October 13, 2009 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 13 vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Microsoft has released 13 security patches to fix newly discovered flaws in Microsoft Windows.
Qualys has released the following checks for these new vulnerabilities:
| Microsoft Server Message Block (SMBv2) Remote Code Execution Vulnerability (MS09-050) |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90527 |
| VENDOR REFERENCE: MS09-050 |
| CVE REFERENCE: CVE-2009-2526, CVE-2009-2532, CVE-2009-3103 |
| CVSS SCORES: Base 10/ Temporal 8.1 |
| THREAT: The Microsoft Server Message Block (SMBv2) Protocol is a network file sharing protocol used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It is a client-server implementation and consists of a set of data packets, each containing a request sent by the client or a response sent by the server. A remote code execution and denial of service vulnerability has been identified in the Microsoft SMB implementation because it does not appropriately parse SMB negotiation requests. An attacker can exploit this issue by sending specially crafted SMB packets. Affected Software: |
| IMPACT: Successful exploitation of this vulnerability could allow an attacker to take complete control of an affected system. Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2. Refer to Microsoft Security Bulletin MS09-050 for further details. Workarounds: Microsoft has provided a capability of enabling and disabling the workarounds automatically. Refer to Microsoft Knowledge Base Article 975497 for further details. The workarounds can also be applied manually. Details are listed below: 1) Disable SMB v2. To modify the registry key, perform the following steps: Click Start, click Run, type Regedit in the Open box, and then click OK. Open the Computer Management MMC, navigate to Services and Applications, click Services, right-click the Server service and click Restart. Impact of the workaround: The host will not be able to communicate using SMB2. Instead, the host will communicate using SMB 1.0. This should not impact basic services such as file and printer sharing; these will continue to function as normal. 2) Block TCP ports 139 and 445 at the firewall to protect systems behind the firewall from attempts to exploit this vulnerability. Impact of the workaround: Blocking the ports can cause several Windows services or applications using those ports to stop functioning. Also, refer to Security Bulletin MS09-050 and Microsoft Security Advisory (975497) to obtain additional details on applying the workarounds. |
| Microsoft Windows Media Runtime Remote Code Execution Vulnerability (MS09-051) |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90546 |
| VENDOR REFERENCE: MS09-051 |
| CVE REFERENCE: CVE-2009-0555, CVE-2009-2525 |
| CVSS SCORES: Base 9.3/ Temporal 7.3 |
| THREAT: The Microsoft Windows Media Format Runtime provides information and tools for applications that use Windows Media content. A remote code execution vulnerability exists in Windows Media Player due to the improper processing of specially crafted Advanced Systems Format (ASF) files. (CVE-2009-0555) A remote code execution vulnerability exists in the Microsoft Windows Media Runtime because it does not properly initialize certain functions in compressed audio files. (CVE-2009-2525) Microsoft has released a security update that addresses these vulnerabilities by changing the manner in which the Windows Media Runtime processes ASF files and initializes functions in compressed audio files. This security update is rated Critical for DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager on supported editions of Microsoft Windows 2000; Windows XP; Windows Server 2003, except for Itanium-based editions; Windows Vista; and Windows Server 2008, except for Itanium-based editions. |
| IMPACT: An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4 (DirectShow WMA Voice Codec); Microsoft Windows 2000 Service Pack 4 (Windows Media Audio Voice Decoder); Microsoft Windows 2000 Service Pack 4 (Audio Compression Manager); Windows XP Service Pack 2 (DirectShow WMA Voice Codec); Windows XP Service Pack 2 (Windows Media Audio Voice Decoder); Windows XP Service Pack 2 (Audio Compression Manager); Windows XP Service Pack 3 (DirectShow WMA Voice Codec); Windows XP Service Pack 3 (Windows Media Audio Voice Decoder); Windows XP Service Pack 3 (Audio Compression Manager); Windows XP Professional x64 Edition Service Pack 2 (DirectShow WMA Voice Codec); Windows XP Professional x64 Edition Service Pack 2 (Windows Media Audio Voice Decoder); Windows XP Professional x64 Edition Service Pack 2 (Audio Compression Manager); Windows Server 2003 Service Pack 2 (DirectShow WMA Voice Codec); Windows Server 2003 Service Pack 2 (Windows Media Audio Voice Decoder). For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-051. Workarounds: Refer to Microsoft Security Bulletin MS09-051 to obtain additional details on the workarounds. |
| Microsoft Windows Media Player Remote Code Execution Vulnerability (MS09-052) |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90544 |
| VENDOR REFERENCE: MS09-052 |
| CVE REFERENCE: CVE-2009-2527 |
| CVSS SCORES: Base 10/ Temporal 7.4 |
| THREAT: Microsoft Windows Media Player is a multimedia application available for the Windows operating system. The application is prone to a remote code execution vulnerability if a specially crafted ASF file is played using Windows Media Player 6.4. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2009-2527) Microsoft Windows Media Player 6.4, when installed on any supported edition of Microsoft Windows 2000, Windows XP, or Windows Server 2003, is affected by this issue. Microsoft has released a security update that addresses the vulnerability by correcting the manner in which Windows Media Player 6.4 handles specially crafted ASF files. |
| IMPACT: Successful exploitation of this vulnerability may allow an attacker to take complete control of an affected system. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4 (Microsoft Windows Media Player 6.4); Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft Windows Media Player 6.4); Windows XP Professional x64 Edition Service Pack 2 (Microsoft Windows Media Player 6.4); Windows Server 2003 Service Pack 2 (Microsoft Windows Media Player 6.4); Windows Server 2003 x64 Edition Service Pack 2 (Microsoft Windows Media Player 6.4). Refer to Microsoft Security Bulletin MS09-052 for further details. Workarounds: Impact of workaround #1: Windows Media Player 6.4 will not be able to play media files. 2) For Windows 2000, upgrade to the latest version of Windows Media Player 9. 3) For non-multimedia folder types, the Windows shell attack vector can be mitigated by using Windows Classic Folders. Additional details on the workarounds can be obtained at Microsoft Security Bulletin MS09-052. |
| Microsoft FTP Service for Internet Information Services Remote Code Execution Vulnerability (MS09-053 and KB975191) |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 27302 |
| VENDOR REFERENCE: KB975191 |
| CVE REFERENCE: CVE-2009-3023, CVE-2009-2521 |
| CVSS SCORES: Base 10/ Temporal 8.5 |
| THREAT: Internet Information Services (IIS) is a set of Internet-based services for servers created by Microsoft for use with Microsoft Windows. The application is prone to the following vulnerabilities: A denial of service vulnerability exists in the FTP Service in Microsoft Internet Information Services 5.0, Microsoft Internet Information Services 5.1, and Microsoft Internet Information Services 6.0. The vulnerability could allow remote code execution on systems running FTP Service on IIS 5.0, or denial of service on systems running FTP Service on IIS 5.1 or IIS 6.0. (CVE-2009-3023) A denial of service is caused by the way that the Microsoft FTP service in IIS handles list commands. (CVE-2009-2521) Note: There is malicious code circulating that actively exploits this issue. Affected Software and Components: |
| IMPACT: If this vulnerability is successfully exploited, it will allow an unauthenticated attacker to execute arbitrary code with system-level privileges. Attacks against Microsoft Internet Information Server 6.0 targets may result in a denial of service. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2. Refer to Microsoft Security Bulletin MS09-053 for further details. Workarounds: Browse to the root directory of your FTP site; by default this is %systemroot%\inetpub\ftproot. Impact of workaround #1: FTP users will not be able to create directories through the FTP service. FTP users will still be able to upload files to existing directories through the FTP service. 2) Do not allow FTP write access to untrusted anonymous users. To modify IIS permissions to prevent FTP write access, perform the following steps: Launch IIS Manager. Impact of workaround #2: Users will not be able to transfer files using FTP, but can do so using WebDAV. 3) Disable the FTP service. Impact of workaround #3: Users will no longer be able to use the FTP service. Refer to the advisory to obtain detailed instructions on the workarounds. |
| Microsoft Internet Explorer Cumulative Security Update (MS09-054) |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90545 |
| VENDOR REFERENCE: MS09-054 |
| CVE REFERENCE: CVE-2009-1547, CVE-2009-2529, CVE-2009-2530, CVE-2009-2531 |
| CVSS SCORES: Base 9.3/ Temporal 7.7 |
| THREAT: Microsoft Internet Explorer (IE) is a Web browser for Microsoft Windows. The following vulnerabilities exist in IE: When Internet Explorer processes a specially crafted data stream header, Internet Explorer may corrupt system memory in such a way that an attacker could execute arbitrary code. (CVE-2009-1547) Internet Explorer validates arguments incorrectly under specific circumstances. As a result, a specially crafted Web page could be displayed in such a way that an attacker could execute arbitrary code in the context of the logged-on user. (CVE-2009-2529) A remote code execution vulnerability exists when Internet Explorer attempts to access an object that has not been initialized or has been deleted. (CVE-2009-2530, CVE-2009-2531) Microsoft has released a security update that addresses these vulnerabilities by modifying the way that Internet Explorer processes data stream headers, validates arguments, and handles objects in memory. The security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. |
| IMPACT: Successful exploitation allows arbitrary execution of code. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 5.01 Service Pack 4); Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 6 Service Pack 1); Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft Internet Explorer 6); Windows XP Professional x64 Edition Service Pack 2 (Microsoft Internet Explorer 6); Windows Server 2003 Service Pack 2 (Microsoft Internet Explorer 6); Windows Server 2003 x64 Edition Service Pack 2 (Microsoft Internet Explorer 6); Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft Internet Explorer 6); Windows XP Service Pack 2 and Windows XP Service Pack 3 (Windows Internet Explorer 7); Windows XP Professional x64 Edition Service Pack 2 (Windows Internet Explorer 7); Windows Server 2003 Service Pack 2 (Windows Internet Explorer 7); Windows Server 2003 x64 Edition Service Pack 2 (Windows Internet Explorer 7); Windows Server 2003 with SP2 for Itanium-based Systems (Windows Internet Explorer 7). For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-054. Workarounds: Impact of the workaround: |
| Microsoft Cumulative Security Update for ActiveX Kill Bits (MS09-055) |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90549 |
| VENDOR REFERENCE: MS09-055 |
| CVE REFERENCE: CVE-2009-2493 |
| CVSS SCORES: Base 7.5/ Temporal 5.5 |
| THREAT: A remote code execution vulnerability exists in a few of the Microsoft ActiveX controls, which were compiled using the vulnerable Microsoft Active Template Library described in Microsoft Security Bulletin MS09-035. The vulnerability is due to issues in the ATL headers that handle instantiation of an object from data streams. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects in Internet Explorer that can bypass certain related security policies. When the Microsoft ActiveX control is instantiated in Internet Explorer, the control may corrupt the system state in such a way that an attacker could run arbitrary code. (CVE-2009-2493) Microsoft has released a security update to address this vulnerability by setting a kill bit so that the vulnerable controls do not run in Internet Explorer. |
| IMPACT: Successful exploitation of this vulnerability allows remote code execution. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2; Windows 7 for x64-based Systems; Windows Server 2008 R2 for x64-based Systems; Windows Server 2008 R2 for Itanium-based Systems. Refer to Microsoft Security Bulletin MS09-055 for further details. Workaround: Impact of the workaround: |
| Microsoft Windows CryptoAPI Could Allow Spoofing (MS09-056) |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90552 |
| VENDOR REFERENCE: MS09-056 |
| CVE REFERENCE: CVE-2009-2510, CVE-2009-2511 |
| CVSS SCORES: Base 6.4/ Temporal 4.7 |
| THREAT: The Windows CryptoAPI is an application programming interface that allows developers to secure applications using cryptography. The Windows CryptoAPI is vulnerable to a spoofing issue due to incorrectly parsing a null terminator at the end of any values identified by an Object Identifier. (CVE-2009-2510, CVE-2009-2511) Microsoft has released a security update that addresses the vulnerabilities by modifying the CryptoAPI to reject certificate names that contain null terminators, and to correctly validate ASN.1 object identifiers. Microsoft rated this issue as Important for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7. |
| IMPACT: An attacker who successfully exploits this vulnerability could spoof a digital certificate of a Web Site or any application that uses the CryptoAPI. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2; Windows 7 for x64-based Systems; Windows Server 2008 R2 for x64-based Systems; Windows Server 2008 R2 for Itanium-based Systems. Refer to Microsoft Security Bulletin MS09-056 for further details. |
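
The two fixes the MS09-056 entry describes, rejecting certificate names that contain a null terminator and validating ASN.1 object identifiers strictly, can be illustrated with the following added Python example. It is editorial code, not Qualys's check and not Microsoft's CryptoAPI; the Common Name strings and the DER octets it checks are constructed for the demonstration, and the strictness rules it applies (refusing truncated or non-minimal sub-identifiers) are its own reading of "correctly validate", not a description of the patched code.

```python
# Added example (not from Qualys or Microsoft): defensive checks modelled on
# the two MS09-056 fixes. All sample inputs below are constructed for the demo.


def c_string_view(name: str) -> str:
    """What a NUL-terminated C string consumer sees: everything before the first NUL."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]


def certificate_name_matches(subject_cn: str, expected_host: str) -> bool:
    """Accept a certificate Common Name only if it is NUL-free and equals the host.

    The comparison covers the full length of the name, so a value such as
    'host.example.com\\x00.other' is rejected even though a C-string view of it
    would read 'host.example.com' and appear to match.
    """
    if "\x00" in subject_cn:
        return False
    return subject_cn.lower() == expected_host.lower()


def decode_der_oid(content: bytes) -> str:
    """Strictly decode the content octets of a DER OBJECT IDENTIFIER to dotted form.

    Raises ValueError for an empty value, for a final sub-identifier that never
    ends (no octet with the high bit clear), and for a non-minimal encoding that
    starts a sub-identifier with a 0x80 octet, instead of silently accepting it.
    """
    if not content:
        raise ValueError("empty OID content")
    arcs = []
    value = 0
    in_arc = False
    for offset, octet in enumerate(content):
        if not in_arc and octet == 0x80:
            raise ValueError(f"non-minimal sub-identifier at offset {offset}")
        in_arc = True
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:          # high bit clear: this sub-identifier is complete
            arcs.append(value)
            value = 0
            in_arc = False
    if in_arc:
        raise ValueError("truncated OID: last sub-identifier never terminates")
    # The first sub-identifier packs the first two arcs as X*40 + Y, X in {0, 1, 2}.
    first = arcs[0]
    if first < 80:
        arcs[0:1] = [first // 40, first % 40]
    else:
        arcs[0:1] = [2, first - 80]
    return ".".join(str(a) for a in arcs)


def oid_is_valid(content: bytes) -> bool:
    """True if the DER OID content decodes under the strict rules above."""
    try:
        decode_der_oid(content)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: a plain CN, a CN with an embedded NUL, and the DER
    # content octets of id-at-commonName (2.5.4.3) plus a truncated variant.
    plain_cn = "www.example.com"
    nul_cn = "www.example.com\x00.elsewhere.example"
    print(c_string_view(nul_cn))                                    # www.example.com
    print(certificate_name_matches(plain_cn, "www.example.com"))    # True
    print(certificate_name_matches(nul_cn, "www.example.com"))      # False
    print(decode_der_oid(bytes([0x55, 0x04, 0x03])))                # 2.5.4.3
    print(oid_is_valid(bytes([0x55, 0x04, 0x86])))                  # False
```

The point of `c_string_view` beside `certificate_name_matches` is the contrast: a consumer that stops at the first NUL sees a name that matches, while a length-aware check sees the whole value and refuses it. The OID decoder fails closed on malformed input rather than returning a best-effort identifier that a later policy lookup might treat as a known one.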
| Microsoft Windows Indexing Service Remote Code Execution Vulnerability (MS09-057) |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90554 |
| VENDOR REFERENCE: MS09-057 |
| CVE REFERENCE: CVE-2009-2507 |
| CVSS SCORES: Base 7.5/ Temporal 5.5 |
| THREAT: The Indexing Service catalogs data to facilitate efficient and rapid searching. It is vulnerable to remote code execution because the ActiveX component included with the Indexing Service fails to properly handle Web content. (CVE-2009-2507) Microsoft has released a security update that addresses the vulnerability by modifying the way that the Indexing Service ActiveX control processes URLs. Microsoft rated this issue as Important for Windows 2000, Windows XP, and Windows Server 2003. |
| IMPACT: An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems. Refer to Microsoft Security Bulletin MS09-057 for further details. Workarounds: Impact of workaround #1: The Windows Indexing Service will not be able to construct an indexed catalog to facilitate efficient and rapid searching. Searches may take longer to complete. 2) Prevent the Indexing Service ActiveX control COM object from running in Internet Explorer. Refer to Microsoft article KB240797 for information on setting the kill bit. Impact of workaround #2: Internet Explorer will no longer be able to invoke the Indexing Service ActiveX control. 3) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting. 4) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. Impact of workarounds #3 and #4: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround. |
| Microsoft Windows Kernel Privilege Escalation Vulnerability (MS09-058) |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90550 |
| VENDOR REFERENCE: MS09-062 |
| CVE REFERENCE: CVE-2009-2515, CVE-2009-2516, CVE-2009-2517 |
| CVSS SCORES: Base 9.3/ Temporal 6.9 |
| THREAT: The Windows kernel is the core of the operating system that handles device management and memory management, allocates processor time to processes, and manages error handling. The following security vulnerabilities exist in the Windows kernel: The Windows kernel does not correctly truncate a 64-bit value to a 32-bit value. This results in an integer underflow when the value is later subtracted from another value. (CVE-2009-2515) An elevation of privilege vulnerability exists in the Windows kernel because it does not properly validate certain data passed from user mode. (CVE-2009-2516) A denial of service vulnerability exists in the Windows kernel because of the way the kernel handles certain exceptions. An attacker could exploit the vulnerability by running a specially crafted application, causing the system to restart. (CVE-2009-2517) Microsoft has released a security update that addresses these vulnerabilities by ensuring that the Windows kernel truncates 64-bit values properly, ensuring that the Windows kernel properly validates data within an executable, and ensuring that the Windows kernel cleans up exceptions under error conditions. |
| IMPACT: Successful exploitation of these vulnerabilities can allow an attacker to conduct privilege escalation attacks. Exploitation can also result in denial of service conditions. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista and Windows Vista Service Pack 1; Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1; Windows Vista x64 Edition Service Pack 2; Windows Server 2008 for 32-bit Systems; Windows Server 2008 for 32-bit Systems Service Pack 2; Windows Server 2008 for x64-based Systems; Windows Server 2008 for x64-based Systems Service Pack 2; Windows Server 2008 for Itanium-based Systems; Windows Server 2008 for Itanium-based Systems Service Pack 2. Refer to Microsoft Security Bulletin MS09-058 for further details. |
| Microsoft Windows Local Security Authority Subsystem Service Could Allow Denial of Service (MS09-059) |
|---|
| SEVERITY: Serious |
| QUALYS ID: 90553 |
| VENDOR REFERENCE: MS09-059 |
| CVE REFERENCE: CVE-2009-2524 |
| CVSS SCORES: Base 7.8/ Temporal 5.8 |
| THREAT: The Local Security Authority Subsystem Service (LSASS) manages local security, domain authentication and Active Directory service processes. The Windows NTLM implementation in LSASS is vulnerable to a denial of service issue when processing malformed packets during the authentication process. (CVE-2009-2524) Microsoft released a security update that addresses the vulnerability by implementing additional validation of specific value sets used in the authentication process. Microsoft rated this issue as Important for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7. |
| IMPACT: Successful exploitation results in denial of service which causes the affected system to reboot. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2; Windows 7 for x64-based Systems; Windows Server 2008 R2 for x64-based Systems; Windows Server 2008 R2 for Itanium-based Systems. Refer to Microsoft Security Bulletin MS09-059 for further details. Workarounds: Impact of workaround #1: Windows XP and Windows Server 2003 computers will not benefit from Extended Protection for Authentication while this KB is disabled. 2) Enable advanced TCP/IP filtering on systems that support this feature. 3) Use a personal firewall, such as the Internet Connection Firewall. Refer to Microsoft Security Bulletin MS09-059 to obtain additional details on the workarounds. |
| Microsoft Active Template Library (ATL) for Microsoft Office Remote Code Execution Vulnerability (MS09-060) |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90543 |
| VENDOR REFERENCE: MS09-060 |
| CVE REFERENCE: CVE-2009-0901, CVE-2009-2493, CVE-2009-2495 |
| CVSS SCORES: Base 9.3/ Temporal 7.7 |
| THREAT: Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office are prone to the following vulnerabilities: A remote code execution vulnerability exists in the Microsoft Active Template Library (ATL) due to an issue in the ATL headers that could allow an attacker to force VariantClear to be called on a VARIANT that has not been correctly initialized. (CVE-2009-0901) A vulnerability exists due to issues in the ATL headers that handle instantiation of an object from data streams. For components and controls built using ATL, unsafe usage of OleLoadFromStream could allow the instantiation of arbitrary objects which can bypass certain related security policies. (CVE-2009-2493) An information disclosure vulnerability exists in the Microsoft Active Template Library (ATL) that could allow a string to be read without a terminating NULL character. An attacker could manipulate this string to read extra data beyond the end of the string and thus disclose information in memory. (CVE-2009-2495) Microsoft has released a security update that addresses these vulnerabilities by correcting the manner in which ATL handles the instantiation of objects from data streams, providing updated versions of the affected components and controls built using corrected ATL headers. It is rated Critical for all supported editions of Microsoft Outlook 2002, Microsoft Office Outlook 2003, Microsoft Office Outlook 2007, Microsoft Visio 2002 Viewer, Microsoft Office Visio 2003 Viewer, and Microsoft Office Visio Viewer 2007. |
| IMPACT: The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Office XP Service Pack 3 (Microsoft Outlook 2002 Service Pack 3); Microsoft Office 2003 Service Pack 3 (Microsoft Office Outlook 2003 Service Pack 3). Refer to Microsoft Security Bulletin MS09-060 for further details. Workarounds: |
| Microsoft .NET Common Language Runtime Multiple Vulnerabilities (MS09-061) |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90547 |
| VENDOR REFERENCE: MS09-053 |
| CVE REFERENCE: CVE-2009-0090, CVE-2009-0091, CVE-2009-2497 |
| CVSS SCORES: Base 9/ Temporal 6.7 |
| THREAT: Three vulnerabilities exist in the Microsoft .NET Framework (versions 1.1 and 2) that allow maliciously crafted .NET applications, XAML Browser Applications, or Silverlight applications to evade managed code checks and execute arbitrary code with the permissions of the logged-in user. Microsoft has released a security update that addresses these vulnerabilities by modifying the way in which Microsoft .NET verifies and enforces the rules of Microsoft .NET verifiable code and by modifying the way in which the Microsoft .NET Common Language Runtime handles interfaces. |
| IMPACT: Successful exploitation of this vulnerability allows an attacker to execute arbitrary code. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 1.1 Service Pack 1); Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 2.0 Service Pack 1); Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 2.0 Service Pack 2); Windows XP Professional x64 Edition Service Pack 2 (Microsoft .NET Framework 1.1 Service Pack 1); Windows Server 2003 Service Pack 2 (Microsoft .NET Framework 1.1 Service Pack 1). For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-061. Workarounds: Impact of workaround #1: Some Microsoft .NET applications will not run. 2) Disable XAML browser applications in Internet Explorer. Impact of workaround #2: Microsoft .NET code will not run in Internet Explorer or will not run without a prompt. Disabling Microsoft .NET applications and components in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. Additional workaround details are available at Microsoft Security Bulletin MS09-061. |
| Microsoft Windows GDI+ Could Allow Remote Code Execution (MS09-062) |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90551 |
| VENDOR REFERENCE: MS09-062 |
| CVE REFERENCE: CVE-2009-2500, CVE-2009-2501, CVE-2009-2502, CVE-2009-2503, CVE-2009-2504, CVE-2009-3126, CVE-2009-2528, CVE-2009-2518 |
| CVSS SCORES: Base 9.3/ Temporal 6.9 |
| THREAT: GDI+ is a graphics device interface that provides two-dimensional vector graphics, imaging, and typography to applications and programmers. Microsoft has released updates to address the following issues: A remote code execution vulnerability exists in the way that GDI+ allocates buffer size when handling WMF image files. The vulnerability could allow remote code execution if a user opens a specially crafted WMF image file or browses to a Web site that contains specially crafted content. (CVE-2009-2500) A remote code execution vulnerability exists in the way that GDI+ allocates memory. The vulnerability could allow remote code execution if a user opens a specially crafted PNG image file. (CVE-2009-2501) A remote code execution vulnerability exists in the way that GDI+ allocates memory. The vulnerability could allow remote code execution if a user opens a specially crafted TIFF file. (CVE-2009-2502, CVE-2009-2503) A remote code execution vulnerability exists in GDI+ that can allow a malicious Microsoft .NET application to gain unmanaged code execution privileges; this vulnerability is caused by an integer overflow in certain GDI+ APIs that are accessible from .NET Framework applications. (CVE-2009-2504) A remote code execution vulnerability exists in the way that GDI+ allocates memory. The vulnerability could allow remote code execution if a user opens a specially crafted PNG image file. (CVE-2009-3126) A remote code execution vulnerability exists in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file that includes a malformed object. (CVE-2009-2528) A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted Office documents containing BMP images. The vulnerability could allow remote code execution if an Outlook user opens a specially crafted e-mail or opens an Office document with a malformed Bitmap file. (CVE-2009-2518) |
| IMPACT: An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista and Windows Vista Service Pack 1; Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1; Windows Server 2008 for 32-bit Systems; Windows Server 2008 for x64-based Systems; Windows Server 2008 for Itanium-based Systems; Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 6 Service Pack 1); Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 1.1 Service Pack 1); Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 2.0 Service Pack 1); Microsoft Windows 2000 Service Pack 4 (Microsoft .NET Framework 2.0 Service Pack 2); Microsoft Office XP Service Pack 3; Microsoft Office 2003 Service Pack 3; 2007 Microsoft Office System Service Pack 1; 2007 Microsoft Office System Service Pack 2; Microsoft Office Project 2002 Service Pack 1; Microsoft Office Visio 2002 Service Pack 2. For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-062. A list of workarounds with details on enabling and disabling them is also available in the Bulletin. |
These new vulnerability checks are included in Qualys vulnerability signatures v1.24.23-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.
SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
- 90527
- 90546
- 90544
- 27302
- 90545
- 90549
- 90552
- 90554
- 90550
- 90553
- 90543
- 90547
- 90551
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
Access for QualysGuard customers: https://qualysguard.qualys.com
Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/
