February 12, 2013
Microsoft Security Bulletin: February 12
Advisory Overview

February 12, 2013 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 45 vulnerabilities that were fixed in 12 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription. Please visit our podcast page for Patch Tuesday prioritization and summary.

Vulnerability Details

Microsoft has released 12 security bulletins to fix newly discovered flaws in Microsoft Windows. Qualys has released the following checks for these new vulnerabilities:


Microsoft Internet Explorer Remote Code Execution Vulnerability (MS13-009)
SEVERITY: Urgent (5)
QUALYS ID: 100136
VENDOR REFERENCE: MS13-009
CVE REFERENCE: CVE-2013-0015
CVSS SCORES: Base 9.3 | Temporal 7.3
THREAT: Internet Explorer is a graphical web browser developed by Microsoft and included as part of the Microsoft Windows operating systems.

Microsoft Internet Explorer is prone to a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted. These vulnerabilities may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Microsoft has released a security update that addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory.

This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on Windows servers.

IMPACT: The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3 (Internet Explorer 6)

Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 6)

Windows Server 2003 Service Pack 2 (Internet Explorer 6)

Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 6)

Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 6)

Windows XP Service Pack 3 (Internet Explorer 7)

Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 7)

Windows Server 2003 Service Pack 2 (Internet Explorer 7)

Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 7)

Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 7)

Windows Vista Service Pack 2 (Internet Explorer 7)

Windows Vista x64 Edition Service Pack 2 (Internet Explorer 7)

Windows Server 2008 for 32-bit Systems Service Pack 2 (Internet Explorer 7)

Windows Server 2008 for x64-based Systems Service Pack 2 (Internet Explorer 7)

Windows Server 2008 for Itanium-based Systems Service Pack 2 (Internet Explorer 7)

Windows XP Service Pack 3 (Internet Explorer 8)

Workaround:
1. Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
2. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone


Microsoft Vector Markup Language Remote Code Execution Vulnerability (MS13-010)
SEVERITY: Urgent (5)
QUALYS ID: 100137
VENDOR REFERENCE: MS13-010
CVE REFERENCE: CVE-2013-0030
CVSS SCORES: Base 9.3 | Temporal 6.9
THREAT: A remote code execution vulnerability exists in the way that Internet Explorer handles objects in memory. When VML buffers are allocated, specially crafted data may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. (CVE-2013-0030)
Affected Software:
Internet Explorer 6:
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems

Internet Explorer 7:
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2

Internet Explorer 8:
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Internet Explorer 9:
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1

Internet Explorer 10:
Windows 8 for 32-bit Systems
Windows 8 for 64-bit Systems
Windows Server 2012
Windows RT
IMPACT: An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3 (Internet Explorer 6)

Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 6)

Windows Server 2003 Service Pack 2 (Internet Explorer 6)

Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 6)

Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 6)

Windows XP Service Pack 3 (Internet Explorer 7)

Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 7)

Windows Server 2003 Service Pack 2 (Internet Explorer 7)

Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 7)

Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 7)

Windows Vista Service Pack 2 (Internet Explorer 7)

Windows Vista x64 Edition Service Pack 2 (Internet Explorer 7)

Windows Server 2008 for 32-bit Systems Service Pack 2 (Internet Explorer 7)

Windows Server 2008 for x64-based Systems Service Pack 2 (Internet Explorer 7)

Windows Server 2008 for Itanium-based Systems Service Pack 2 (Internet Explorer 7)

Windows XP Service Pack 3 (Internet Explorer 8)

Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 8)

Windows Server 2003 Service Pack 2 (Internet Explorer 8)

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-010.


Microsoft Windows Media Decompression Remote Code Execution Vulnerability (MS13-011)
SEVERITY: Urgent (5)
QUALYS ID: 90860
VENDOR REFERENCE: MS13-011
CVE REFERENCE: CVE-2013-0077
CVSS SCORES: Base 9.3 | Temporal 7.3
THREAT: Microsoft DirectShow is used for streaming media on Microsoft Windows operating systems. Microsoft DirectX is a feature of the Windows operating system used for streaming media to enable graphics and sound when playing games or watching video.

A vulnerability exists when Microsoft DirectShow fails to handle specially crafted media content.

Microsoft has released a security update that addresses the vulnerability by correcting the way that DirectShow handles specially crafted media content.

This security update is rated Critical for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

IMPACT: Exploitation could lead to remote code execution.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3 (Quartz.dll (DirectShow))

Windows XP Professional x64 Edition Service Pack 2 (Quartz.dll (DirectShow))

Windows Server 2003 Service Pack 2 (Quartz.dll (DirectShow))

Windows Server 2003 x64 Edition Service Pack 2 (Quartz.dll (DirectShow))

Windows Server 2003 with SP2 for Itanium-based Systems (Quartz.dll (DirectShow))

Windows Vista Service Pack 2 (Quartz.dll (DirectShow))

Windows Vista x64 Edition Service Pack 2 (Quartz.dll (DirectShow))

Windows Server 2008 for 32-bit Systems Service Pack 2 (Quartz.dll (DirectShow))

Windows Server 2008 for x64-based Systems Service Pack 2 (Quartz.dll (DirectShow))

Windows Server 2008 for Itanium-based Systems Service Pack 2 (Quartz.dll (DirectShow))

Refer to Microsoft Security Bulletin MS13-011 for further details.

Workaround:
1) Modify the Access Control List (ACL) on quartz.dll

Impact of workaround #1: Windows Media Player will not be able to play .avi or .wav files.

2) Unregister quartz.dll

Impact of workaround #2: Windows Media Player will not be able to play .avi or .wav files.


Microsoft Exchange Server Remote Code Execution Vulnerability (MS13-012)
SEVERITY: Critical (4)
QUALYS ID: 74264
VENDOR REFERENCE: MS13-012
CVE REFERENCE: CVE-2013-0418,CVE-2013-0393
CVSS SCORES: Base 6.8 | Temporal 5.3
THREAT: Microsoft Exchange Server is a messaging and collaborative software product that provides support for electronic mail, calendaring, contacts and tasks, mobile and Web-based access to information, and data storage.

This security update resolves publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe vulnerabilities are in Microsoft Exchange Server WebReady Document Viewing and could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA).

Two vulnerabilities exist in Microsoft Exchange Server through the WebReady Document Viewing feature. The WebReady service parses files using the Oracle Outside In libraries in order to provide a preview of the document in the browser. The vulnerabilities are caused when WebReady Document Viewer is used to preview a specially crafted file.

This security update is rated Critical for Microsoft Exchange Server 2007 Service Pack 3, and Microsoft Exchange Server 2010 Service Pack 2.

IMPACT: An attacker could send an email message containing a specially crafted file to a user on an affected version of Exchange. The vulnerabilities could be exploited when the user previews the specially crafted file in the browser.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Exchange Server 2007 Service Pack 3

Microsoft Exchange Server 2010 Service Pack 2

Refer to Microsoft Security Bulletin MS13-012 for further details.

Workaround:
1. Disable WebReady document view
Log in to the Exchange Management Shell as an Exchange Organization Administrator.
Issue the following PowerShell command:
Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010'} | Set-OwaVirtualDirectory -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False

Impact of workaround: OWA users may not be able to preview the content of email attachments.


Microsoft FAST Search Server 2010 for SharePoint Remote Code Execution Vulnerability (MS13-013)
SEVERITY: Critical (4)
QUALYS ID: 90863
VENDOR REFERENCE: MS13-013
CVE REFERENCE: CVE-2012-3214,CVE-2012-3217
CVSS SCORES: Base 6.8 | Temporal 5
THREAT: Advanced Filter Pack is a FAST Search Server 2010 for SharePoint feature that enables text and metadata extraction from several hundred file formats, complementing the document formats that are supported by the Microsoft Filter Pack.

Remote code execution vulnerabilities exist in FAST Search Server 2010 for SharePoint with the Advanced Filter Pack enabled. The vulnerabilities exist in the way that the Oracle Outside In libraries, used by the Advanced Filter Pack, parse specially crafted files.

By default, Advanced Filter Pack in FAST is disabled.

Microsoft has released a security update that addresses the vulnerabilities by updating the affected Oracle Outside In libraries to a non-vulnerable version.

This security update is rated Important for supported editions of FAST Search Server 2010 for SharePoint.

IMPACT: An attacker who successfully exploited these vulnerabilities could run arbitrary code in the context of a user account with a restricted token.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft FAST Search Server 2010 for SharePoint Service Pack 1

Refer to Microsoft Security Bulletin MS13-013 for further details.

Workaround:
1) Disable the Advanced Filter Pack for FAST Search Server 2010 for SharePoint


Microsoft NFS Server Denial of Service Vulnerability (MS13-014)
SEVERITY: Serious (3)
QUALYS ID: 90861
VENDOR REFERENCE: MS13-014
CVE REFERENCE: CVE-2013-1281
CVSS SCORES: Base 7.1 | Temporal 5.3
THREAT: Network File System (NFS) is an industry standard protocol, defined in RFC 1094, that provides transparent, remote access to shared files across networks.

A denial of service vulnerability exists when the Windows NFS server fails to properly handle a file operation on a read-only share. (CVE-2013-1281)

Affected Software:
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012 (Server Core installation)
IMPACT: An attacker who exploited this vulnerability could cause the affected system to stop responding and restart.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2012

Refer to Microsoft Security Bulletin MS13-014 for further details.


Microsoft .Net Framework Elevation of Privilege Vulnerability (MS13-015)
SEVERITY: Critical (4)
QUALYS ID: 90868
VENDOR REFERENCE: MS13-015
CVE REFERENCE: CVE-2013-0073
CVSS SCORES: Base 9 | Temporal 6.7
THREAT: The Microsoft .NET Framework is a software framework for computers running Microsoft Windows operating systems.

An elevation of privilege vulnerability exists in the way that the .NET Framework elevates the permissions of a callback function when a particular Windows Forms object is created (CVE-2013-0073).

This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5 on affected editions of Microsoft Windows.

IMPACT: Successfully exploiting this vulnerability might allow an attacker to gain escalated privileges.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3 (Microsoft .NET Framework 2.0 Service Pack 2)

Windows XP Service Pack 3 (Microsoft .NET Framework 4)

Windows XP Professional x64 Edition Service Pack 2 (Microsoft .NET Framework 2.0 Service Pack 2)

Windows XP Professional x64 Edition Service Pack 2 (Microsoft .NET Framework 4)

Windows Server 2003 Service Pack 2 (Microsoft .NET Framework 2.0 Service Pack 2)

Windows Server 2003 Service Pack 2 (Microsoft .NET Framework 4)

Windows Server 2003 x64 Edition Service Pack 2 (Microsoft .NET Framework 2.0 Service Pack 2)

Windows Server 2003 x64 Edition Service Pack 2 (Microsoft .NET Framework 4)

Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft .NET Framework 2.0 Service Pack 2)

Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft .NET Framework 4)

Windows Vista Service Pack 2 (Microsoft .NET Framework 2.0 Service Pack 2)

Windows Vista Service Pack 2 (Microsoft .NET Framework 4)

Windows Vista Service Pack 2 (Microsoft .NET Framework 4.5)

Windows Vista x64 Edition Service Pack 2 (Microsoft .NET Framework 2.0 Service Pack 2)

Windows Vista x64 Edition Service Pack 2 (Microsoft .NET Framework 4)

Windows Vista x64 Edition Service Pack 2 (Microsoft .NET Framework 4.5)

Windows Server 2008 for 32-bit Systems Service Pack 2 (Microsoft .NET Framework 2.0 Service Pack 2)

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-015.


Microsoft Windows Kernel-Mode Driver Elevation of Privilege Vulnerability (MS13-016)
SEVERITY: Critical (4)
QUALYS ID: 90867
VENDOR REFERENCE: MS13-016
CVE REFERENCE: CVE-2013-1248,CVE-2013-1249,CVE-2013-1250,CVE-2013-1251,CVE-2013-1252,CVE-2013-1253,CVE-2013-1254,CVE-2013-1255,CVE-2013-1256,CVE-2013-1257,CVE-2013-1258,CVE-2013-1259,CVE-2013-1260,CVE-2013-1261,CVE-2013-1262,CVE-2013-1263,CVE-2013-1264,CVE-2013-1265,CVE-2013-1266,CVE-2013-1267,CVE-2013-1268,CVE-2013-1269,CVE-2013-1270,CVE-2013-1271,CVE-2013-1272,CVE-2013-1273,CVE-2013-1274,CVE-2013-1275,CVE-2013-1276,CVE-2013-1277
CVSS SCORES: Base 6.6 | Temporal 4.9
THREAT: Win32k.sys is a kernel-mode device driver and is the kernel part of the Windows subsystem. Elevation of privilege vulnerabilities exist when the Windows kernel-mode driver improperly handles objects in memory.

The security update addresses the vulnerabilities by correcting the way that the Windows kernel-mode driver handles objects in memory.

This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.

IMPACT: Successfully exploiting these security vulnerabilities could allow an attacker to gain elevated privileges and read arbitrary amounts of kernel memory. An attacker could then run a specially crafted application designed to increase privileges.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for 64-bit Systems

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-016.


Microsoft Windows Kernel Multiple Elevation of Privilege Vulnerabilities (MS13-017)
SEVERITY: Critical (4)
QUALYS ID: 90862
VENDOR REFERENCE: MS13-017
CVE REFERENCE: CVE-2013-1278,CVE-2013-1279,CVE-2013-1280
CVSS SCORES: Base 6.8 | Temporal 5
THREAT: The Windows kernel is the core of the operating system. The kernel provides system-level services such as device management and memory management, allocates processor time to processes and manages error handling.

The Windows kernel is prone to multiple elevation of privilege vulnerabilities because it improperly handles objects in memory (CVE-2013-1278, CVE-2013-1279, CVE-2013-1280).

This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.

IMPACT: Successfully exploiting these vulnerabilities might allow a local user to gain escalated privileges.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for 64-bit Systems

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-017.


Microsoft Windows TCP/IP Denial of Service Vulnerability (MS13-018)
SEVERITY: Serious (3)
QUALYS ID: 90866
VENDOR REFERENCE: MS13-018
CVE REFERENCE: CVE-2013-0075
CVSS SCORES: Base 7.1 | Temporal 5.3
THREAT: TCP/IP is a set of networking protocols that are widely used on the Internet.

A denial of service vulnerability exists in the Windows TCP/IP stack that could cause the target system to stop responding and automatically restart.
The vulnerability is caused when the TCP/IP stack improperly handles a connection termination sequence.

This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows 2012 and Windows RT.

IMPACT: An attacker who successfully exploited this vulnerability could cause the target system to stop responding and automatically restart.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for 64-bit Systems

Windows Server 2012

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems Service Pack 1

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-018.


Microsoft Windows Client-Server Run-time Subsystem Elevation of Privilege Vulnerability (MS13-019)
SEVERITY: Urgent (5)
QUALYS ID: 90865
VENDOR REFERENCE: MS13-019
CVE REFERENCE: CVE-2013-0076
CVSS SCORES: Base 9.3 | Temporal 6.9
THREAT: The Windows Client/Server Runtime Subsystem (CSRSS) is the user-mode portion of the Win32 subsystem (with Win32k.sys being the kernel-mode portion). It is responsible for handling console windows and for creating and/or deleting threads. It is an essential subsystem that must be running at all times.

An elevation of privilege vulnerability exists when the Windows CSRSS improperly handles objects in memory. (CVE-2013-0076)

Affected Software:
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
IMPACT: An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows 7 for 32-bit Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Refer to Microsoft Security Bulletin MS13-019 for further details.


Microsoft OLE Automation Remote Code Execution Vulnerability (MS13-020)
SEVERITY: Urgent (5)
QUALYS ID: 90864
VENDOR REFERENCE: MS13-020
CVE REFERENCE: CVE-2013-1313
CVSS SCORES: Base 9.3 | Temporal 6.9
THREAT: Microsoft Object Linking and Embedding (OLE) Automation is a Windows protocol that allows an application to share data with or to control another application.

A remote code execution vulnerability is caused by the way that OLE Automation parses a specially crafted file.
The security update addresses the vulnerability by correcting the manner in which OLE Automation parses files.

This security update is rated Critical for Windows XP Service Pack 3.

IMPACT: An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 3

Refer to Microsoft Security Bulletin MS13-020 for further details.

This new vulnerability check is included in Qualys vulnerability signatures 2.2.356-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 100136
    • 100137
    • 90860
    • 74264
    • 90863
    • 90861
    • 90868
    • 90867
    • 90862
    • 90866
    • 90865
    • 90864
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if QualysGuard is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.


Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102