November 10, 2009 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 6 vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Microsoft has released 6 security patches to fix newly discovered flaws in Microsoft Windows.
Qualys has released the following checks for these new vulnerabilities:
| Microsoft Web Services on Devices API Remote Code Execution Vulnerabilities |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90565 |
| VENDOR REFERENCE: MS09-063 |
| CVE REFERENCE: CVE-2009-2512 |
| CVSS SCORES: Base 10/ Temporal 7.4 |
| THREAT: Microsoft Web Services on Devices allows a Windows client to discover and access remote devices. A remote code execution vulnerability exists in the Web Services on Devices API (WSDAPI) on Windows systems. The vulnerability exists because WSDAPI, on both clients and servers, does not correctly validate specific headers of a received WSD message. (CVE-2009-2512) Microsoft has released a security update that addresses this vulnerability by correcting the processing of headers in WSD messages. This security update is rated Critical for all supported editions of Windows Vista and Windows Server 2008. |
| IMPACT: Successful exploitation of this vulnerability allows an attacker to take complete control of an affected system remotely. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Patch: Patches are available for Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; and for Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2. Refer to Microsoft Security Bulletin MS09-063 for download links and further details. |
| Microsoft Windows License Logging Server Remote Code Execution Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90567 |
| VENDOR REFERENCE: MS09-064 |
| CVE REFERENCE: CVE-2009-2523 |
| CVSS SCORES: Base 7.1/ Temporal 5.3 |
| THREAT: Microsoft's License Logging service is a tool that helps customers manage licenses for the Microsoft server products within the Server Client Access License model. The service is vulnerable to remote code execution because it fails to validate the length of a string passed through an RPC call. (CVE-2009-2523) Microsoft Windows 2000 is vulnerable. Microsoft has released a security update that addresses the vulnerability by changing the way the License Logging service validates a specific field inside the RPC packet. |
| IMPACT: An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Patch: A patch is available for Microsoft Windows 2000 Server Service Pack 4. Refer to Microsoft Security Bulletin MS09-064 for download links and further details. Workarounds: 1) Disable the License Logging service. 2) Block TCP ports 139 and 445 at the firewall to protect systems behind the firewall from attempts to exploit this vulnerability. |
| Microsoft Windows Kernel-Mode Drivers Remote Code Execution Vulnerability |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 90566 |
| VENDOR REFERENCE: MS09-065 |
| CVE REFERENCE: CVE-2009-1127, CVE-2009-2513, CVE-2009-2514 |
| CVSS SCORES: Base 10/ Temporal 7.4 |
| THREAT: The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling. The Windows kernel is prone to the following vulnerabilities: (1) an elevation of privilege vulnerability caused by the Windows kernel not properly validating an argument passed to a Windows kernel system call (CVE-2009-1127); (2) an elevation of privilege vulnerability in Windows kernel-mode drivers due to improper validation of input passed from user mode through the kernel component of GDI (CVE-2009-2513); (3) a remote code execution vulnerability in the Windows kernel-mode drivers due to improper parsing of font code when building a table of directory entries (CVE-2009-2514). Microsoft has released a security update that addresses these vulnerabilities by correcting the method used for validating the argument passed to the system call, validating input passed from user mode through the kernel component of GDI, and correcting the manner in which Windows kernel-mode drivers parse font code. |
| IMPACT: An attacker who successfully exploited these vulnerabilities could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Patch: Patches are available for Microsoft Windows 2000 Service Pack 4; Windows XP Service Pack 2 and Windows XP Service Pack 3; Windows XP Professional x64 Edition Service Pack 2; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2; and Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2. Refer to Microsoft Security Bulletin MS09-065 for download links and further details. Workarounds (for CVE-2009-2514): 2) Deny access to T2EMBED.DLL. To obtain additional details on enabling and disabling the workarounds, refer to Microsoft Security Bulletin MS09-065. |
| Microsoft Active Directory Denial of Service Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90568 |
| VENDOR REFERENCE: MS09-066 |
| CVE REFERENCE: CVE-2009-1928 |
| CVSS SCORES: Base 7.1/ Temporal 5.3 |
| THREAT: Active Directory provides central authentication and authorization services for Windows-based computers. Active Directory Lightweight Directory Services (AD LDS) is an independent mode of Active Directory that provides dedicated directory services for applications. AD LDS is available in Windows Server 2008 and later, and replaces Active Directory Application Mode (ADAM), which was available in Windows XP and Windows Server 2003. A denial of service vulnerability exists in implementations of Active Directory on Microsoft Windows 2000 Server, Windows Server 2003, and Windows Server 2008. The vulnerability also exists in implementations of ADAM when installed on Windows XP and Windows Server 2003, and in AD LDS on Windows Server 2008. The vulnerability is due to stack space exhaustion during execution of certain types of LDAP or LDAPS requests. (CVE-2009-1928) Microsoft has released a security update that addresses the vulnerability by changing the way Active Directory, ADAM, and AD LDS process malformed LDAP or LDAPS requests. |
| IMPACT: An attacker who successfully exploited this vulnerability could cause the affected system to stop responding. |
| SOLUTION: Patch: Patches are available for Microsoft Windows 2000 Server Service Pack 4 (Active Directory); Windows XP Service Pack 2 and Windows XP Service Pack 3 (Active Directory Application Mode (ADAM)); Windows XP Professional x64 Edition Service Pack 2 (ADAM); Windows Server 2003 Service Pack 2 (Active Directory); Windows Server 2003 Service Pack 2 (ADAM); Windows Server 2003 x64 Edition Service Pack 2 (Active Directory); Windows Server 2003 x64 Edition Service Pack 2 (ADAM); and Windows Server 2003 with SP2 for Itanium-based Systems (Active Directory). Refer to Microsoft Security Bulletin MS09-066 for download links and further details. |
| Microsoft Office Excel Remote Code Execution Vulnerabilities |
|---|
| SEVERITY: Critical |
| QUALYS ID: 110096 |
| VENDOR REFERENCE: MS09-067 |
| CVE REFERENCE: CVE-2009-3127, CVE-2009-3128, CVE-2009-3129, CVE-2009-3130, CVE-2009-3131, CVE-2009-3132, CVE-2009-3133, CVE-2009-3134 |
| CVSS SCORES: Base 7.5/ Temporal 5.5 |
| THREAT: Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X. Excel is prone to the following vulnerabilities, each of which allows remote code execution and lets an attacker who successfully exploits it take complete control of an affected system: (1) a vulnerability in the way that Microsoft Office Excel handles specially crafted Excel files (CVE-2009-3127); (2) a vulnerability in the way Excel handles specially crafted Excel files that include a malformed record object (CVE-2009-3128); (3) a second vulnerability in the way Excel handles specially crafted Excel files that include a malformed record object (CVE-2009-3129); (4) a vulnerability in the way Excel handles specially crafted Excel files with malformed BIFF records (CVE-2009-3130); (5) a vulnerability in the way Excel parses documents containing a specially crafted formula embedded inside a cell (CVE-2009-3131); (6) pointer corruption when loading Excel formulas, triggered if a user opens a specially crafted Excel file that includes a malformed formula (CVE-2009-3132); (7) memory corruption when loading Excel records, triggered if a user opens a specially crafted Excel file that includes a malformed object (CVE-2009-3133); (8) a vulnerability triggered if a user opens a specially crafted Excel file that includes a malformed record object (CVE-2009-3134). Microsoft has released a security update that addresses these vulnerabilities by modifying the way that Excel opens and parses Excel files, and by modifying the way that Excel handles malformed records. |
| IMPACT: Successful exploitation of these vulnerabilities allows a remote attacker to run arbitrary code as the logged-on user. If that user has administrative rights, the attacker can take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Patch: Patches are available for Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3); Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3); Open XML File Format Converter for Mac; Microsoft Office Excel Viewer 2003 Service Pack 3; and Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2. Refer to Microsoft Security Bulletin MS09-067 for download links and further details. Workarounds: 2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources; it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found in KB935865. 3) Use the Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. Registry scripts that set the File Block policy for Office 2003 and for the 2007 Office system are given in Microsoft Security Bulletin MS09-067. |
| Microsoft Office Word Remote Code Execution Vulnerabilities |
|---|
| SEVERITY: Critical |
| QUALYS ID: 110111 |
| VENDOR REFERENCE: MS09-068 |
| CVE REFERENCE: CVE-2009-3135 |
| CVSS SCORES: Base 7.5/ Temporal 5.5 |
| THREAT: Microsoft Word is a proprietary word processing application written and distributed by Microsoft for Microsoft Windows and Mac OS X. A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker can entice an unsuspecting user into opening a maliciously crafted Word file, which may corrupt system memory in such a way that arbitrary code can be executed. (CVE-2009-3135) Microsoft has released an update that addresses this vulnerability by modifying the way that Word opens files. |
| IMPACT: An attacker who successfully exploits these vulnerabilities can execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Patch: Patches are available for Microsoft Office XP Service Pack 3 (Microsoft Office Word 2002 Service Pack 3); Microsoft Office 2003 Service Pack 3 (Microsoft Office Word 2003 Service Pack 3); Open XML File Format Converter for Mac; and Microsoft Office Word Viewer 2003 Service Pack 3. Refer to Microsoft Security Bulletin MS09-068 for download links and further details. Workarounds: 2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources; it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found in KB935865. |
These new vulnerability checks are included in Qualys vulnerability signatures v1.24.47-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.
SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure that access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
  - 90565
  - 90567
  - 90566
  - 90568
  - 110096
  - 110111
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
Access for QualysGuard customers: https://qualysguard.qualys.com
Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/
