July 14, 2009 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 6 vulnerabilities present in Microsoft Windows that were announced today. In addition, one detection for the Oracle July 2009 Security Update and one detection for a zero-day in Mozilla Firefox were also released. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Microsoft has released 6 security patches to fix newly discovered flaws in Microsoft Windows.
Qualys has released the following checks for these new vulnerabilities:
| Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90503 |
| VENDOR REFERENCE: MS09-028 |
| CVE REFERENCE: CVE-2009-1537, CVE-2009-1538, CVE-2009-1539 |
| CVSS SCORES: Base 7.6/ Temporal 5.6 |
| THREAT: Microsoft DirectX consists of a set of low-level Application Programming Interfaces (APIs) used by Windows programs for multimedia support. The DirectShow technology performs client-side audio and video sourcing, manipulation and rendering. DirectX is prone to the following vulnerabilities: (1) a remote code execution vulnerability exists in the way that Microsoft DirectShow parses QuickTime media files (CVE-2009-1537); (2) a remote code execution vulnerability exists in the way that Microsoft DirectShow validates certain values when updating a pointer, which could allow code execution if a user opened a specially crafted QuickTime file (CVE-2009-1538); (3) a remote code execution vulnerability exists in the way that Microsoft DirectShow validates specific fields in QuickTime media files, which could allow code execution if a user opened a specially crafted QuickTime file (CVE-2009-1539). Affected Software: |
| IMPACT: Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code with the privileges of the user running the application that uses DirectX. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4 (DirectX 7.0); Microsoft Windows 2000 Service Pack 4 (DirectX 8.1); Microsoft Windows 2000 Service Pack 4 (DirectX 9.0); Windows XP Service Pack 2 and Windows XP Service Pack 3 (DirectX 9.0); Windows XP Professional x64 Edition Service Pack 2 (DirectX 9.0); Windows Server 2003 Service Pack 2 (DirectX 9.0); Windows Server 2003 x64 Edition Service Pack 2 (DirectX 9.0); Windows Server 2003 with SP2 for Itanium-based Systems (DirectX 9.0). Refer to Microsoft Security Bulletin MS09-028 for further details. Workarounds: Impact of workaround #1: QuickTime content playback will be disabled. 2) Modify the Access Control List (ACL) on quartz.dll using the following steps. For 32-bit Windows systems: Impact of workaround #2: Windows Media Player will not be able to play .AVI or .WAV files. 3) Unregister quartz.dll by running the following command from an elevated command prompt: Impact of workaround #3: Windows Media Player will not be able to play .AVI or .WAV files. 4) For non-multimedia folder types, the Windows shell attack vector can be mitigated by using Windows Classic Folders. Folder options can be changed as follows: click Start, click Control Panel, click Appearance and Themes, and then click Folder Options; or open any folder, such as My Documents, and on the Tools menu, click Folder Options. For detailed steps on enabling and disabling the workarounds, please refer to Microsoft Security Bulletin MS09-028. |
| Microsoft Embedded OpenType Font Engine Remote Code Execution Vulnerabilities |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90511 |
| VENDOR REFERENCE: MS09-029 |
| CVE REFERENCE: CVE-2009-0231, CVE-2009-0232 |
| CVSS SCORES: Base 10/ Temporal 7.4 |
| THREAT: Embedded OpenType Font Engine is a Microsoft Windows component. It is prone to the following vulnerabilities: (1) a remote code execution vulnerability exists in the way that Microsoft Windows Embedded OpenType (EOT) font technology parses data records in specially crafted embedded fonts (CVE-2009-0231); (2) a remote code execution vulnerability exists in the way that Microsoft Windows Embedded OpenType (EOT) font technology parses name tables in specially crafted embedded fonts (CVE-2009-0232). Microsoft has released an update that addresses the vulnerability by correcting the way that the Microsoft Windows EOT component parses files and content containing embedded fonts. |
| IMPACT: Successful exploitation allows execution of arbitrary code. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2. Refer to Microsoft Security Bulletin MS09-029 for further details. Workaround: Impact of workaround: Web sites making use of embedded font technology will fail to display properly. 2) Deny access to T2EMBED.DLL. Impact of workaround: Applications that rely on embedded font technology will fail to display properly. For detailed steps on enabling and disabling the workarounds, please refer to Microsoft Security Bulletin MS09-029. |
| Microsoft Office Publisher 2007 Could Allow Remote Code Execution |
|---|
| SEVERITY: Critical |
| QUALYS ID: 110095 |
| VENDOR REFERENCE: MS09-030 |
| CVE REFERENCE: CVE-2009-0566 |
| CVSS SCORES: Base 7.6/ Temporal 5.6 |
| THREAT: Microsoft Office Publisher is a desktop publishing application. The "PUBCONV.DLL" module in Publisher is responsible for converting legacy format Publisher files (.pub) created by older versions of Publisher into the Publisher 2007 format. A vulnerability exists in the PUBCONV.DLL module in Microsoft Publisher 2007. A programming error in the module causes it to dereference an arbitrary attacker-controlled value as the address of a table of function pointers. An attacker can exploit this issue by persuading an unsuspecting user into opening a malicious file. This vulnerability allows attackers to execute arbitrary code on the user's system. Microsoft Office Publisher 2007 is vulnerable. Previously this was an iDefense private detection. |
| IMPACT: A malicious user can execute arbitrary code on the affected system within the security context of the local user running Publisher. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: 2007 Microsoft Office System Service Pack 1 (Microsoft Office Publisher 2007 Service Pack 1). Refer to Microsoft Security Bulletin MS09-030 for further details. Workaround: For Windows XP, run the following command from a command prompt: For 64-bit editions of Windows XP, run the following command, using the appropriate Windows path for your system: For Windows Vista and Windows Server 2008, run the following commands: For 64-bit editions of Windows Vista and Windows Server 2008, run the following commands, using the appropriate Windows path for your system: Impact of the workaround: Users who have disabled the Publisher Converter DLL will not be able to open Microsoft Office Publisher files created in versions earlier than Publisher 2007. |
| Microsoft ISA Server 2006 Elevation of Privilege Vulnerability |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90512 |
| VENDOR REFERENCE: MS09-031 |
| CVE REFERENCE: CVE-2009-1135 |
| CVSS SCORES: Base 10/ Temporal 7.4 |
| THREAT: Microsoft Internet Security and Acceleration Server (ISA Server) is a firewalling and security product based on Microsoft Windows, primarily designed to securely publish Web servers and other server systems. An elevation of privilege vulnerability exists in ISA Server 2006 authentication when configured with Radius OTP. The vulnerability could allow an unauthenticated user access to any Web published resource. (CVE-2009-1135) Affected Software: |
| IMPACT: An attacker who successfully exploits this vulnerability may be able to impersonate user accounts. If an attacker is able to successfully impersonate a user account, they may have access to resources the impersonated user has. If an attacker is impersonating an administrative account, the attacker might be able to install programs; view, change, or delete data; or create new accounts with full user rights on systems behind the ISA Server 2006 security boundary. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Internet Security and Acceleration Server 2006; Microsoft Internet Security and Acceleration Server 2006 Supportability Update; Microsoft Internet Security and Acceleration Server 2006 Service Pack 1. Refer to Microsoft Security Bulletin MS09-031 for further details. Workaround: 1. For customers running the original release version of Microsoft Internet Security and Acceleration Server 2006, install the hotfix available from Microsoft Knowledge Base Article 938966. Customers running Microsoft Internet Security and Acceleration Server 2006 Supportability Update and Microsoft Internet Security and Acceleration Server 2006 Service Pack 1 do not need to apply the hotfix. 2. Run the Microsoft Visual Basic script available from the Post-hotfix installation information section of Microsoft Knowledge Base Article 938966 according to the instructions in the article. Impact of workaround: ISA Server will not allow basic authentication from clients served by that Web Listener. |
| Microsoft Video ActiveX Control Remote Code Execution Vulnerability |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90510 |
| VENDOR REFERENCE: MS09-032 |
| CVE REFERENCE: CVE-2008-0015, CVE-2008-0020 |
| CVSS SCORES: Base 9.3/ Temporal 8 |
| THREAT: The Microsoft Video Control object is a Microsoft ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. A buffer overflow vulnerability exists in DirectShow that is caused by a boundary error in the ActiveX control for streaming video (msvidctl.dll) and can be exploited to cause a stack-based buffer overflow via specially crafted image content. (CVE-2008-0015) Microsoft has released a security update that addresses the vulnerability by setting a kill bit so that the vulnerable control does not run in Internet Explorer. |
| IMPACT: Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code with the privileges of the user running the application that uses DirectX. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*. Refer to Microsoft Security Bulletin MS09-032 for further details. Workaround: Disable attempts to instantiate a COM object in Internet Explorer by setting the kill bit for the control in the registry. Setting the kill bit associated with the Class Identifiers (CLSIDs) related to the control will prevent it from being loaded within Internet Explorer. Refer to Microsoft article KB240797 for further information. Impact of workaround: There is no impact as long as the object is not intended to be used in Internet Explorer. |
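As an added example (not code from the Qualys advisory or from Microsoft) of verifying that the kill-bit workaround above is actually in effect on a host, the following PowerShell reads the "Compatibility Flags" value under the Internet Explorer ActiveX Compatibility key for each CLSID and reports whether the 0x400 kill bit is set. The CLSIDs in the list are placeholders, since the bulletin's CLSIDs are not reproduced on this page; substitute the ones from MS09-032 / KB240797.

```powershell
# Added example, not part of the advisory: audit kill-bit status for a list of CLSIDs.
# Placeholder CLSIDs; replace with the CLSIDs published in MS09-032 / KB240797.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000000}'   # placeholder CLSID, constructed
)

# Internet Explorer treats a control as killed when bit 0x400 of
# "Compatibility Flags" is set under this key. On 64-bit Windows the 32-bit
# browser reads the Wow6432Node copy, so both views are checked.
$BasePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Clsid, [string]$BasePath)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return $false }          # no entry: control is not killed
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }               # key exists but no flags value
    return (($flags -band 0x400) -ne 0)
}

foreach ($clsid in $Clsids) {
    foreach ($base in $BasePaths) {
        if (-not (Test-Path $base)) { continue }          # Wow6432Node is absent on 32-bit Windows
        $state = if (Test-KillBit -Clsid $clsid -BasePath $base) { 'KILL BIT SET' } else { 'NOT SET' }
        '{0,-40} {1,-13} {2}' -f $clsid, $state, $base
    }
}
```

Run from an elevated prompt on the host being audited; a "NOT SET" line for a CLSID under either view means the control can still be instantiated by that browser bitness.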
| Microsoft Virtual PC and Virtual Server Elevation of Privilege Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 116509 |
| VENDOR REFERENCE: MS09-033 |
| CVE REFERENCE: CVE-2009-1542 |
| CVSS SCORES: Base 9.3/ Temporal 7.3 |
| THREAT: Microsoft Virtual PC allows customers to create and run one or more virtual machines, each with its own operating system, on a single computer. Microsoft Virtual Server is a similar solution for server operating systems. An elevation of privilege vulnerability exists in Virtual PC and Virtual Server because they do not correctly validate whether specific machine instructions require a minimum CPU privilege level in order to run within the guest operating system environment. This may allow user-mode applications to execute instructions which should only be issued in kernel mode. (CVE-2009-1542) Microsoft has released an update that addresses the vulnerability by enforcing validation of privilege levels when executing machine instructions. |
| IMPACT: An attacker who successfully exploits this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Virtual PC 2004 Service Pack 1; Microsoft Virtual PC 2007 Service Pack 1; Microsoft Virtual PC 2007 x64 Edition; Microsoft Virtual PC 2007 x64 Edition Service Pack 1; Microsoft Virtual Server 2005 R2 Service Pack 1; Microsoft Virtual Server 2005 R2 x64 Edition Service Pack 1. Refer to Microsoft Security Bulletin MS09-033 for further details. |
| Oracle July 2009 Security Update Multiple Vulnerabilities |
|---|
| SEVERITY: Critical |
| QUALYS ID: 19484 |
| VENDOR REFERENCE: CPUJUL2009 |
| CVE REFERENCE: CVE-2009-1020, CVE-2009-1019, CVE-2009-1963, CVE-2009-1021, CVE-2009-1966 (Oracle Enterprise Manager), CVE-2009-1967 (Oracle Enterprise Manager), CVE-2009-0987, CVE-2009-1973, CVE-2009-1970, CVE-2009-1968, CVE-2009-1015, CVE-2009-1969 |
| CVSS SCORES: Base 6/ Temporal 5.1 |
| THREAT: Oracle released a Critical Patch Update advisory for April 2009 that addresses 16 security vulnerabilities. These are the Oracle database components affected: - Oracle Net - HTTP |
| IMPACT: A remote attacker could affect the confidentiality and integrity of data on the target system. |
| SOLUTION: Workaround: Until the Critical Patch Update (CPU) fixes are applied, network protocols required to launch the attacks should be restricted to reduce the possibility of successful attacks. For attacks requiring access to certain packages, restriction of privileges can help reduce the chances of an attack. Impact of workaround: The above approaches can break certain application functionality. These workarounds should not be used as long-term solutions. Oracle recommends that customers upgrade to the latest supported version of Oracle products in order to obtain the patches. Read Oracle Critical Patch Update Advisory - July 2009 for further information about the products affected and issues addressed. |
| Mozilla Firefox 3.5 "Tracemonkey" Component Remote Code Execution Vulnerability - Zero Day |
|---|
| SEVERITY: Critical |
| QUALYS ID: 116510 |
| VENDOR REFERENCE: |
| CVE REFERENCE: |
| CVSS SCORES: Base 6.8/ Temporal 6.1 |
| THREAT: Firefox is a Web browser application available for multiple platforms. The application is prone to a remote code execution vulnerability in the Tracemonkey component of Firefox's JavaScript engine. This issue arises during the processing of JavaScript and may present itself when certain string characters are escaped and subsequently copied to a buffer. Firefox version 3.5 is affected by this issue. |
| IMPACT: Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts may result in denial of service. |
| SOLUTION: There are no vendor-supplied patches available at this time. |
This new vulnerability check is included in Qualys vulnerability signatures v1.23.28-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.
SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
- 90503
- 90511
- 110095
- 90512
- 90510
- 116509
- 116510
- 19484
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.
