April 14, 2009
Microsoft Security Bulletin: April 14 2009 Security Bulletin
Advisory Overview

April 14, 2009 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 8 vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Vulnerability Details

Microsoft has released 8 security patches to fix newly discovered flaws in Microsoft Windows.

Qualys has released the following checks for these new vulnerabilities:


WordPad and Office Text Converters Remote Code Execution Vulnerability
SEVERITY: Urgent (5)
QUALYS ID: 90474
VENDOR REFERENCE: MS09-010
CVE REFERENCE: CVE-2008-4841, CVE-2009-0087, CVE-2009-0088, CVE-2009-0235
CVSS SCORES: Base 7.6/ Temporal 6.5
THREAT: WordPad is a default component of Microsoft Windows operating systems. Text converters in WordPad allow users who do not have Microsoft Office Word installed to open documents in various Microsoft Windows file formats. The Microsoft Office WordPerfect 6.x Converter helps users convert documents from Corel WordPerfect 6.x file formats to Microsoft Office Word file formats.

Multiple vulnerabilities listed below have been identified in WordPad and Office Text Converters:

- A memory corruption vulnerability in WordPad and Office Text Converter exists in the way the applications process memory when a user opens a specially crafted Word 6 file that includes malformed data. A remote attacker can exploit this flaw to execute arbitrary code. (CVE-2009-0087)

- A stack-based buffer overflow vulnerability exists when parsing a specially crafted Word 97 document. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed list structure. (CVE-2008-4841)

- A stack corruption vulnerability in Word 2000 WordPerfect 6.x Converter exists in the way that the converter processes memory when parsing a specially crafted WordPerfect document. (CVE-2009-0088)

- A stack-based buffer overflow vulnerability exists in WordPad as a result of memory corruption when a user opens a specially crafted Word file. This can be exploited by a remote attacker to execute arbitrary code. (CVE-2009-0235)

Microsoft has released a security update to address these vulnerabilities by modifying the way that Microsoft Office Word and Office text converters handle opening specially crafted Word 6.0, Windows Write, and WordPerfect documents. It also addresses the vulnerabilities by implementing fixes to WordPad and by preventing WordPad on affected platforms from opening Word 6.0 and Windows Write files.

IMPACT: Successful exploitation of this vulnerability allows an attacker to run arbitrary code as the logged-on user if a specially crafted file is opened in WordPad or Microsoft Office Word. An attacker with administrative rights can take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Workarounds:
1) Avoid opening or saving Microsoft Office files received from untrusted sources

2) Disable the Word 6 converter by applying a restrictive access control list (ACL) to the affected converters so that they are no longer loaded by WordPad and Office.

Impact of the workaround: Conversion of Word 6 documents to WordPad RTF or Word 2003 documents will no longer work.

3) Disable the Office text converter by applying a restrictive access control list (ACL) to the affected converter so that it is no longer loaded by Microsoft Office Word.

Impact of the workaround: Microsoft Office Word will no longer load WordPerfect documents.

Detailed information on applying access control lists to disable the Word 6 and Office text converters can be found in Microsoft Security Bulletin MS09-010.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

Microsoft Office 2000 Service Pack 3 (Microsoft Office Word 2000 Service Pack 3)

Microsoft Office XP Service Pack 3 (Microsoft Office Word 2002 Service Pack 3)

Microsoft Office Converter Pack

Refer to Microsoft Security Bulletin MS09-010 for further details.


Microsoft DirectShow Could Allow Remote Code Execution
SEVERITY: Urgent (5)
QUALYS ID: 90488
VENDOR REFERENCE: MS09-011
CVE REFERENCE: CVE-2009-0084
CVSS SCORES: Base 9.3/ Temporal 7.9
THREAT: Microsoft DirectX consists of a set of low-level Application Programming Interfaces (APIs) used by Windows programs for multimedia support. The DirectShow technology performs client-side audio and video sourcing, manipulation and rendering.

A remote code execution vulnerability exists in the way Microsoft DirectShow handles supported format files. An error occurs when decompressing MJPEG content. This vulnerability could allow code execution if a user opens a specially crafted MJPEG file. (CVE-2009-0084)

Microsoft has released a security update that addresses the vulnerability by correcting the way that DirectShow decompresses media files.

IMPACT: If this vulnerability is successfully exploited, it allows attackers to take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Workaround A:
- Disable the decoding of MJPEG content in Quartz.dll

Steps to disable decoding of MJPEG content using the Interactive Method:
1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey: HKEY_CLASSES_ROOT\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}
3. Click the File menu and select Export.
4. In the Export Registry File dialog box, enter MJPEG_Decoder_Backup.reg and click Save.
5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.

Steps to disable decoding of MJPEG content using a Managed Deployment Script:
1. Create a backup copy of the registry keys by using a managed deployment script that contains the following commands:
Regedit.exe /e MJPEG_Decoder_Backup.reg HKEY_CLASSES_ROOT\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}
2. Next, save the following to a file with a .REG extension, such as Disable_MJPEG_Decoder.reg:
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}]
3. Run the above registry script on the target machine with the following command from an elevated command prompt:
Regedit.exe /s Disable_MJPEG_Decoder.reg

Impact of the workaround: MJPEG content playback will be disabled.
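The managed deployment steps above can be combined so that the key is deleted only after a verified backup exists. The following PowerShell sketch is an added example, not part of the Qualys advisory or the Microsoft bulletin; it assumes PowerShell 2.0 or later is installed, and the function and parameter names are illustrative.

```powershell
#Requires -Version 2.0
# Added example: Workaround A for MS09-011 with a verified backup.
# Function and parameter names are hypothetical, not from the bulletin.

$Clsid  = '{301056D0-6DFF-11D2-9EEB-006008039E37}'
$RegKey = "HKEY_CLASSES_ROOT\CLSID\$Clsid"   # form regedit.exe expects
$PsKey  = "Registry::$RegKey"                # form the PowerShell registry provider expects

function Test-MjpegDecoderRegistered {
    # True while the decoder key is present, i.e. the workaround is NOT applied.
    return (Test-Path -LiteralPath $PsKey)
}

function Test-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-MjpegDecoder {
    param(
        # Full path of the .reg backup, e.g. C:\Backups\MJPEG_Decoder_Backup.reg
        [Parameter(Mandatory = $true)]
        [string]$BackupPath
    )

    if (-not (Test-Elevated)) {
        throw 'Run this from an elevated session.'
    }
    if (-not [System.IO.Path]::IsPathRooted($BackupPath)) {
        throw "BackupPath must be a full path: $BackupPath"
    }

    # Idempotent: a second run on the same host changes nothing.
    if (-not (Test-MjpegDecoderRegistered)) {
        Write-Output 'Decoder key absent: workaround already in place.'
        return
    }

    # Never clobber an earlier backup; it may be the only copy of the key.
    if (Test-Path -LiteralPath $BackupPath) {
        throw "Backup file already exists, refusing to overwrite: $BackupPath"
    }

    # Step 1: export the key with the same Regedit.exe /e call the page gives.
    Start-Process -FilePath 'regedit.exe' `
        -ArgumentList '/e', "`"$BackupPath`"", "`"$RegKey`"" -Wait

    # Do not trust the export blindly: the file must exist and mention the CLSID.
    $backupOk = $false
    if (Test-Path -LiteralPath $BackupPath) {
        $backupOk = [bool](Get-Content -LiteralPath $BackupPath |
            Select-String -Pattern $Clsid -SimpleMatch -Quiet)
    }
    if (-not $backupOk) {
        throw "Backup missing or incomplete, key left untouched: $BackupPath"
    }

    # Steps 2-3: remove the key (same effect as importing the [-HKEY_...] script).
    Remove-Item -LiteralPath $PsKey -Recurse -Force

    if (Test-MjpegDecoderRegistered) {
        throw 'Decoder key is still present after deletion.'
    }
    Write-Output "MJPEG decoder disabled. Backup saved to $BackupPath"
}

# Usage (elevated session):
#   Disable-MjpegDecoder -BackupPath 'C:\Backups\MJPEG_Decoder_Backup.reg'
# To undo the workaround, import the backup:
#   Regedit.exe /s C:\Backups\MJPEG_Decoder_Backup.reg
```

On 64-bit Windows the script acts on the registry view of the PowerShell host that runs it, so check the result with Test-MjpegDecoderRegistered from the same kind of host.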

Workaround B:
- Unregister quartz.dll using the following command from an elevated command prompt:
For 32-bit Windows systems: Regsvr32.exe -u %WINDIR%\system32\quartz.dll
For 64-bit Windows systems: Regsvr32.exe -u %WINDIR%\syswow64\quartz.dll

Impact of the workaround: Windows Media Player will not be able to play ".AVI" or ".WAV" files.

For additional details on applying the workarounds, please refer to Microsoft Security Bulletin MS09-011.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4 (DirectX 8.1)

Microsoft Windows 2000 Service Pack 4 (DirectX 9.0)

Windows XP Service Pack 2 and Windows XP Service Pack 3 (DirectX 9.0)

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (DirectX 9.0)

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (DirectX 9.0)

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (DirectX 9.0)

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (DirectX 9.0)

Refer to Microsoft Security Bulletin MS09-011 for further details.


Vulnerabilities in Windows Could Allow Elevation of Privilege
SEVERITY: Urgent (5)
QUALYS ID: 90490
VENDOR REFERENCE: MS09-012
CVE REFERENCE: CVE-2008-1436, CVE-2009-0078, CVE-2009-0079, CVE-2009-0080
CVSS SCORES: Base 10/ Temporal 7.8
THREAT: The Microsoft Distributed Transaction Coordinator (MSDTC) is a distributed transaction facility for Microsoft Windows platforms. Windows Management Instrumentation (WMI) is the primary management technology for Microsoft Windows operating systems used for monitoring of systems.

The following vulnerabilities affecting MSDTC and WMI have been identified:

- An elevation of privilege vulnerability exists due to the MSDTC facility allowing the NetworkService token to be obtained and used when making an RPC call. This can be exploited by a process having the SeImpersonatePrivilege to run arbitrary code with NetworkService privileges. (CVE-2008-1436)

- The WMI provider improperly isolates processes running under the NetworkService or LocalService accounts. This can be exploited to run arbitrary code with LocalSystem privileges by obtaining a SYSTEM token. (CVE-2009-0078)

- The RPCSS service improperly isolates processes running under the NetworkService or LocalService accounts. This can be exploited to execute arbitrary code with LocalSystem privileges. (CVE-2009-0079)

- A vulnerability exists due to Windows placing incorrect access control lists (ACLs) on threads in the current ThreadPool. An attacker who successfully exploits this vulnerability could execute arbitrary code with LocalSystem privileges. (CVE-2009-0080)

Microsoft has released a security update to address these vulnerabilities by correcting the way that Windows addresses tokens requested by the Microsoft Distributed Transaction Coordinator (MSDTC), and by properly isolating WMI providers and processes that run under the NetworkService or LocalService accounts.

IMPACT: The vulnerabilities could allow elevation of privilege if an attacker is allowed to log on to the system and then run a specially crafted application. The attacker must be able to run code on the local machine in order to exploit this vulnerability. An attacker who successfully exploits any of these vulnerabilities could take complete control over the affected system.
SOLUTION: Workarounds:

1) IIS 6.0: Configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager and disable MSDTC.
2) IIS 7.0: Specify a WPI for an application pool in IIS Manager.
3) IIS 7.0: Specify a WPI for an application pool using the Command Line utility APPCMD.exe.

Detailed information on applying the workarounds is available at Microsoft Security Bulletin MS09-012.

Impact of the workarounds: Management of additional user accounts results in increased administrative overhead. Application functionality may be affected depending on the nature of applications running. Disabling MSDTC will prevent applications from using distributed transactions and will prevent configuration as well as running of COM+ applications.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

MSDTC Transaction Facility:
Microsoft Windows 2000 Service Pack 4

MSDTC Transaction Facility:
Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows Service Isolation:
Windows XP Service Pack 2

Windows Service Isolation:
Windows XP Service Pack 3

MSDTC Transaction Facility:
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2

Windows Service Isolation:
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2

MSDTC Transaction Facility:
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

Windows Service Isolation:
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

MSDTC Transaction Facility:
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Service Isolation:
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

MSDTC Transaction Facility:
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

Windows Service Isolation:
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-012.


Windows HTTP Services Could Allow Remote Code Execution
SEVERITY: Urgent (5)
QUALYS ID: 90493
VENDOR REFERENCE: MS09-013
CVE REFERENCE: CVE-2009-0086, CVE-2009-0089, CVE-2009-0550
CVSS SCORES: Base 10/ Temporal 7.4
THREAT: Windows HTTP Services (WinHTTP) provides developers with an HTTP client application programming interface (API) to send requests through the HTTP protocol to Web servers. WinHTTP can be used by both Microsoft Windows components and third-party software.

Windows HTTP Services is prone to the following vulnerabilities:

- A remote code execution vulnerability exists in the way that Windows HTTP Services handles specific values that are returned by a remote Web server. (CVE-2009-0086)

- A spoofing vulnerability exists in Windows HTTP Services as a result of the incomplete validation of the distinguished name in a digital certificate. When combined with specific other attacks, such as DNS spoofing, this may allow an attacker to successfully spoof the digital certificate of a Web site for any application that uses Windows HTTP Services. (CVE-2009-0089)

- A remote code execution vulnerability exists in the way that Windows HTTP Services handles NTLM credentials when a user connects to an attacker's Web server. (CVE-2009-0550)

Microsoft has released a security update that addresses these vulnerabilities by changing the way that Windows HTTP Services handles errors and validates certificates, and by ensuring that Windows HTTP Services correctly uses NTLM credential reflection protection mechanisms.

IMPACT: If this vulnerability is successfully exploited, it will allow attackers to take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Successful exploitation also allows an attacker to impersonate a secure Web site and offer malicious content to the application using Windows HTTP Services, which would trust it as if it originated from a secure Web site.

SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista and Windows Vista Service Pack 1

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1

Windows Server 2008 for 32-bit Systems

Windows Server 2008 for x64-based Systems

Windows Server 2008 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS09-013 for further details.


Microsoft Internet Explorer Cumulative Security Update
SEVERITY: Urgent (5)
QUALYS ID: 100071
VENDOR REFERENCE: MS09-014
CVE REFERENCE: CVE-2008-2540, CVE-2009-0550, CVE-2009-0551, CVE-2009-0552, CVE-2009-0553, CVE-2009-0554
CVSS SCORES: Base 10/ Temporal 7.8
THREAT: Microsoft Internet Explorer is a Web browser for Microsoft Windows. The browser is prone to the following vulnerabilities:

- A blended threat remote code execution vulnerability exists in the way that Internet Explorer locates and opens files on the system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. Internet Explorer could open a specially crafted file from the desktop, allowing files to be downloaded to the system without prompting. (CVE-2008-2540)

- WinINet does not correctly opt in to NTLM credential-reflection protections when a user connects to an attacker's server by way of the HTTP protocol. This vulnerability allows an attacker to replay the user's credentials back to the attacker and to execute code in the context of the logged-on user. (CVE-2009-0550)

- A memory corruption vulnerability exists in the way Internet Explorer handles transition when navigating between Web pages. As a result, system memory may be corrupted in such a way that an attacker could execute arbitrary code if a user visited a specially crafted Web site. (CVE-2009-0551)

- Multiple remote code execution vulnerabilities exist in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker can exploit this issue by constructing a specially crafted Web page. When Internet Explorer attempts to access an object that has not been initialized or has been deleted, it triggers memory corruption, allowing arbitrary execution of code. (CVE-2009-0552, CVE-2009-0553, CVE-2009-0554)

Microsoft has released a security update that addresses these vulnerabilities by modifying the way that Internet Explorer searches the system for files to load, performs authentication reply validation, handles transition errors when navigating between Web pages, and handles memory objects.

IMPACT: If this vulnerability is successfully exploited, it will allow attackers to execute arbitrary code to take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Workaround:
CVE-2009-0551, CVE-2009-0552, CVE-2009-0553, CVE-2009-0554:
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

Detailed steps on applying the workarounds can be found in Microsoft Security Bulletin MS09-014.

Impact of the Workaround:
On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 5.01 Service Pack 4)

Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 6 Service Pack 1)

Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft Internet Explorer 6)

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Microsoft Internet Explorer 6)

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Microsoft Internet Explorer 6)

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Microsoft Internet Explorer 6)

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft Internet Explorer 6)

Windows XP Service Pack 2 and Windows XP Service Pack 3 (Windows Internet Explorer 7)

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Windows Internet Explorer 7)

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Windows Internet Explorer 7)

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Windows Internet Explorer 7)

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Windows Internet Explorer 7)

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-014.


Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege
SEVERITY: Serious (3)
QUALYS ID: 90492
VENDOR REFERENCE: MS09-015
CVE REFERENCE: CVE-2008-2540
CVSS SCORES: Base 10/ Temporal 7.4
THREAT: A security vulnerability in the Windows "SearchPath" function could allow elevation of privileges due to the way the function locates and opens files on the system. By persuading an unsuspecting user to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code with privileges of the logged-on user. (CVE-2008-2540)

Microsoft has released a security update that addresses the vulnerability by modifying the way that Windows loads files from the desktop.

IMPACT: A privilege escalation can occur which could allow an attacker to install applications; view, change, or delete data, or create new accounts.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista and Windows Vista Service Pack 1

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1

Windows Server 2008 for 32-bit Systems

Windows Server 2008 for x64-based Systems

Windows Server 2008 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS09-015 for further details.


Microsoft ISA Server and Forefront Threat Management Gateway Denial of Service
SEVERITY: Serious (3)
QUALYS ID: 90491
VENDOR REFERENCE: MS09-016
CVE REFERENCE: CVE-2009-0077, CVE-2009-0237
CVSS SCORES: Base 5.4/ Temporal 4
THREAT: The following vulnerabilities have been identified in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG):

- A denial of service vulnerability exists in the way the firewall engine handles TCP state for Web proxy or Web publishing listeners. It can allow a remote user to send specially crafted network packets to the affected system and cause a Web listener to stop responding to new requests. (CVE-2009-0077)

- A cross-site scripting (XSS) vulnerability exists in the HTML forms authentication component in ISA Server or Forefront TMG, "cookieauth.dll", due to improper input validation of the HTTP stream. This could allow malicious script code to run on the machine of another user under the guise of the server running "cookieauth.dll". (CVE-2009-0237)

Microsoft has released a security update that addresses these vulnerabilities by modifying the way that the firewall engine handles the TCP state and the way that HTTP forms authentication handles input.

IMPACT: CVE-2009-0077: A remote user can exploit this vulnerability to cause the affected system's Web listener to become non-responsive leading to denial of service conditions.

CVE-2009-0237: Successful exploitation of this vulnerability could allow injection of arbitrary script in the user's browser. This can lead to spoofing and information disclosure.

SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Forefront Threat Management Gateway, Medium Business Edition

Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3

Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3

Microsoft Internet Security and Acceleration Server 2006

Microsoft Internet Security and Acceleration Server 2006 Supportability Update

Microsoft Internet Security and Acceleration Server 2006 Service Pack 1

Refer to Microsoft Security Bulletin MS09-016 for further details.


Microsoft Excel Remote Code Execution Vulnerability
SEVERITY: Critical (4)
QUALYS ID: 110093
VENDOR REFERENCE: MS09-009
CVE REFERENCE: CVE-2009-0238, CVE-2009-0100
CVSS SCORES: Base 10/ Temporal 8.5
THREAT: Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X.

The following vulnerabilities exist in Microsoft Office Excel:

- A remote code execution vulnerability exists in the way the application parses the Excel spreadsheet file format. A remote attacker can exploit this flaw by enticing an unsuspecting user into opening a specially crafted spreadsheet to cause arbitrary execution of code. (CVE-2009-0100)

- A security vulnerability that could allow remote code execution exists in Excel if a user opens a specially crafted Excel file that includes a malformed object. (CVE-2009-0238)

IMPACT: Successful exploitation of this vulnerability allows an attacker to run arbitrary code as the logged-on user. An attacker with administrative rights can take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Workaround:
1) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.

Impact of the workaround:
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.

2) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. The following registry scripts can be used to set the File Block policy.

For Office 2003:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

For 2007 Office system:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001

Impact of the workaround:
If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Office 2000 Service Pack 3 (Microsoft Office Excel 2000 Service Pack 3)

Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3)

Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3)

2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1)

Microsoft Office 2004 for Mac

Microsoft Office 2008 for Mac

Microsoft Office Excel Viewer 2003 Service Pack 3

Microsoft Office Excel Viewer

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1

Refer to Microsoft Security Bulletin MS09-009 for further details.

This new vulnerability check is included in Qualys vulnerability signatures v1.22.184-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 90474
    • 90488
    • 90490
    • 90493
    • 100071
    • 90492
    • 90491
    • 110093
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.


Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102