cache poisoning and redirection of Internet traffic. CVE-2009-0093, CVE-2009-0094: Successful exploitation of this vulnerability allows a remote authenticated attacker to spoof a Web proxy and redirect Internet traffic to an IP controlled by the attacker.
SOLUTION: Workaround: CVE-2009-0093, CVE-2009-0094: Create a WPAD.DAT proxy auto configuration file: Create a WPAD.DAT file that adheres to the Proxy auto-config specification. Place the WPAD.DAT file in the root directory of a Web server in the organization and ensure the file can be requested anonymously. Create a MIME type for the WPAD.DAT file on the Web server of "application/x-ns-proxy-autoconfig". Create the appropriate entries in the DHCP or DNS server to allow discovery of the WPAD server. For detailed steps, please refer to the advisory. Patch: Following are links for downloading patches to fix the vulnerabilities: DNS server on Microsoft Windows 2000 Server Service Pack 4: http://www.microsoft.com/downloads/details.aspx?familyid=110354f7-5ece-4c4d-b563-3adba6ac0116 WINS server on Microsoft Windows 2000 Server Service Pack 4: http://www.microsoft.com/downloads/details.aspx?familyid=4319abb3-1ea2-466a-a815-c0b3b86b4462 DNS server on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=6cc42c9e-c34e-4577-8b23-9e07e2369878 WINS server on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=049e5db5-7315-4188-99fd-4a54833e6bf2 DNS server on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=b1f81fd2-0099-4450-8543-0459561d22d0 WINS server on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=4a393c63-eff5-4c8c-9c3f-33ce45c32428 DNS server on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=d3ed7d9a-d652-4bd0-aecc-5a415bec6c59 WINS server on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=37e3a75e-0a5d-4df0-881f-cdb87efa4dcf DNS server on Windows Server 2008 for 32-bit Systems: http://www.microsoft.com/downloads/details.aspx?familyid=92e89882-d656-4b61-a05c-3afb44895f08 DNS server on Windows Server 2008 for x64-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=be068d06-5939-4ad8-8191-e85931ed610f Refer to Microsoft Security Bulletin MS09-008 for further details.

This new vulnerability check is included in Qualys vulnerability signatures v1.22.153-4. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

1. Ensure access to TCP ports 135 and 139 are available.
2. Enable Windows Authentication (specify Authentication Records).
3. Enable the following Qualys IDs:
   • 90484
   • 116281
   • 90481
4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.

For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102

QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/