April 13, 2010
Microsoft Security Bulletin: April 2010
Advisory Overview

April 13, 2010 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 25 vulnerabilities that were fixed today by 11 bulletins. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Vulnerability Details

Microsoft has released 11 security patches to fix newly discovered flaws.

Qualys has released the following checks for these new vulnerabilities:


Microsoft Windows Remote Code Execution Vulnerability
SEVERITY: Urgent (5)
QUALYS ID: 90596
VENDOR REFERENCE: MS10-019
CVE REFERENCE: CVE-2010-0486 | CVE-2010-0487
CVSS SCORES: Base 9.3/ Temporal 6.9
THREAT: The Windows Authenticode Signature Verification function, or WinVerifyTrust, performs a trust verification action on a specified object. A cabinet is a single file, usually suffixed with .CAB, that stores compressed files in a file library. A compressed file can be spread over several cabinet files. During installation, the setup application decompresses the files stored in a cabinet and copies them to the user's system.

These Windows components are prone to the following vulnerabilities:

A remote code execution vulnerability exists in the Windows Authenticode Signature Verification function used for portable executable (PE) and cabinet file formats. The vulnerability is caused when the Windows Authenticode Signature Verification function omits fields from the file digest when signing and verifying a PE or cabinet file. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to manipulate unverified portions of the signature and file in such a way as to add malicious code to the file without invalidating the signature. (CVE-2010-0486)

A remote code execution vulnerability exists in the Windows Authenticode Signature verification for cabinet (.cab) file formats. The vulnerability is caused when the Windows Cabinet File Viewer omits fields from the file digest when signing and verifying a cabinet file. An anonymous attacker could exploit the vulnerability by modifying an existing signed cabinet file to point the unverified portions of the signature to malicious code, and then convincing a user to open or view the specially crafted cabinet file. (CVE-2010-0487)

Microsoft has released a security update that addresses the vulnerabilities by correcting validations, the creation of symbolic links, the resolution of virtual registry key paths, and exceptions handling.

IMPACT: An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4 (Authenticode Signature Verification 5.1)

Microsoft Windows 2000 Service Pack 4 (Cabinet File Viewer Shell Extension 5.1)

Windows XP Service Pack 2 and Windows XP Service Pack 3 (Authenticode Signature Verification 5.1)

Windows XP Service Pack 2 and Windows XP Service Pack 3 (Cabinet File Viewer Shell Extension 6.0)

Windows XP Professional x64 Edition Service Pack 2 (Authenticode Signature Verification 5.1)

Windows XP Professional x64 Edition Service Pack 2 (Cabinet File Viewer Shell Extension 6.0)

Windows Server 2003 Service Pack 2 (Authenticode Signature Verification 5.1)

Windows Server 2003 Service Pack 2 (Cabinet File Viewer Shell Extension 6.0)

Windows Server 2003 x64 Edition Service Pack 2 (Authenticode Signature Verification 5.1)

Windows Server 2003 x64 Edition Service Pack 2 (Cabinet File Viewer Shell Extension 6.0)

Windows Server 2003 with SP2 for Itanium-based Systems (Authenticode Signature Verification 5.1)

Windows Server 2003 with SP2 for Itanium-based Systems (Cabinet File Viewer Shell Extension 6.0)

Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 (Authenticode Signature Verification 6.0)

Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 (Cabinet File Viewer Shell Extension 6.0)

Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 (Authenticode Signature Verification 6.0)

Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 (Cabinet File Viewer Shell Extension 6.0)

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS10-019.


Microsoft SMB Client Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 90592
VENDOR REFERENCE: MS10-020
CVE REFERENCE: CVE-2009-3676 | CVE-2010-0269 | CVE-2010-0270 | CVE-2010-0476 | CVE-2010-0477
CVSS SCORES: Base 10/ Temporal 7.8
THREAT: Microsoft Server Message Block (SMB) Protocol is a Microsoft network file sharing protocol used in Microsoft Windows.

The Microsoft SMB client is prone to the following vulnerabilities:

A denial of service vulnerability exists in the way that the Microsoft Server Message Block client implementation handles specially crafted SMB responses. (CVE-2009-3676)

An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block client implementation allocates memory when parsing specially crafted SMB responses. (CVE-2010-0269)

An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block client implementation handles specially crafted SMB transaction responses. (CVE-2010-0270)

An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block client implementation parses specially crafted SMB transaction responses. (CVE-2010-0476)

An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block client implementation handles specially crafted SMB responses. (CVE-2010-0477)

Microsoft has released a security update to address these issues.

IMPACT: The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2

Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems

Windows 7 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS10-020 for further details.

Workaround:
Block TCP ports 139 and 445 at the firewall. These ports are used to initiate a connection with the affected component. Blocking them at the enterprise firewall, both inbound and outbound, helps protect systems behind that firewall from attempts to exploit this vulnerability.


Microsoft Windows Kernel Elevation Privilege Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 90594
VENDOR REFERENCE: MS10-021
CVE REFERENCE: CVE-2010-0234 | CVE-2010-0235 | CVE-2010-0236 | CVE-2010-0237 | CVE-2010-0238 | CVE-2010-0810 | CVE-2010-0481 | CVE-2010-0482
CVSS SCORES: Base 6.6/ Temporal 4.9
THREAT: Windows Kernel is the core of the operating system. It provides system level services such as device management and memory management, allocates processor time to processes, and manages error handling.

The kernel is prone to multiple elevation of privilege vulnerabilities. An attacker who successfully exploits this vulnerability could execute arbitrary code and take complete control of an affected system.

Affected Software:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows Server 2003 Service Pack 2
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows 7 for 32-bit Systems and x64-based Systems
Windows Server 2008 R2 for x64- and Itanium-based Systems

IMPACT: A successful exploit will allow arbitrary attacker-supplied code to run with kernel-level privileges.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista

Windows Vista Service Pack 1 and Windows Vista Service Pack 2

Windows Vista x64 Edition

Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems

Windows 7 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS10-021 for further details.


Microsoft VBScript Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 90587
VENDOR REFERENCE: KB981169
CVE REFERENCE: CVE-2010-0483
CVSS SCORES: Base 7.6/ Temporal 6
THREAT: Microsoft Internet Explorer is a Web browser for Microsoft Windows. Windows Help (winhlp32.exe) is a help program included with Microsoft Windows. A vulnerability affecting VBScript on some versions of the Windows operating system has been reported.

The vulnerability exists in the way that VBScript interacts with Windows Help files (winhlp32.exe) when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.

Microsoft has released a security update that addresses this vulnerability by modifying the way that the VBScript engine processes help files in protected mode.

This security update addresses the vulnerability first described in Microsoft Security Advisory 981169.

IMPACT: Successful exploitation allows an attacker to execute arbitrary code.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4 (VBScript 5.1)

Microsoft Windows 2000 Service Pack 4 (VBScript 5.6)

Microsoft Windows 2000 Service Pack 4 (VBScript 5.7)

Windows XP Service Pack 2 (VBScript 5.6)

Windows XP Service Pack 2 and Windows XP Service Pack 3 (VBScript 5.7)

Windows XP Service Pack 2 and Windows XP Service Pack 3 (VBScript 5.8)

Windows XP Professional x64 Edition Service Pack 2 (VBScript 5.6)

Windows XP Professional x64 Edition Service Pack 2 (VBScript 5.7)

Windows XP Professional x64 Edition Service Pack 2 (VBScript 5.8)

Windows Server 2003 Service Pack 2 (VBScript 5.6)

Windows Server 2003 Service Pack 2 (VBScript 5.7)

Windows Server 2003 Service Pack 2 (VBScript 5.8)

Windows Server 2003 x64 Edition Service Pack 2 (VBScript 5.6)

Windows Server 2003 x64 Edition Service Pack 2 (VBScript 5.7)

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS10-022.

Workarounds:
1) Avoid pressing F1 on untrusted Web sites.

2) Restrict access to the Windows Help System.

Impact of workaround #2: The Windows Help System will be unavailable, and users may not be able to invoke the help function in applications. The attempt to open the help function in applications may lead to an error message.

3) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting

4) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

Impact of workaround #3 and #4: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.

Detailed instructions on applying the workarounds can be found at Microsoft Security Bulletin MS10-022.


Microsoft Office Publisher Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 110114
VENDOR REFERENCE: MS10-023
CVE REFERENCE: CVE-2010-0479
CVSS SCORES: Base 7.5/ Temporal 5.5
THREAT: Microsoft Office Publisher is a desktop publishing application.

A vulnerability exists in the file parsing code when Microsoft Office Publisher opens Publisher files.

Microsoft Office Publisher 2002 is vulnerable.
Microsoft Office Publisher 2003 is vulnerable.
Microsoft Office Publisher 2007 is vulnerable.

Microsoft has released a security update that addresses the vulnerability by correcting the way that Microsoft Office Publisher opens specially crafted Publisher files.

IMPACT: An attacker can exploit this issue by persuading an unsuspecting user into opening a malicious file. This vulnerability allows attackers to execute arbitrary code on the user's system.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Office XP Service Pack 3 (Microsoft Office Publisher 2002 Service Pack 3)

Microsoft Office 2003 Service Pack 3 (Microsoft Office Publisher 2003 Service Pack 3)

2007 Microsoft Office System Service Pack 1 (Microsoft Office Publisher 2007 Service Pack 1)

2007 Microsoft Office System Service Pack 2 (Microsoft Office Publisher 2007 Service Pack 2)

Please refer to Microsoft Security Bulletin MS10-023 for further details.

Workaround:
Do not open Publisher files from untrusted sources.


Microsoft Exchange and Windows SMTP Service Denial of Service and Information Disclosure Vulnerability
SEVERITY: Serious (3)
QUALYS ID: 90598
VENDOR REFERENCE: MS10-024
CVE REFERENCE: CVE-2010-0024 | CVE-2010-0025
CVSS SCORES: Base 8.8/ Temporal 6.5
THREAT: The Simple Mail Transfer Protocol (SMTP) service transfers email and is installed as part of E-mail Services or Internet Information Services (IIS).

Microsoft Exchange and Windows SMTP Service are exposed to the following vulnerabilities:

1) A denial of service vulnerability exists in the way that the Microsoft Windows Simple Mail Transfer Protocol (SMTP) component handles specially crafted DNS Mail Exchanger (MX) resource records. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the SMTP service. (CVE-2010-0024)

2) An information disclosure vulnerability exists in the Microsoft Windows Simple Mail Transfer Protocol (SMTP) component due to the manner in which the SMTP component handles memory allocation. An attacker could exploit the vulnerability by sending invalid commands, followed by the STARTTLS command, to an affected server. An attacker who successfully exploits this vulnerability could read random email message fragments stored on the affected server. (CVE-2010-0025)

Microsoft has released a security update that addresses the vulnerabilities by correcting the manner in which SMTP parses MX records and the manner in which SMTP allocates memory for interpreting SMTP command responses.

IMPACT: Successfully exploiting these vulnerabilities might allow a remote attacker to cause denial of service conditions or gain access to sensitive information.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 R2 for x64-based Systems

Microsoft Exchange Server 2000 Service Pack 3

Microsoft Exchange Server 2003 Service Pack 2

Microsoft Exchange Server 2007 Service Pack 1 for x64-based Systems

Microsoft Exchange Server 2007 Service Pack 2 for x64-based Systems

Microsoft Exchange Server 2010 for x64-based Systems

Refer to Microsoft Security Bulletin MS10-024 for further details.


Microsoft Windows Media Services Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 90591
VENDOR REFERENCE: MS10-025
CVE REFERENCE: CVE-2010-0478
CVSS SCORES: Base 10/ Temporal 7.8
THREAT: Microsoft Windows Media Services is a platform for streaming live or on-demand audio and video content over the Internet or an intranet.

A remote code execution vulnerability exists in Microsoft Windows 2000 Server Service Pack 4 running the optional Windows Media Services component due to the way the Windows Media Unicast Service handles specially crafted transport information packets. On Microsoft Windows 2000 Server Service Pack 4, Windows Media Services is an optional component and is not installed by default. Only Microsoft Windows 2000 Server systems that have enabled Windows Media Services are affected by this vulnerability. (CVE-2010-0478)

Microsoft has released a security update that addresses the vulnerability by modifying the way that the Windows Media Unicast Service (nsum.exe) handles transport info network packets.

IMPACT: An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Server Service Pack 4

Refer to Microsoft Security Bulletin MS10-025 for further details.

Workaround:
1) Stop and disable Windows Media Unicast Service.

Impact of workaround #1: Connections to the streaming media server via the Windows Media Unicast Service will not be allowed.

2) Uninstall the Windows Media Services component using Windows Component Wizard.

Impact of workaround #2: The server will no longer be configured as a streaming media server using Windows Media Services.

Additional details on the workarounds can be obtained from the Microsoft Security Bulletin MS10-025.


Microsoft MPEG Layer-3 Codecs Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 90593
VENDOR REFERENCE: MS10-026
CVE REFERENCE: CVE-2010-0480
CVSS SCORES: Base 9/ Temporal 6.6
THREAT: A vulnerability exists in Microsoft MPEG Layer-3 audio codecs. The vulnerable MPEG Layer-3 audio codecs are the MPEG Layer-3 Audio Codec for Microsoft DirectShow (l3codecx.ax) and the Fraunhofer IIS MPEG Layer-3 ACM codecs (L3codeca.acm and L3codecp.acm). These MPEG Layer-3 audio codecs are delivered as part of Windows Media.

The Microsoft MPEG Layer-3 audio codecs do not properly handle specially crafted AVI files containing an MPEG Layer-3 audio stream, which allows an attacker to execute code remotely. (CVE-2010-0480)

Microsoft has released a security update that addresses this vulnerability by correcting the way that the Microsoft MPEG Layer-3 audio codecs decode the MPEG Layer-3 audio stream in specially crafted AVI files.

IMPACT: Successful exploitation of this vulnerability allows remote code execution.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4 (MPEG Layer-3 codecs)

Windows XP Service Pack 2 and Windows XP Service Pack 3 (MPEG Layer-3 codecs)

Windows XP Professional x64 Edition Service Pack 2 (MPEG Layer-3 codecs)

Windows Server 2003 Service Pack 2 (MPEG Layer-3 codecs)

Windows Server 2003 x64 Edition Service Pack 2 (MPEG Layer-3 codecs)

Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 (MPEG Layer-3 codecs)

Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 (MPEG Layer-3 codecs)

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (MPEG Layer-3 codecs)

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (MPEG Layer-3 codecs)

Refer to Microsoft Security Bulletin MS10-026 for further details.

Workaround:
Restrict access to the MPEG Layer-3 audio codecs to ensure that they can no longer be loaded. This effectively prevents exploitation of the vulnerability using this attack vector.

Impact of the workaround: MPEG Layer-3 audio encoded files will not play.


Microsoft Windows Media Player Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 90597
VENDOR REFERENCE: MS10-027
CVE REFERENCE: CVE-2010-0478
CVSS SCORES: Base 7.9/ Temporal 5.8
THREAT: Windows Media Player is a feature of the Windows operating system for personal computers. It is used for playing audio and video.

A remote code execution vulnerability exists in the Windows Media Player ActiveX control. This vulnerability exists because the Windows Media Player ActiveX control incorrectly handles specially crafted media content hosted on a malicious Web site. (CVE-2010-0268)

Microsoft has released a security update that addresses the vulnerability by modifying the way the Windows Media Player ActiveX control handles specially crafted media content hosted on a malicious Web site.

IMPACT: An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs or view, change, or delete data with full user rights.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4 (Windows Media Player 9 Series)

Windows XP Service Pack 2 (Windows Media Player 9 Series)

Windows XP Service Pack 3 (Windows Media Player 9 Series)

Refer to Microsoft Security Bulletin MS10-027 for further details.

Workarounds:
1) Prevent the Windows Media Player ActiveX control from running in Internet Explorer. Attempts to instantiate the Windows Media Player ActiveX control in Internet Explorer can be disabled by setting the kill bit for the control in the registry.

Impact of workaround #1: Users will not be able to start the Windows Media Player ActiveX control from within Web pages. As a result, Windows Media Player content will not render inside a Web page.

2) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting

3) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

Impact of workaround #2 and #3: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.

Further details on applying the workarounds are available at Microsoft Security Bulletin MS10-027.


Microsoft Visio Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 90590
VENDOR REFERENCE: MS10-028
CVE REFERENCE: CVE-2010-0254 | CVE-2010-0256
CVSS SCORES: Base 9.3/ Temporal 6.9
THREAT: Microsoft Visio is diagramming software for Microsoft Windows. It uses vector graphics to create diverse diagrams.

Microsoft Office Visio is prone to the following vulnerabilities that result in remote code execution:

A remote code execution vulnerability exists in the way that Microsoft Office Visio validates attributes when handling specially crafted Visio files. (CVE-2010-0254)

A remote code execution vulnerability exists in the way that Microsoft Office Visio calculates indexes when handling specially crafted Visio files. (CVE-2010-0256)

Affected Software:
Microsoft Office Visio 2002 Service Pack 2
Microsoft Office Visio 2003 Service Pack 3
Microsoft Office Visio 2007 Service Pack 1
Microsoft Office Visio 2007 Service Pack 2

IMPACT: An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Office Visio 2002 Service Pack 2

Microsoft Office Visio 2003 Service Pack 3

Microsoft Office Visio 2007 Service Pack 1

Microsoft Office Visio 2007 Service Pack 2

Refer to Microsoft Security Bulletin MS10-028 for further details.

Workaround:
Do not open Visio files from untrusted sources.


Microsoft Windows ISATAP Component Spoofing Vulnerability
SEVERITY: Serious (3)
QUALYS ID: 90595
VENDOR REFERENCE: MS10-029
CVE REFERENCE: CVE-2010-0812
CVSS SCORES: Base 6.4/ Temporal 4.7
THREAT: The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) provides IPv6 connectivity within an IPv4 Intranet.

ISATAP is prone to an address spoofing vulnerability. The vulnerability exists because the Windows TCP/IP stack does not properly check the source IPv6 address in a tunneled ISATAP packet. (CVE-2010-0812)

An attacker could try to exploit the vulnerability by creating specially crafted network packets with a specially crafted IPv6 source address in an ISATAP connection that does not match the corresponding IPv4 source address.

Microsoft has released a security update that addresses this vulnerability by changing the manner in which the Windows TCP/IP stack checks the source IPv6 address in a tunneled ISATAP packet.

IMPACT: An attacker may be able to impersonate another user or system which could allow source address filters, such as edge or host firewalls, to be bypassed.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2

Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Refer to Microsoft Security Bulletin MS10-029 for further details.

Workaround:
1) Block IP Protocol Type 41 (ISATAP) at the firewall. Blocking it at the enterprise firewall, both inbound and outbound, helps protect systems behind that firewall from attempts to exploit this vulnerability.

2) Disable the ISATAP IPv6 interface.

Impact of workaround #2: Disabling the ISATAP interface will prevent the system from using ISATAP as an IPv6 tunneling mechanism.
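The source-address consistency that MS10-029 concerns can be checked on captured protocol-41 traffic, for example at a sensor in front of hosts that are not yet patched. The following is an added example, not Qualys or Microsoft code: it applies the ISATAP address format from RFC 5214, and the function names, the `trusted_routers` parameter and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv6-in-IPv4, the "IP Protocol Type 41" named in the workaround

# RFC 5214 ISATAP interface identifier: 00-00-5E-FE followed by the IPv4
# address; the universal/local bit (0x02 in the first byte) may be set.
ISATAP_IID_PREFIXES = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def embedded_ipv4(ipv6_addr):
    """Return the IPv4 address embedded in an ISATAP IPv6 address, or None."""
    raw = ipaddress.IPv6Address(ipv6_addr).packed
    if raw[8:12] in ISATAP_IID_PREFIXES:
        return ipaddress.IPv4Address(raw[12:16])
    return None


def check_isatap_packet(packet, trusted_routers=()):
    """Classify one raw IPv4 packet as ("accept" | "drop" | "skip", reason).

    trusted_routers (hypothetical parameter) lists IPv4 addresses of known
    ISATAP routers, which may legitimately forward non-ISATAP IPv6 sources.
    """
    packet = bytes(packet)
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "skip", "not an IPv4 packet"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "drop", "bad IPv4 header length"
    if packet[9] != IPPROTO_IPV6:
        return "skip", "not protocol 41"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        # Only the first fragment carries the inner IPv6 header.
        return "skip", "non-first fragment; reassemble before checking"
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop", "truncated or malformed inner IPv6 header"

    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    routers = {ipaddress.IPv4Address(r) for r in trusted_routers}

    if embedded_ipv4(inner_src) == outer_src:
        return "accept", f"{inner_src} embeds outer source {outer_src}"
    if outer_src in routers:
        return "accept", f"outer source {outer_src} is a trusted ISATAP router"
    return "drop", f"inner source {inner_src} does not match outer source {outer_src}"


def build_packet(outer_src, inner_src, outer_dst="192.0.2.1", inner_dst="2001:db8::1"):
    """Build a constructed protocol-41 test packet (header checksum left at 0)."""
    v6 = (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
          + ipaddress.IPv6Address(inner_src).packed
          + ipaddress.IPv6Address(inner_dst).packed)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     IPPROTO_IPV6, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


if __name__ == "__main__":
    # Constructed samples using documentation address ranges.
    samples = [
        ("consistent", build_packet("192.0.2.10", "fe80::5efe:192.0.2.10")),
        ("mismatched", build_packet("198.51.100.7", "fe80::5efe:192.0.2.10")),
        ("via router", build_packet("192.0.2.1", "2001:db8::99")),
    ]
    for label, pkt in samples:
        print(label, check_isatap_packet(pkt, trusted_routers=("192.0.2.1",)))
```

A "drop" verdict on traffic from inside the network is worth logging with both addresses, since it identifies the host whose outer IPv4 source carried the inconsistent inner address.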

This new vulnerability check is included in Qualys vulnerability signatures v1.26.39-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 90596
    • 90592
    • 90594
    • 90587
    • 110114
    • 90598
    • 90591
    • 90593
    • 90597
    • 90590
    • 90595
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if QualysGuard is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.


Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102