Microsoft security alert.
November 14, 2006
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 13 vulnerabilities that were fixed in 6 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 6 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Client Service for NetWare Multiple Remote Code Execution Vulnerabilities (MS06-066)
- Severity
- Critical 4
- Qualys ID
- 90363
- Vendor Reference
- MS06-066
- CVE Reference
- CVE-2006-4688, CVE-2006-4689
- CVSS Scores
- Base 7.5 / Temporal 5.9
- Description
-
Client Service for NetWare (CSNW) on Windows is exposed to multiple security isssues. There is a remote code execution vulnerability in CSNW that could allow an attacker who successfully exploits this vulnerability to take complete control of the affected system. There is also a denial of service vulnerability in CSNW that could allow an attacker to send a specially-crafted network message to an affected system running the Client Service for NetWare service. An attacker could cause the system to stop responding.
Please note that this is a patch detection; the target system may or may-not be exploitable.
- Consequence
- As a result, a remote attacker can gain complete control of a vulnerable machine.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=3cf0b0d1-ff07-40ac-a6ac-44dc4a54f91eMicrosoft Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=2f54258f-1071-467b-80a2-e4dbfc050667Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=f23574f7-4033-45ac-8ad8-6cced2ee9285Refer to Micrsoft Security Bulletin MS06-066 for further details.
-
Cumulative Security Update for Internet Explorer (MS06-067)
- Severity
- Urgent 5
- Qualys ID
- 100038
- Vendor Reference
- MS06-067
- CVE Reference
- CVE-2006-4446, CVE-2006-4687, CVE-2006-4777
- CVSS Scores
- Base 7.6 / Temporal 6.6
- Description
-
A vulnerability exists in Internet Explorer due to a memory corruption error in the Microsoft Multimedia Controls ActiveX control (daxctle.ocx) in the "CPathCtl::KeyFrame()" function. This issue can be exploited by tricking a user into viewing a malicious HTML document passing specially-crafted arguments to the ActiveX control's "KeyFrame()" method. Another vulnerability addressed in this update comes from the way Internet Explorer interprets HTML with certain layout combinations.
Note: This QID was reported previously as a zero day vulnerability by the service.
- Consequence
- Successful exploitation of these issues allows a complete compromise of the affected system.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=B743B081-20D4-4C1C-BC86-254D2F653953Microsoft Internet Explorer 6 Service Pack 1 on Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=C65C8EE7-F78D-4D52-A20C-1F896E0DC0A8Microsoft Internet Explorer 6 for Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=EA3CE61C-3A28-4777-9EEF-1486BB483C4FMicrosoft Internet Explorer 6 for Windows XP Professional x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=C535A36F-705E-4663-9EE4-B82632A50F0AMicrosoft Internet Explorer 6 for Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=35EEF49C-E3D7-41EE-82F5-964A3959D453Microsoft Internet Explorer 6 for Windows Server 2003 for Itanium based Systems and Windows Server 2003 with SP1 for Itanium based Systems :
http://www.microsoft.com/downloads/details.aspx?FamilyId=E8E03176-F93B-4DE7-AC95-01F9B1C5409CMicrosoft Internet Explorer 6 for Windows Server 2003 x64 Edition :
http://www.microsoft.com/downloads/details.aspx?familyid=ABE4FE3E-BDB6-44B1-B203-528C67980B8FRefer to Micrsoft Security Bulletin MS06-067 for further details.
-
Microsoft Agent Vulnerability Could Allow Remote Code Execution (MS06-068)
- Severity
- Urgent 5
- Qualys ID
- 90364
- Vendor Reference
- MS06-068
- CVE Reference
- CVE-2006-3445
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
-
Microsoft Agent is software technology that enables an enriched form of user interaction that can make using and learning to use a computer easier.
A vulnerability exists in Microsoft Agent that could allow remote code to be executed via specially-crafted .ACF files.
- Consequence
- An attacker could exploit the vulnerability by constructing a specially-crafted Web page that could potentially allow remote code execution if a user views the Web page. An attacker who successfully exploits this vulnerability could take complete control of an affected system.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=c72ceec8-3e4d-4281-8183-11b724693217Microsoft Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=c16e1607-f396-4113-89f6-1fe89ec54b6aMicrosoft Windows XP Professional x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=b4002a2a-b03e-4428-a26a-84293270d149Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=8f1a3f85-830b-4662-a4cc-8dff9f59aceaMicrosoft Windows Server 2003 for Itanium based Systems and Microsoft Windows Server 2003 with SP1 for Itanium based Systems :
http://www.microsoft.com/downloads/details.aspx?FamilyId=b528f61d-ad54-4bad-b9a0-b650385de216Microsoft Windows Server 2003 x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=3da7ff4a-2389-4ce4-a6bb-b7e02f646b74Refer to Micrsoft Security Bulletin MS06-068 for further details.
-
Adobe Flash Player Multiple Remote Code Execution Vulnerabilities (APSB06-11) (MS06-069)
- Severity
- Urgent 5
- Qualys ID
- 115409
- Vendor Reference
- APSB06-11, MS06-069
- CVE Reference
- CVE-2006-3014, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640
- CVSS Scores
- Base 6.8 / Temporal 5.6
- Description
-
Adobe Flash Player is prone to multiple remote code execution vulnerabilities. The application fails to properly bounds check user-supplied input before copying the input into insufficiently-sized memory buffers. An attacker could exploit this issue by creating a media file containing large, dynamically-generated string data and then submitting it to be processed by the media player. This will cause the application to overwrite system memory at an explicit location.
Adobe Flash Player 8.0.24.0 and earlier versions are vulnerable. Vulnerable versions of Flash Player are also redistributed with Microsoft Windows XP Service Pack 2 and Microsoft Windows XP Professional x64 Edition.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
February 2007 Windows XP Embedded Updates Now Available on the ECE (KB923789)
- Consequence
- The successful exploitation of these remote code execution vulnerabilities could lead to race conditions, heap overflow vulnerabilities and stack overflow vulnerabilities. These issues allow remote attackers to execute arbitrary machine code in the context of the user running the application. Other attacks are also possible.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Windows XP Service Pack 2 and Windows XP Service Pack 3 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=93208e57-5f14-4fb2-bc0c-2c4f3c56274aMicrosoft Windows XP Professional x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=93208e57-5f14-4fb2-bc0c-2c4f3c56274aRefer to Microsoft Security Bulletin MS06-069 for further details.
Also refer to Adobe Security Advisory APSB06-11.
-
Workstation Service Vulnerability Could Allow Remote Code Execution (MS06-070)
- Severity
- Urgent 5
- Qualys ID
- 90365
- Vendor Reference
- MS06-070
- CVE Reference
- CVE-2006-4691
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
- A remote code execution vulnerability exists in the Workstation service that could allow an attacker who successfully exploits this vulnerability to take complete control of the affected system.
- Consequence
- An attacker who successfully exploits this vulnerability could gain complete control of the affected system.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=3ad5c57d-d3f6-46a1-8dee-3e16d0977f80Microsoft Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=f4c8e767-4ed2-4e36-aa43-612f3017efc7Refer to Micrsoft Security Bulletin MS06-070 for further details.
-
Microsoft XML Core Services Remote Code Execution Vulnerability (MS06-071)
- Severity
- Critical 4
- Qualys ID
- 90361
- Vendor Reference
- MS06-071
- CVE Reference
- CVE-2006-5745
- CVSS Scores
- Base 7.6 / Temporal 6.6
- Description
-
Microsoft XML Core Services (MSXML) allow developers who use applications such as JScript, Visual Basic Scripting Edition (VBScript), and Microsoft Visual Studio to create XML-based applications. MSXML includes the XMLHTTP ActiveX control, which allows Web pages to transmit or receive XML data via HTTP operations.
A vulnerability exists in the XMLHTTP ActiveX control within Microsoft XML Core Services that could allow for remote code execution. An attacker could exploit the vulnerability by constructing a specially-crafted Web page that could potentially allow remote code execution if a user visited that page or clicked a link in an email message.
Microsoft XML Core Services Versions 4.0 and 6.0 installed on all versions of Windows are affected.
- Consequence
- An attacker who successfully exploits this vulnerability could take complete control of an affected system.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft XML Core Services 6.0 when installed on Windows (all versions) :
http://www.microsoft.com/download/details.aspx?FamilyId=9AE7F4E9-8228-4098-AF71-49C35684C17EMicrosoft XML Core Services 4.0 when installed on Windows (all versions) :
http://www.microsoft.com/download/details.aspx?FamilyId=24B7D141-6CDF-4FC4-A91B-6F18FE6921D4Refer to Micrsoft Security Bulletin MS06-071 for further details.
These new vulnerability checks are included in Qualys vulnerability signature 1.16.5-5. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 90363
- 100038
- 90364
- 115409
- 90365
- 90361
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.