July 10, 2012
Microsoft Security Bulletin: July 10
Advisory Overview

July 10, 2012 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 16 vulnerabilities present in Microsoft products that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.Please visit our podcast page for patch tuesday prioritization and summary.

Vulnerability Details

Microsoft has released 9 security patches to fix newly discovered flaws in Microsoft Windows. Qualys has released the following checks for these new vulnerabilities:


Microsoft XML Core Services Remote Code Execution Vulnerability (MS12-043 and KB2719615)
SEVERITY: Critical Critical-4 4
QUALYS ID: 90814
VENDOR REFERENCE: KB2719615
CVE REFERENCE: CVE-2012-1889
CVSS SCORES: Base 6.8 | Temporal 5.3
THREAT: Microsoft XML Core Services (MSXML) allows customers who use JScript, Visual Basic Scripting Edition and Microsoft Visual Studio 6.0 to develop XML-based applications that provide interoperability with other applications that adhere to the XML 1.0 standard.

A remote code execution vulnerability exists in the way that Microsoft XML Core Services handles objects in memory. The vulnerability could allow remote code execution if a user views a website that contains specially crafted content. (CVE-2012-1889)

Affected Software:
This security update is rated Critical for Microsoft XML Core Services 3.0, 4.0, and 6.0 on all supported editions of Windows XP, Windows Vista, and Windows 7 and is rated Moderate on all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2; it is also rated Critical for Microsoft XML Core Services 5.0 for all supported editions of Microsoft Office 2003, Microsoft Office 2007, Microsoft Office Word Viewer, Microsoft Office Compatibility Pack, Microsoft Expression Web, Microsoft Office SharePoint Server 2007, and Microsoft Groove Server 2007.

IMPACT: Successfully exploiting this vulnerability might allow a remote attacker to execute arbitrary code.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3 (Microsoft XML Core Services 3.0)

Windows XP Service Pack 3 (Microsoft XML Core Services 4.0)

Windows XP Service Pack 3 (Microsoft XML Core Services 6.0)

Windows XP Professional x64 Edition Service Pack 2 (Microsoft XML Core Services 3.0)

Windows XP Professional x64 Edition Service Pack 2 (Microsoft XML Core Services 4.0)

Windows XP Professional x64 Edition Service Pack 2 (Microsoft XML Core Services 6.0)

Windows Server 2003 Service Pack 2 (Microsoft XML Core Services 3.0)

Windows Server 2003 Service Pack 2 (Microsoft XML Core Services 4.0)

Windows Server 2003 Service Pack 2 (Microsoft XML Core Services 6.0)

Windows Server 2003 x64 Edition Service Pack 2 (Microsoft XML Core Services 3.0)

Windows Server 2003 x64 Edition Service Pack 2 (Microsoft XML Core Services 4.0)

Windows Server 2003 x64 Edition Service Pack 2 (Microsoft XML Core Services 6.0)

Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft XML Core Services 3.0)

Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft XML Core Services 4.0)

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS12-043.

Workaround:
1) Deploy the Enhanced Mitigation Experience Toolkit

2) Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone


Microsoft Internet Explorer Cumulative Security Update (MS12-044)
SEVERITY: Critical Critical-4 4
QUALYS ID: 100118
VENDOR REFERENCE: MS12-044
CVE REFERENCE: CVE-2012-1522 | CVE-2012-1524
CVSS SCORES: Base 9.3 | Temporal 6.9
THREAT: Microsoft Internet Explorer is a Web browser available for Microsoft Windows.

Internet Explorer is prone to multiple vulnerabilities that could allow remote code execution.

Microsoft has released a security update that addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory.

This security update is rated Critical for Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 9 on Windows servers.

IMPACT: Successfully exploiting this vulnerability could cause execution of arbitrary code.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows Vista Service Pack 2 (Internet Explorer 9)

Windows Vista x64 Edition Service Pack 2 (Internet Explorer 9)

Windows Server 2008 for 32-bit Systems Service Pack 2 (Internet Explorer 9)

Windows Server 2008 for x64-based Systems Service Pack 2 (Internet Explorer 9)

Windows 7 for 32-bit Systems (Internet Explorer 9)

Windows 7 for 32-bit Systems Service Pack 1 (Internet Explorer 9)

Windows 7 for x64-based Systems (Internet Explorer 9)

Windows 7 for x64-based Systems Service Pack 1 (Internet Explorer 9)

Windows Server 2008 R2 for x64-based Systems (Internet Explorer 9)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Internet Explorer 9)

Refer to Microsoft Security Bulletin MS12-044 for further details. Workaround:
Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.

Configure IE to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones; add trusted sites to the IE trusted sites zone.

Note: Disabling or restricting scripting can severely impact the usability of the browser.


Microsoft Data Access Components Remote Code Execution Vulnerability (MS12-045)
SEVERITY: Urgent Urgent-5 5
QUALYS ID: 90817
VENDOR REFERENCE: MS12-045
CVE REFERENCE: CVE-2012-1891
CVSS SCORES: Base 10 | Temporal 7.4
THREAT: Microsoft Data Access Components (MDAC) is a collection of components that make it easy for programs to access databases and then to manipulate the data within them.

A remote code execution vulnerability exists in the way that Microsoft Data Access Components accesses an object in memory that has been improperly initialized. (CVE-2012-1891)

Affected Software:
Microsoft Data Access Components 2.8 Service Pack 1
- Windows XP Service Pack 3
Microsoft Data Access Components 2.8 Service Pack 2
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
Windows Data Access Components 6.0
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for Itanium-based Systems
- Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

This security update is rated Critical.

IMPACT: An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: N/A

Microsoft Visual Basic for Applications Remote Code Execution Vulnerability (MS12-046)
SEVERITY: Critical Critical-4 4
QUALYS ID: 110184
VENDOR REFERENCE: MS12-046
CVE REFERENCE: CVE-2012-0003 | CVE-2012-0004
CVSS SCORES: Base 9.3 | Temporal 7.3
THREAT: Microsoft VBA is a development technology for developing client desktop packaged applications and integrating them with existing data and systems. Microsoft VBA is based on the Microsoft Visual Basic development system. Microsoft Office products include VBA and make use of VBA to perform certain functions. VBA can also be used to build customized applications around an existing host application.

The security update addresses the vulnerability by correcting how Microsoft Visual Basic for Applications loads external libraries.
This security update is rated Important for all supported versions of Microsoft Visual Basic for Applications SDK and third-party applications that use Microsoft Visual Basic for Applications.

IMPACT: The vulnerability could allow remote code execution if a user opens a legitimate Microsoft Office file (such as a .docx file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
SOLUTION: N/A

Microsoft Windows Kernel-Mode Drivers Elevation of Privilege Vulnerability (MS12-047)
SEVERITY: Critical Critical-4 4
QUALYS ID: 90816
VENDOR REFERENCE: MS12-047
CVE REFERENCE: CVE-2012-1890 | CVE-2012-1893
CVSS SCORES: Base 10 | Temporal 7.4
THREAT: The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.

An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver handles specific keyboard layouts. (CVE-2012-1890)

An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly validates parameters when creating a hook procedure. (CVE-2012-1893)

Affected Software:
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

This security update is rated Important.

IMPACT: An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS12-047.


Microsoft Windows Shell Remote Code Execution Vulnerability (MS12-048)
SEVERITY: Critical Critical-4 4
QUALYS ID: 90818
VENDOR REFERENCE: MS12-048
CVE REFERENCE: CVE-2012-0175
CVSS SCORES: Base 9.3 | Temporal 6.9
THREAT: Microsoft Windows is prone to a vulnerability that may allow remote code execution if a user opens a file or directory with a specially crafted name.

Microsoft has released a security update that addresses the vulnerabilities by modifying the way that Windows handles files and directories with specially crafted names.

This security update is rated Important for all supported releases of Microsoft Windows.

IMPACT: Successfully exploiting this vulnerability might allow an attacker to execute arbitrary code.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS12-048.


Microsoft Windows TLS Information Disclosure Vulnerability (MS12-049)
SEVERITY: Serious Serious-3 3
QUALYS ID: 90815
VENDOR REFERENCE: MS12-049
CVE REFERENCE: CVE-2012-1870
CVSS SCORES: Base 4.3 | Temporal 3.4
THREAT: Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are cryptographic protocols that provide communication security over the Internet.

This security update resolves a publicly disclosed vulnerability in TLS. The security update addresses the vulnerability by modifying the way that the Windows Secure Channel (SChannel) and the Cryptography API: Next Generation (CNG) components handle encrypted network packets.

Affected Versions:-
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7

This security update is rated Important for all supported releases of Microsoft Windows.

IMPACT: The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. All cipher suites that do not use CBC mode are not affected.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS12-049.


Microsoft SharePoint Privilege Escalation Vulnerability (MS12-050)
SEVERITY: Critical Critical-4 4
QUALYS ID: 110185
VENDOR REFERENCE: MS12-050
CVE REFERENCE: CVE-2012-1858 | CVE-2012-1859 | CVE-2012-1860 | CVE-2012-1861 | CVE-2012-1862 | CVE-2012-1863
CVSS SCORES: Base 9.3 | Temporal 7.7
THREAT: Microsoft SharePoint is prone to multiple vulnerabilities that could allow an attacker to conduct privilege escalation attacks.

Microsoft has released a security update that addresses the vulnerabilities by modifying the way that HTML strings are sanitized and by correcting the way that Microsoft SharePoint validates and sanitizes user input.

This security update is rated Important for supported editions of Microsoft InfoPath 2007, Microsoft InfoPath 2010, Microsoft SharePoint Server 2007, Microsoft SharePoint Server 2010, and Microsoft Groove Server 2010; and for supported versions of Microsoft Windows SharePoint Services 3.0 and SharePoint Foundation 2010.

IMPACT: Exploitation could result in elevation of privilege or information disclosure.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft InfoPath 2007 Service Pack 2

Microsoft InfoPath 2007 Service Pack 2

Microsoft InfoPath 2007 Service Pack 3

Microsoft InfoPath 2007 Service Pack 3

Microsoft InfoPath 2010

Microsoft InfoPath 2010

Microsoft InfoPath 2010 Service Pack 1

Microsoft InfoPath 2010 Service Pack 1

Microsoft InfoPath 2010

Microsoft InfoPath 2010

Microsoft InfoPath 2010 Service Pack 1

Microsoft InfoPath 2010 Service Pack 1

Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions) (Microsoft Office SharePoint Server 2007 Service Pack 2 )

Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions) (Microsoft Office SharePoint Server 2007 Service Pack 2 )/a>

Microsoft Office SharePoint Server 2007 Service Pack 3 (32-bit editions) (Microsoft Office SharePoint Server 2007 Service Pack 3 )

Microsoft Office SharePoint Server 2007 Service Pack 3 (32-bit editions) (Microsoft Office SharePoint Server 2007 Service Pack 3 )

Microsoft Office SharePoint Server 2007 Service Pack 2 (64-bit editions) (Microsoft Office SharePoint Server 2007 Service Pack 2 )

Microsoft Office SharePoint Server 2007 Service Pack 2 (64-bit editions) (Microsoft Office SharePoint Server 2007 Service Pack 2 )

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS12-050.


Microsoft Office for Mac Could Allow Elevation of Privileges (MS12-051)
SEVERITY: Critical Critical-4 4
QUALYS ID: 110186
VENDOR REFERENCE: MS12-051
CVE REFERENCE: CVE-2012-1894
CVSS SCORES: Base 4.1 | Temporal 3
THREAT: Microsoft Office for Macintosh is a proprietary suite of Office applications.

An elevation of privilege vulnerability exists in the way that folder permissions are set in certain Microsoft Office for Mac installations.
This security update is rated Important

Affected Version:
Microsoft Office 2011 for Mac

IMPACT: Successful exploitation allows elevation of privilege or information disclosure.
SOLUTION: Patch:
Following link is a patch to fix the vulnerability:

Microsoft Office 2011 for Mac

Workaround:
The following workaround would not correct the underlying vulnerability but would help block known attack vectors before you apply the update.

Remove write permission from others in affected folders.

/usr/bin/sudo /bin/chmod -R -P o-w /Library/Internet\ Plug-Ins/ SharePointWebKitPlugin. webplugin/
/usr/bin/sudo /bin/chmod -R -P o-w /Library/Internet\ Plug-Ins/ SharePointBrowserPlugin. plugin/
/usr/bin/sudo /bin/chmod -R -P o-w /Library/Fonts/Microsoft/
/usr/bin/sudo /bin/chmod -R -P o-w /Library/Automator/
/usr/bin/sudo /bin/chmod -R -P o-w /Applications/Microsoft\ Office\ 2011/

This new vulnerability check is included in Qualys vulnerability signatures 2.2.169-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 are available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 90814
    • 100118
    • 90817
    • 110184
    • 90816
    • 90818
    • 90815
    • 110185
    • 110186
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.


Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/