September 14, 2010
Microsoft Security Bulletin: September 2010
Advisory Overview

September 14, 2010 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against vulnerabilities for which patches were released today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Vulnerability Details

Microsoft has released 9 security patches to fix newly discovered flaws in Microsoft Windows.

Qualys has released the following checks for these new vulnerabilities:


Microsoft Windows Print Spooler Remote Code Execution Vulnerability (MS10-061)
SEVERITY: Critical (4)
QUALYS ID: 90636
VENDOR REFERENCE: MS10-061
CVE REFERENCE: CVE-2010-2729
CVSS SCORES: Base 10 / Temporal 7.8
THREAT: The Print Spooler service manages the printing process. A remote code execution vulnerability exists in the Windows Print Spooler service that could allow an unauthenticated attacker to execute arbitrary code on an affected Windows XP system. This is an elevation of privilege vulnerability on all other supported Microsoft Windows systems.

Microsoft has released a security update that addresses the vulnerability by correcting the manner in which the Print Spooler service validates user permissions.

This security update is rated Critical for all supported editions of Windows XP, and Important for all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

IMPACT: The vulnerability could allow remote code execution if an attacker sends a specially crafted print request to a vulnerable system that has a print spooler interface exposed over RPC.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 1 and Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems

Windows 7 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS10-061 for further details.

Workarounds:
1) Block ports associated with RPC at the firewall

Impact of workaround #1: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function.

2) Disable printer sharing

Impact of workaround #2: Remote users will not be able to print to the affected printer.

Refer to Microsoft Security Bulletin MS10-061 to obtain detailed instructions on applying the workarounds.


Microsoft Windows MPEG-4 Codec Remote Code Execution Vulnerability (MS10-062)
SEVERITY: Critical (4)
QUALYS ID: 90641
VENDOR REFERENCE: MS10-062
CVE REFERENCE: CVE-2010-0818
CVSS SCORES: Base 4.4 / Temporal 3.4
THREAT: MPEG-4 is an International Standards Organization (ISO) specification that covers many aspects of multimedia presentation, including compression, authoring and delivery.

A remote code execution vulnerability exists in the way that the MPEG-4 codec handles supported format files. The MPEG-4 codec included with Windows Media codec does not properly handle specially crafted media files that use MPEG-4 video encoding. (CVE-2010-0818)

The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content.

Microsoft has released a security update that addresses the vulnerability by modifying the way that the MPEG-4 codec handles specially crafted media content.

This security update is rated Critical for all supported editions of Windows XP, Windows Server 2003 (except Itanium-based editions), Windows Vista, and Windows Server 2008 (except Itanium-based editions). Itanium-based editions of Windows Server 2003 and Windows Server 2008, and all supported editions of Windows 7 and Windows Server 2008 R2, are not affected by the vulnerability.

IMPACT: An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Vista Service Pack 1 and Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Refer to Microsoft Security Bulletin MS10-062 for further details.

Workaround:
Restrict access to the MPEG-4 version 1 codec

Impact of the workaround: Files encoded in MPEG-4 version 1 format will not play in applications, such as Windows Media Player, that use the MPEG-4 codec.

Refer to Microsoft Security Bulletin MS10-062 for detailed instructions on applying the workarounds.


Microsoft Windows and Office Unicode Scripts Processor Remote Code Execution Vulnerability (MS10-063)
SEVERITY: Critical (4)
QUALYS ID: 90640
VENDOR REFERENCE: MS10-063
CVE REFERENCE: CVE-2010-2738
CVSS SCORES: Base 9.3 / Temporal 7.3
THREAT: The new Unicode Script Processor (USP10.DLL), also known as Uniscribe, is a collection of APIs that enables a text layout client to format complex scripts. The Unicode Script Processor is exposed to a remote code execution vulnerability.

The vulnerability exists in affected versions of Microsoft Windows and Microsoft Office. The vulnerability exists because Windows and Office incorrectly parse specific font types. (CVE-2010-2738)

The vulnerability could allow remote code execution if a user views a specially crafted document or Web page with an application that supports embedded OpenType fonts.

Microsoft has released a security update that addresses the vulnerability by correcting the way that Windows parses specific characteristics of OpenType fonts.

This security update is rated Critical for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, and Important for Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2007.

IMPACT: An attacker who successfully exploits this vulnerability could run arbitrary code as the logged-on user.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 1 and Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Microsoft Office XP Service Pack 3

Microsoft Office 2003 Service Pack 3

Microsoft Office 2007 Service Pack 2

Refer to Microsoft Security Bulletin MS10-063 for further details.

Workaround:
1) Modify the Access Control List (ACL) on usp10.dll to be more restrictive.

Impact of workaround #1: Firefox may not load. Some fonts may not render properly.

2) Disable support for parsing embedded fonts in Internet Explorer

Impact of workaround #2: Web pages that make use of embedded font technology will fail to display properly.


Microsoft Outlook Remote Code Execution Vulnerability (MS10-064)
SEVERITY: Critical (4)
QUALYS ID: 110131
VENDOR REFERENCE: MS10-064
CVE REFERENCE: CVE-2010-2728
CVSS SCORES: Base 9.3 / Temporal 6.9
THREAT: Microsoft Outlook is prone to a remote code execution vulnerability because it does not properly parse a specially crafted email message.

Microsoft has released a security update that addresses the vulnerability by correcting the way that Microsoft Outlook parses content in a specially crafted email message.

This security update is rated Critical for all supported editions of Microsoft Outlook 2002 and is rated Important for all supported editions of Microsoft Outlook 2003 and Microsoft Outlook 2007.

IMPACT: An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Office XP Service Pack 3 (Microsoft Outlook 2002 Service Pack 3)

Microsoft Office 2003 Service Pack 3 (Microsoft Outlook 2003 Service Pack 3)

Microsoft Office 2007 Service Pack 2 (Microsoft Outlook 2007 Service Pack 2)

Refer to Microsoft Security Bulletin MS10-064 for further details.

Workaround:
To help protect yourself from the e-mail attack vector, read e-mail messages in plain text format.

Impact of the workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content.


Microsoft Internet Information Services (IIS) Remote Code Execution Vulnerabilities (MS10-065)
SEVERITY: Critical (4)
QUALYS ID: 86916
VENDOR REFERENCE: MS10-065
CVE REFERENCE: CVE-2010-1899, CVE-2010-2730, CVE-2010-2731
CVSS SCORES: Base 9.3 / Temporal 6.9
THREAT: Microsoft IIS is a Web server application with a set of feature extension modules that run on Windows operating systems.

A denial of service vulnerability exists in Internet Information Services (IIS) that could allow an attacker who successfully exploits this vulnerability to interrupt service, causing the server to become unresponsive. (CVE-2010-1899)

A remote code execution vulnerability exists in Internet Information Services (IIS) that an attacker could exploit by sending specially crafted HTTP requests to IIS servers with FastCGI enabled. (CVE-2010-2730)

An elevation of privilege vulnerability exists in Internet Information Services (IIS). An attacker who successfully exploits this vulnerability could bypass the need to authenticate to access restricted resources. (CVE-2010-2731)

Microsoft has released a security update that addresses the vulnerabilities by modifying the way that IIS handles specially crafted HTTP requests.

This security update is rated Important for IIS 5.1, IIS 6.0, IIS 7.0, and IIS 7.5.

IMPACT: Successfully exploiting these vulnerabilities might allow a remote attacker to cause denial-of-service conditions, execute arbitrary code, or gain escalated privileges.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3 (Internet Information Services 5.1)

Windows XP Professional x64 Edition Service Pack 2 (Internet Information Services 6.0)

Windows Server 2003 Service Pack 2 (Internet Information Services 6.0)

Windows Server 2003 x64 Edition Service Pack 2 (Internet Information Services 6.0)

Windows Server 2003 with SP2 for Itanium-based Systems (Internet Information Services 6.0)

Windows Vista Service Pack 1 and Windows Vista Service Pack 2 (Internet Information Services 7.0)

Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2 (Internet Information Services 7.0)

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Internet Information Services 7.0)

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Internet Information Services 7.0)

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 (Internet Information Services 7.0)

Windows 7 for 32-bit Systems (Internet Information Services 7.5)

Windows 7 for x64-based Systems (Internet Information Services 7.5)

Windows Server 2008 R2 for x64-based Systems (Internet Information Services 7.5)

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS10-065.

Workarounds:
1) Temporarily disable ASP on the IIS server

Impact of workaround #1: ASP pages will no longer work.

2) Disable FastCGI

Impact of workaround #2: Modules that depend on FastCGI will no longer work.

3) Install the URL Rewrite module

4) Install and Use URLScan

Refer to Microsoft Security Bulletin MS10-065 to obtain detailed instructions on applying the workarounds.


Microsoft Windows Remote Procedure Call Remote Code Execution Vulnerability (MS10-066)
SEVERITY: Critical (4)
QUALYS ID: 90637
VENDOR REFERENCE: MS10-066
CVE REFERENCE: CVE-2010-2567
CVSS SCORES: Base 9.3 / Temporal 6.9
THREAT: Microsoft Remote Procedure Call (RPC) is a network programming standard.

An unauthenticated remote code execution vulnerability exists in the way that the Remote Procedure Call (RPC) client implementation allocates memory when parsing specially crafted RPC responses.

Microsoft has released a security update that addresses the vulnerability by correcting the way that the RPC client allocates memory prior to loading RPC responses passed by a remote server.

This security update is rated Important for all supported editions of Windows XP and Windows Server 2003.

IMPACT: Successfully exploiting this vulnerability might allow a remote attacker to execute arbitrary code.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS10-066 for further details.

Workaround:
1) Block ports associated with RPC at the firewall

Impact of workaround #1: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function.


Microsoft WordPad Text Converters Remote Code Execution Vulnerability (MS10-067)
SEVERITY: Critical (4)
QUALYS ID: 90601
VENDOR REFERENCE: MS10-067
CVE REFERENCE: CVE-2010-2563
CVSS SCORES: Base 9.3 / Temporal 7.3
THREAT: WordPad is a basic word processor that is included in Windows.

A remote code execution vulnerability exists in the way that Microsoft WordPad processes memory when parsing a specially crafted Word 97 document.

Microsoft has released a security update that addresses the vulnerability by changing the way that the WordPad Text Converters handle specially crafted files.

This security update is rated Important for all supported editions of Windows XP and Windows Server 2003.

Note: Previously this was an iDefense Exclusive vulnerability with ID:592979.

IMPACT: Successfully exploiting this vulnerability might allow an attacker to execute arbitrary code with the privileges of the current user.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS10-067 for further details.

Workaround:
Disable the WordPad Word 97 text converter by restricting access to the converter file.

Impact of the workaround: Upon implementing the workaround, opening a Word document in WordPad results in WordPad displaying representations of binary data instead of formatted text.

Refer to Microsoft Security Bulletin MS10-067 to obtain additional instructions on applying the workaround.


Microsoft Local Security Authority Subsystem Service Privilege Elevation Vulnerability (MS10-068)
SEVERITY: Critical (4)
QUALYS ID: 90639
VENDOR REFERENCE: MS10-068
CVE REFERENCE: CVE-2010-0820
CVSS SCORES: Base 8.5 / Temporal 6.3
THREAT: Active Directory provides central authentication and authorization services for Windows-based computers. Active Directory Lightweight Directory Services is an independent mode of Active Directory that provides dedicated directory services for applications.

An authenticated elevation of privilege vulnerability exists in Microsoft Windows because the Local Security Authority Subsystem Service improperly handles certain Lightweight Directory Access Protocol (LDAP) messages. The vulnerability exists in implementations of Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service.

Microsoft has released a security update that addresses the vulnerability by correcting the manner in which the Local Security Authority Subsystem Service handles certain LDAP messages.

This security update is rated Important for Active Directory, ADAM, and AD LDS when installed on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.

IMPACT: An attacker who successfully exploits this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3 (Active Directory Application Mode (ADAM))

Windows XP Professional x64 Edition Service Pack 2 (Active Directory Application Mode (ADAM))

Windows Server 2003 Service Pack 2 (Active Directory)

Windows Server 2003 Service Pack 2 (Active Directory Application Mode)

Windows Server 2003 x64 Edition Service Pack 2 (Active Directory)

Windows Server 2003 x64 Edition Service Pack 2 (Active Directory Application Mode)

Windows Server 2003 with SP2 for Itanium-based Systems (Active Directory)

Windows Vista Service Pack 2 (Active Directory Lightweight Directory Service (AD LDS))

Windows Vista x64 Edition Service Pack 2 (Active Directory Lightweight Directory Service (AD LDS))

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Active Directory and Active Directory Lightweight Directory Service (AD LDS))

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Active Directory and Active Directory Lightweight Directory Service (AD LDS))

Windows 7 for 32-bit Systems (Active Directory Lightweight Directory Service (AD LDS))

Windows 7 for x64-based Systems (Active Directory Lightweight Directory Service (AD LDS))

Windows Server 2008 R2 for x64-based Systems (Active Directory and Active Directory Lightweight Directory Service (AD LDS))

Refer to Microsoft Security Bulletin MS10-068 for further details.

Workaround:
Block TCP port 389 at the firewall. This port is used to initiate a connection with the affected component.


Microsoft Windows Client/Server Runtime Subsystem (CSRSS) Elevation of Privilege Vulnerability (MS10-069)
SEVERITY: Serious (3)
QUALYS ID: 90642
VENDOR REFERENCE: MS10-069
CVE REFERENCE: CVE-2010-1891
CVSS SCORES: Base 4.3 / Temporal 3.2
THREAT: Microsoft CSRSS (Client/Server Runtime Subsystem) is an essential Windows subsystem. The CSRSS is responsible for console windows and for creating and/or deleting threads.

An elevation of privilege vulnerability exists in the Windows CSRSS due to the way that the CSRSS assigns memory for specific user transactions.

Microsoft has released a security update that addresses the vulnerability by correcting the way that the Client/Server Runtime Subsystem (CSRSS) allocates memory when handling certain transactions.

This security update is rated Important for all supported editions of Windows XP and Windows Server 2003.

IMPACT: This issue can be exploited by malicious, local users to gain escalated privileges.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS10-069 for further details.

These new vulnerability checks are included in Qualys vulnerability signatures v1.27.44-4. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 90636
    • 90641
    • 90640
    • 110131
    • 86916
    • 90637
    • 90601
    • 90639
    • 90642
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if QualysGuard is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.


Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102