Microsoft security alert.
October 12, 2004
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 21 vulnerabilities that were fixed in 10 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 10 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft RPC Runtime Library Denial of Service (MS04-029)
- Severity
- Critical 4
- Qualys ID
- 90190
- Vendor Reference
- MS04-029
- CVE Reference
- CVE-2004-0569
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
- An information disclosure and denial of service vulnerability exists when the Microsoft RPC Runtime Library processes specially crafted messages. For more details, refer to Microsoft Security Bulletin MS04-029.
- Consequence
- An attacker who successfully exploits this vulnerability could potentially read portions of active memory and cause the affected system to stop responding.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows NT Server 4.0 Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=AE32474A-CB72-4044-B97F-A2BAD2CD5D97
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6: http://www.microsoft.com/downloads/details.aspx?FamilyId=80A543A6-9D5E-4954-80CD-F706F9B284BA
Refer to Microsoft Security Bulletin MS04-029 for further details.
-
WebDAV XML Message Handler Denial of Service (MS04-030)
- Severity
- Critical 4
- Qualys ID
- 90188
- Vendor Reference
- MS04-030
- CVE Reference
- CVE-2003-0718
- CVSS Scores
- Base 5 / Temporal 3.9
- Description
- A denial of service vulnerability exists that could allow an attacker to send a specially crafted WebDAV request to a server that is running IIS and WebDAV.
- Consequence
-
An attacker could cause WebDAV to consume all available memory and CPU time on an affected server. The IIS service would have to be restarted to restore functionality.
The vulnerability can only be exploited remotely if an attacker can establish a Web session with an affected server.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=D2C632A7-CD43-466C-A624-D841905CE181
Microsoft Windows XP and Microsoft Windows XP Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=6A338C59-3693-4A25-B823-431A5C21A4B7
Microsoft Windows XP 64 Bit Edition Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=0412A361-28C5-45F7-9853-BCDC9D7B2B97
Microsoft Windows XP 64 Bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=1F9CA027-B0B8-47DC-BB96-8709E3DB0DF2
Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=81CE104D-5257-447C-A2CD-D4D149581D71
Microsoft Windows Server 2003 64 Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=1F9CA027-B0B8-47DC-BB96-8709E3DB0DF2
Refer to Microsoft Security Bulletin MS04-030 for further details.
-
Vulnerability in NetDDE Could Allow Remote Code Execution (MS04-031)
- Severity
- Urgent 5
- Qualys ID
- 90184
- Vendor Reference
- MS04-031
- CVE Reference
- CVE-2004-0206
- CVSS Scores
- Base 7.5 / Temporal 6.2
- Description
-
The Microsoft Windows Network Dynamic Data Exchange (NetDDE) service is designed to facilitate communication between applications over a network. This technology has been replaced by the Distributed Component Object Model (DCOM) and is present on Windows computers to support legacy software. NetDDE is not enabled by default.
Microsoft Windows NetDDE is affected by a remote buffer overflow vulnerability. This issue is due to a failure of the application to properly verify the lengths of strings contained within unspecified network messages prior to copying them into finite buffers. The problem presents itself when the affected service receives a malicious network message.
- Consequence
- A remote attacker can exploit this vulnerability to achieve denial of service.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows NT Server 4.0 Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=A5CA71B6-8A5E-4AA9-B34E-7CE5B304CFAC
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6: http://www.microsoft.com/downloads/details.aspx?FamilyId=0A584B37-291C-4B63-971E-FB35CC361B13
Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=80FE311A-B446-43D0-9614-B93112E28294
Microsoft Windows XP and Microsoft Windows XP Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=C6EB8FB6-6AAE-48BC-9E4F-271F81361AE0
Microsoft Windows XP 64 Bit Edition Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=7754DB47-5D9E-4652-8634-ECF7B9D6786C
Microsoft Windows XP 64 Bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=0C73C1B4-0E12-49F9-BAB7-606B07BFF569
Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=01CFA2F4-19B2-4771-8377-FB633C5BF464
Microsoft Windows Server 2003 64 Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=0C73C1B4-0E12-49F9-BAB7-606B07BFF569
Refer to Microsoft Security Bulletin MS04-031 for further details.
-
Microsoft Windows Multiple Vulnerabilities (MS04-032)
- Severity
- Urgent 5
- Qualys ID
- 90186
- Vendor Reference
- MS04-032
- CVE Reference
- CVE-2004-0207, CVE-2004-0208, CVE-2004-0209, CVE-2004-0211
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
- Microsoft security bulletin MS04-032 addresses multiple vulnerabilities.
- Consequence
- These vulnerabilities can be exploited to cause remote code execution, denial of service, and/or privilege escalation.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows NT Server 4.0 Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=533AE5CD-74CE-470A-8916-8E358084497C
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6: http://www.microsoft.com/downloads/details.aspx?FamilyId=3B871A96-5F64-4432-920F-FA5760DF683A
Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=4A614222-BA0B-4927-856D-D443BBBE1A42
Microsoft Windows XP and Microsoft Windows XP Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=715E985B-7929-4BD5-9564-5CFE7D528398
Microsoft Windows XP 64 Bit Edition Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=99184841-70A8-47C7-9993-44A60E999A40
Microsoft Windows XP 64 Bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=B4E6BBCF-F5B9-4B2D-8BC4-30911CA4FD9C
Microsoft Windows Server 2003 64 Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=B4E6BBCF-F5B9-4B2D-8BC4-30911CA4FD9C
Refer to Microsoft Security Bulletin MS04-032 for further details.
-
Microsoft Excel Remote Code Execution (MS04-033)
- Severity
- Urgent 5
- Qualys ID
- 90187
- Vendor Reference
- MS04-033
- CVE Reference
- CVE-2004-0846
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
- A remote code execution vulnerability exists in Microsoft Excel. This issue occurs because the application fails to validate certain parameters while opening Excel files.
- Consequence
- If a user is logged on with administrative privileges, an attacker who successfully exploits this vulnerability could take complete control of the affected system.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Software Service Pack 3: http://www.microsoft.com/downloads/details.aspx?FamilyId=B0C40C24-4DDE-45AF-8433-6DBDDD030C30
Microsoft Office XP Software Service Pack 2: http://www.microsoft.com/downloads/details.aspx?FamilyId=5E0FADD3-1554-4C43-9B4A-D5E031478892
Microsoft Office 2001 for Mac: http://www.microsoft.com/downloads/details.aspx?FamilyId=9889BEAE-4771-415D-8070-3E51F4CC7AE3
Microsoft Office v. X for Mac: http://www.microsoft.com/downloads/details.aspx?FamilyId=148E9283-4DF8-4A75-9671-CC72E6306B84
Refer to Microsoft Security Bulletin MS04-033 for further details.
-
Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution (MS04-034)
- Severity
- Urgent 5
- Qualys ID
- 90183
- Vendor Reference
- MS04-034
- CVE Reference
- CVE-2004-0575
- CVSS Scores
- Base 10 / Temporal 7.8
- Description
-
The Microsoft Compressed (zipped) Folders feature allows files and folders to be stored in a compressed format.
A buffer overflow vulnerability has been reported to exist in the way that the Compressed (zipped) Folders feature processes compressed files. If the Compressed (zipped) Folder feature processes a malformed compressed file, an internal buffer will be overrun allowing attacker-supplied code to be executed on the system in the security context of the current user. This vulnerability can reportedly also be exploited through HTML email messages or other means that will let an attacker send a malicious file to an unsuspecting user.
- Consequence
- If a user is logged on with administrative privileges, an attacker who successfully exploits this vulnerability could take complete control of an affected system. Attacks may include installing programs; viewing, changing, or deleting data; and creating new accounts with full privileges.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows XP and Microsoft Windows XP Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=6B70BA00-56D1-4314-8F53-F8355A6861D3
Microsoft Windows XP 64 Bit Edition Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=3F6896F3-F055-438D-93CE-CD15F37264CB
Microsoft Windows XP 64 Bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=4B63EF24-D0E4-4005-8E23-2F5EC24BE63F
Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=0903569E-7F3D-4846-A1DC-78734E77D3A9
Microsoft Windows Server 2003 64 Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=4B63EF24-D0E4-4005-8E23-2F5EC24BE63F
Refer to Microsoft Security Bulletin MS04-034 for further details.
-
Microsoft Windows SMTP Component Remote Code Execution (MS04-035)
- Severity
- Critical 4
- Qualys ID
- 74167
- Vendor Reference
- MS04-035
- CVE Reference
- CVE-2004-0840
- CVSS Scores
- Base 10 / Temporal 7.4
- Description
- A remote code execution vulnerability exists in the Windows Server 2003 SMTP component because of the way that it handles Domain Name System (DNS) lookups. An attacker could exploit the vulnerability by causing the server to process a particular DNS response that allows remote code execution.
- Consequence
- An attacker who successfully exploits this vulnerability could take complete control of an affected system.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows XP 64 Bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=b53e890d-7d6a-4bb4-8e28-15d661014288
Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=d7767455-1ca0-49ea-8f71-76da5d451a07
Microsoft Windows Server 2003 64 Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=b53e890d-7d6a-4bb4-8e28-15d661014288
Microsoft Exchange Server 2003 when installed on Microsoft Windows 2000 Service Pack 3 or Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=313BEC77-0845-46D4-BB43-06C792ADB2EA
Microsoft Exchange 2000 Server Service Pack 3: http://www.microsoft.com/downloads/details.aspx?FamilyId=EDADF98A-0D26-401B-BCB7-E199477A75C2
Refer to Microsoft Security Bulletin MS04-035 for further details.
-
Microsoft NNTP Remote Code Execution Vulnerability (MS04-036)
- Severity
- Urgent 5
- Qualys ID
- 90185
- Vendor Reference
- MS04-036
- CVE Reference
- CVE-2004-0574
- CVSS Scores
- Base 10 / Temporal 7.8
- Description
- A remote code execution vulnerability exists in the Network News Transfer Protocol (NNTP) component of affected operating systems.
- Consequence
- An attacker who successfully exploits this vulnerability could take complete control of an affected system.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows NT Server 4.0 Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=0126B7AC-9C78-45C5-8AC7-E0E8CA4B6DEE
Microsoft Windows 2000 Server Service Pack 3 and Microsoft Windows 2000 Server Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=54A86560-4A0C-4E2F-A137-D8EE905A674A
Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=DCB1CB73-A426-40D8-BD14-B458C7915815
Microsoft Windows Server 2003 64 Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=1A8C4D7A-2F85-4CDD-8CC9-E2E1817403DF
Refer to Microsoft Security Bulletin MS04-036 for further details.
-
Windows Shell Remote Code Execution (MS04-037)
- Severity
- Urgent 5
- Qualys ID
- 90189
- Vendor Reference
- MS04-037
- CVE Reference
- CVE-2004-0214, CVE-2004-0572
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
-
A remote code execution vulnerability exists in the way that the Windows Shell starts applications. An attacker could exploit this vulnerability by enticing an unsuspecting user to visit a malicious Web site. If the user is logged on with administrative privileges, an attacker could take complete control of an affected system.
A remote code execution vulnerability exists in the Program Group Converter because of the way that it handles specially crafted requests. An attacker could exploit this vulnerability by constructing a malicious request that allows remote code execution if a user performed an action such as opening a file attachment or clicking an HTML link. If the user is logged on with administrative privileges, an attacker could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.
- Consequence
- By successfully exploiting this issue, an attacker may take complete control of an affected system. The attacker may access the remote shell with administrator privileges.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows NT Server 4.0 Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=F8046E83-E151-4AAF-80CB-AD4F31C02EAC
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6: http://www.microsoft.com/downloads/details.aspx?FamilyId=2DCC6C99-509D-41A5-A3C7-CAC017D633E1
Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=846E7479-133B-45D7-AA69-D9257F1BE178
Microsoft Windows XP and Microsoft Windows XP Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=FB93CB07-3A7E-444C-B083-324FC9049B94
Microsoft Windows XP 64 Bit Edition Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=FF84BCBE-D1E5-4402-8CE4-F8D9966C79D0
Microsoft Windows XP 64 Bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=AB91C7FF-2547-455E-9A6D-82B09373495F
Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=5C60CA12-0045-42B7-9F2A-6D433DEDC105&
Microsoft Windows Server 2003 64 Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=AB91C7FF-2547-455E-9A6D-82B09373495F
Refer to Microsoft Security Bulletin MS04-037 for further details.
-
Microsoft Internet Explorer Multiple Vulnerabilities (MS04-038)
- Severity
- Urgent 5
- Qualys ID
- 100018
- Vendor Reference
- MS04-038
- CVE Reference
- CVE-2004-0216, CVE-2004-0727, CVE-2004-0839, CVE-2004-0841, CVE-2004-0842, CVE-2004-0843, CVE-2004-0844, CVE-2004-0845
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
-
Microsoft Security Update 834707 mentioned in Microsoft Security Bulletin MS04-038 is not installed. This update fixes the following issues:
1. CSS Heap Memory Corruption Vulnerability - CAN-2004-0842
2. Similar Method Name Redirection Cross Domain Vulnerability - CAN-2004-0727
3. Install Engine Vulnerability - CAN-2004-0216
4. Drag and Drop Vulnerability - CAN-2004-0839
5. Address Bar Spoofing on Double Byte Character Set Systems Vulnerability - CAN-2004-0844
6. Plug-in Navigation Address Bar Spoofing Vulnerability - CAN-2004-0843
7. Script in Image Tag File Download Vulnerability - CAN-2004-0841
8. SSL Caching Vulnerability - CAN-2004-0845
- Consequence
- The consequences of these issues vary from information disclosure to remote code execution. Refer to Microsoft Security Bulletin MS04-038 for more details.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Internet Explorer 5.01 Service Pack 3 on Windows 2000 SP3: http://www.microsoft.com/downloads/details.aspx?FamilyId=2D8E8E97-4946-4994-924B-1FB1DC1881BA&displaylang=en
Internet Explorer 5.01 Service Pack 4 on Windows 2000 SP4: http://www.microsoft.com/downloads/details.aspx?FamilyId=72DBE239-AF0A-42B5-B88C-A00371F6EC81&displaylang=en
Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Me: http://www.microsoft.com/downloads/details.aspx?FamilyId=BE27F77C-3C2D-45F1-86DF-2B71799DA169&displaylang=en
Internet Explorer 6 on Windows XP: http://www.microsoft.com/downloads/details.aspx?FamilyId=A89CFBE8-C299-415D-A9D6-7CC6429C547D&displaylang=en
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 3, on Microsoft Windows 2000 Service Pack 4, on Microsoft Windows XP, or on Microsoft Windows XP Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=7C1404E6-F5D4-4FED-9573-DD83F2DFF074&displaylang=en
Internet Explorer 6 Service Pack 1 on Microsoft Windows NT Server 4.0 Service Pack 6a, on Microsoft Windows NT Server 4.0 Terminal Service Edition Service Pack 6, on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Me: http://www.microsoft.com/downloads/details.aspx?FamilyId=DE8D94C4-7F58-4CE7-B8BD-51CFD795B03E&displaylang=en
Internet Explorer 6 for Windows XP Service Pack 1 (64 Bit Edition): http://www.microsoft.com/downloads/details.aspx?FamilyId=C05103E8-4402-4D54-BA03-FBBC24142E4D&displaylang=en
Internet Explorer 6 for Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=19E69E5F-9C98-49AD-A61F-4F82A4014412&displaylang=en
Internet Explorer 6 for Windows Server 2003 64 Bit Edition and Windows XP 64 Bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=566C2A05-2513-4E30-A3EA-87D4BF7F9730&displaylang=en
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS04-038.
These new vulnerability checks are included in Qualys vulnerability signature 1.9.52-5. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 90190
- 90188
- 90184
- 90186
- 90187
- 90183
- 74167
- 90185
- 90189
- 100018
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.