Microsoft security alert.
July 11, 2006
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 19 vulnerabilities that were fixed in 7 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 7 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
ASP.NET Could Allow Information Disclosure (MS06-033)
- Severity
- Medium 2
- Qualys ID
- 90330
- Vendor Reference
- MS06-033
- CVE Reference
- CVE-2006-1300
- CVSS Scores
- Base 5 / Temporal 3.9
- Description
- ASP.NET is a collection of technologies within the .NET Framework that allows developers to build Web applications and XML Web services. ASP.NET 2.0 is vulnerable to an information disclosure vulnerability because it does not properly validate the URL passed.
- Consequence
- An attacker could bypass ASP.NET security and gain unauthorized access to objects in the application folders explicitly by name. This could be exploited to produce information that could be used to further compromise the target host.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 (.NET Framework 2.0):
http://www.microsoft.com/downloads/details.aspx?familyid=56A1777B-9758-489F-8BE8-5177AAF488D1
Microsoft Windows XP Service Pack 1 or Windows XP Service Pack 2 (.NET Framework 2.0):
http://www.microsoft.com/downloads/details.aspx?familyid=56A1777B-9758-489F-8BE8-5177AAF488D1
Microsoft Windows XP Professional x64 Edition (.NET Framework 2.0):
http://www.microsoft.com/downloads/details.aspx?familyid=56A1777B-9758-489F-8BE8-5177AAF488D1
Microsoft Windows XP Tablet PC Edition (.NET Framework 2.0):
http://www.microsoft.com/downloads/details.aspx?familyid=56A1777B-9758-489F-8BE8-5177AAF488D1
Microsoft Windows XP Media Center Edition (.NET Framework 2.0):
http://www.microsoft.com/downloads/details.aspx?familyid=56A1777B-9758-489F-8BE8-5177AAF488D1
Microsoft Windows Server 2003 or Windows Server 2003 Service Pack 1 (.NET Framework 2.0):
http://www.microsoft.com/downloads/details.aspx?familyid=56A1777B-9758-489F-8BE8-5177AAF488D1
Microsoft Windows Server 2003 for Itanium-based systems and Microsoft Windows Server with SP1 for Itanium-based Systems (.NET Framework 2.0):
http://www.microsoft.com/downloads/details.aspx?familyid=56A1777B-9758-489F-8BE8-5177AAF488D1
Microsoft Windows Server 2003 x64 Edition (.NET Framework 2.0):
http://www.microsoft.com/downloads/details.aspx?familyid=56A1777B-9758-489F-8BE8-5177AAF488D1
Refer to Microsoft Security Bulletin MS06-033 for further details.
-
Microsoft Internet Information Services Remote Code Execution Vulnerability (MS06-034)
- Severity
- Critical 4
- Qualys ID
- 90328
- Vendor Reference
- MS06-034
- CVE Reference
- CVE-2006-0026
- CVSS Scores
- Base 6.5 / Temporal 5.1
- Description
- Internet Information Services (IIS) is exposed to a remote code execution vulnerability. An attacker could exploit this vulnerability by constructing a specially crafted Active Server Pages (ASP) file. An attacker must have valid logon credentials, but if a server has been purposely configured to allow users, either anonymous or authenticated, to upload Web content such as .ASP pages to Web sites, the server could be exploited by this issue.
- Consequence
- Remote code execution is possible.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows Server 2003 x64 Edition family:
http://www.microsoft.com/downloads/details.aspx?FamilyId=f29c886d-b896-4fcf-a22b-2c1a53b1a9eb
Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=c917d6da-da2d-402c-a870-1de3cbd21ebf
Microsoft Windows XP Professional Service Pack 1 and Microsoft Windows XP Professional Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=55d3ca3a-97fc-4e22-8ecc-9416ebc993c4
Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=4e19b792-7505-4453-b460-5a16915443db
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=c5e274a8-f962-4944-8878-6b88b1592bbf
Microsoft Windows Server 2003 for Itanium based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=e2dc245e-d0f3-41b9-b090-68a2118001cb
Refer to Microsoft Security Bulletin MS06-034 for further details.
-
Microsoft Windows Server Driver Remote Code Execution Vulnerability (MS06-035)
- Severity
- Urgent 5
- Qualys ID
- 90329
- Vendor Reference
- MS06-035
- CVE Reference
- CVE-2006-1314, CVE-2006-1315
- CVSS Scores
- Base 7.5 / Temporal 5.9
- Description
- A heap overflow vulnerability and an information disclosure vulnerability exist in the Mailslot and SMB server drivers respectively. An attacker who successfully exploits these issues could remotely take complete control of an affected system and read information stored in buffers for SMB traffic.
- Consequence
- If successfully exploited, a remote attacker could take complete control of the affected system. The attacker could then install programs; view, change, or delete data; and create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=b207020d-90f7-4c41-8304-06af0ded6467
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=2592a44c-82fb-4ccd-82a6-fcac7ca33172
Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=b0f67167-7ede-4355-af6f-50c6615f6bbd
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=48f03ad7-38f9-48f4-bbfc-14c52e9c942a
Microsoft Windows Server 2003 for Itanium based Systems and Microsoft Windows Server 2003 with SP1 for Itanium based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=41a4a07f-bea3-48d6-b8d2-d7a5600d7179
Microsoft Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=dfbf3fa6-9e11-48b4-894d-5436693d17f7
Refer to Microsoft Security Bulletin MS06-035 for further details.
-
Microsoft Windows DHCP Client Service Remote Code Execution Vulnerability (MS06-036)
- Severity
- Urgent 5
- Qualys ID
- 90327
- Vendor Reference
- MS06-036
- CVE Reference
- CVE-2006-2372
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
- A remote code execution vulnerability exists in Windows DHCP Client Service due to an unchecked buffer. An attacker could exploit the vulnerability by answering a DHCP request on the local subnet with a specially crafted DHCP response, and could take complete control of an affected system.
- Consequence
- If successfully exploited, a remote attacker could take complete control of the affected system. The attacker could then install programs; view, change, or delete data; and create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7a04fae4-6914-4ffa-b0ec-61b912d47873
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=bf08cc28-b359-4b27-99b2-342f832cdecc
Microsoft Windows XP Professional x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=49b0da03-73a7-462a-9dc2-2eb5405e2505
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=2978c3d2-59e3-4dd4-8323-b1b2f9dfa7a5
Microsoft Windows Server 2003 for Itanium based Systems and Microsoft Windows Server 2003 with SP1 for Itanium based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=01e7bbbd-dfb6-4524-aa35-39323b210aa4
Microsoft Windows Server 2003 x64 Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=d68730a7-bb7c-477a-a2a4-991629fc1402
Refer to Microsoft Security Bulletin MS06-036 for further details.
-
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (MS06-037)
- Severity
- Critical 4
- Qualys ID
- 110034
- Vendor Reference
- MS06-037
- CVE Reference
- CVE-2006-1301, CVE-2006-1302, CVE-2006-1304, CVE-2006-1306, CVE-2006-1308, CVE-2006-1309, CVE-2006-2388, CVE-2006-3059
- CVSS Scores
- Base 9.3 / Temporal 8.1
- Description
-
This update resolves several newly discovered vulnerabilities in Microsoft Excel. At least one of these issues is being actively exploited. Vulnerabilities include:
- Microsoft Excel Malformed SELECTION record Vulnerability - CVE-2006-1301
- Microsoft Excel Malformed SELECTION record Vulnerability - CVE-2006-1302
- Microsoft Excel Malformed COLINFO record Vulnerability - CVE-2006-1304
- Microsoft Excel Malformed OBJECT Record Vulnerability - CVE-2006-1306
- Microsoft Excel Malformed FNGROUPCOUNT Value Vulnerability - CVE-2006-1308
- Microsoft Excel Malformed LABEL record Vulnerability - CVE-2006-1309
- Microsoft Excel Rebuilding Vulnerability - CVE-2006-2388
- Microsoft Excel Malformed file Vulnerability - CVE-2006-3059
- Consequence
- An attacker who successfully exploits these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2003 Service Pack 1 or Service Pack 2 (Microsoft Excel 2003):
http://www.microsoft.com/downloads/details.aspx?FamilyId=5788518C-0FB3-4381-BB42-BCA71A4FD646
Microsoft Office 2003 Service Pack 1 or Service Pack 2 (Microsoft Excel Viewer 2003):
http://www.microsoft.com/downloads/details.aspx?FamilyId=779666AB-CCD1-47A1-8A5A-B288A5204369
Microsoft Office XP Service Pack 3 (Microsoft Excel 2002):
http://www.microsoft.com/downloads/details.aspx?FamilyId=0828F77F-BE33-4913-B68D-6A375D5FE130
Microsoft Office 2000 Service Pack 3 (Microsoft Excel 2000):
http://www.microsoft.com/downloads/details.aspx?FamilyId=D8A2AD6D-582C-4185-ADE1-671D2128D3EE
Microsoft Office 2004 for Mac (Microsoft Excel 2004 for Mac):
http://www.microsoft.com/mac/
Microsoft Office v. X for Mac (Microsoft Excel v. X for Mac):
http://www.microsoft.com/mac/
Refer to Microsoft Security Bulletin MS06-037 for further details.
-
Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (MS06-038)
- Severity
- Critical 4
- Qualys ID
- 110035
- Vendor Reference
- MS06-038
- CVE Reference
- CVE-2006-1316, CVE-2006-1318, CVE-2006-1540, CVE-2006-2389
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
This update resolves several newly discovered, privately reported and public vulnerabilities. Vulnerabilities include:
- Microsoft Office Parsing Vulnerability - CVE-2006-1316
- Microsoft Office Malformed String Parsing Vulnerability - CVE-2006-1540
- Microsoft Office Property Vulnerability - CVE-2006-2389
- Consequence
- An attacker could take complete control of the client workstation if the user is logged in to a vulnerable version of Microsoft Office with administrative rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2003 Service Pack 1 or Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B11AC6B-4A78-4A7B-995F-94738CAFE27F
Microsoft Office XP Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=266C287E-A773-4D9C-9736-EEAFB34FF893
Microsoft Office 2000 Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=776FF379-0B9D-45D5-8B3C-CF9A4BD25DAE
Microsoft Project 2002 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=BF9CBFA6-5E91-4AA8-82C1-4C9A92A5B954
Microsoft Visio 2002 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9F67D75A-B69D-4064-942C-F5515C920E6B
Microsoft Project 2000 Service Release 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5C28E38A-F323-4006-BEED-A00840CAFBCE
Refer to Microsoft Security Bulletin MS06-038 for further details.
-
Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (MS06-039)
- Severity
- Critical 4
- Qualys ID
- 110036
- Vendor Reference
- MS06-039
- CVE Reference
- CVE-2006-0007, CVE-2006-0033
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
This update resolves two recently discovered vulnerabilities related to the handling of malformed image files. Vulnerabilities include:
- Microsoft Office Remote Code Execution Using a Malformed PNG Vulnerability - CVE-2006-0033
- Microsoft Office Remote Code Execution Using a Malformed GIF Vulnerability - CVE-2006-0007
- Consequence
- An attacker could take complete control of the client workstation if the user is logged in to a vulnerable version of Microsoft Office with administrative rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2003 Service Pack 1 or Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=66C15CD1-A33B-4EB4-9D90-87DECF053768
Microsoft Works Suites (Microsoft Works Suite 2004):
http://www.microsoft.com/downloads/details.aspx?FamilyId=1506FE89-1753-40AC-BB3E-A053B3EB6260
Microsoft Works Suites (Microsoft Works Suite 2005):
http://www.microsoft.com/downloads/details.aspx?FamilyId=1506FE89-1753-40AC-BB3E-A053B3EB6260
Microsoft Works Suites (Microsoft Works Suite 2006):
http://www.microsoft.com/downloads/details.aspx?FamilyId=1506FE89-1753-40AC-BB3E-A053B3EB6260
Microsoft Office XP Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=1506FE89-1753-40AC-BB3E-A053B3EB6260
Microsoft Office 2000 Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9B0A1795-DA76-4935-AA90-E6AEDC0CDE6B
Microsoft Project 2002:
http://www.microsoft.com/downloads/details.aspx?FamilyId=2194EC63-582E-4E64-B71F-99918BF14FFA
Microsoft Project 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=42493E0C-91DE-49B0-B5B7-2214D55DE079
Refer to Microsoft Security Bulletin MS06-039 for further details.
These new vulnerability checks are included in Qualys vulnerability signature 1.14.96-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
- 90330
- 90328
- 90329
- 90327
- 110034
- 110035
- 110036
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.