Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 19 vulnerabilities that were fixed in 7 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Microsoft has released 7 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft Excel 2000):
http://www.microsoft.com/downloads/details.aspx?FamilyId=5F101D03-C0A7-41E0-95A4-A12AFB356D5F
Microsoft Office XP Service Pack 3 (Microsoft Excel 2002):
http://www.microsoft.com/downloads/details.aspx?FamilyId=29596861-D9F0-4A10-9E1C-CDA75DDE017D
Microsoft Office 2003 Service Pack 2 (Microsoft Excel 2003):
http://www.microsoft.com/downloads/details.aspx?FamilyId=9567C583-556F-4379-80BA-3E0C8993C04C
Microsoft Office 2003 Service Pack 2 (Microsoft Excel 2003 Viewer):
http://www.microsoft.com/downloads/details.aspx?FamilyId=3C7F18AC-24BB-41CF-B8DA-997706FDC44C
2007 Microsoft Office System (Microsoft Office Excel 2007):
http://www.microsoft.com/downloads/details.aspx?FamilyId=CED9F11B-CE48-47A3-9288-BD11B80F3D85
2007 Microsoft Office System (Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats):
http://www.microsoft.com/downloads/details.aspx?FamilyId=50A7924F-DB51-438A-B27D-37E40A471E60
Microsoft Office 2004 for Mac:
http://www.microsoft.com/mac
Refer to Microsoft Security Bulletin MS07-023 for further details.
Microsoft Office 2000 Service Pack 3 (Microsoft Word 2000):
http://www.microsoft.com/downloads/details.aspx?FamilyId=F25020F5-17C7-4A60-9088-944FFACB5F19
Microsoft Office XP Service Pack 3 (Microsoft Word 2002):
http://www.microsoft.com/downloads/details.aspx?FamilyId=0FE4F405-A568-4F15-B2C6-02D4A4B58E43
Microsoft Office 2003 Service Pack 2 (Microsoft Word 2003):
http://www.microsoft.com/downloads/details.aspx?FamilyId=6870245D-4618-4504-BFFC-878635267059
Microsoft Office 2003 Service Pack 2 (Microsoft Word Viewer 2003):
http://www.microsoft.com/downloads/details.aspx?FamilyId=24547C65-C29A-4D0A-A015-F3F08B24331F
Microsoft Works Suites (Microsoft Works Suite 2004):
http://www.microsoft.com/downloads/details.aspx?FamilyId=0FE4F405-A568-4F15-B2C6-02D4A4B58E43
Microsoft Works Suites (Microsoft Works Suite 2005):
http://www.microsoft.com/downloads/details.aspx?FamilyId=0FE4F405-A568-4F15-B2C6-02D4A4B58E43
Microsoft Works Suites (Microsoft Works Suite 2006):
http://www.microsoft.com/downloads/details.aspx?FamilyId=0FE4F405-A568-4F15-B2C6-02D4A4B58E43
Microsoft Office 2004 for Mac:
http://www.microsoft.com/mac
Refer to Microsoft Security Bulletin MS07-024 for further details.
Microsoft Office 2000 Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A693C271-4B94-4541-953A-0A2DB4587B23
Microsoft Office XP Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=CB291AD9-348A-4C28-BEC7-53D2F35D0B72
Microsoft Office 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=819857CC-3777-4E4A-9CC3-685FC079A254
2007 Microsoft Office System:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A3DC8E3F-90DD-4D0C-88B8-2EC88FF3A588
Microsoft Office 2004 for Mac:
http://www.microsoft.com/mac
Refer to Microsoft Security Bulletin MS07-025 for further details.
Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post Service Pack 3 Update Rollup of August 2004:
http://www.microsoft.com/downloads/details.aspx?FamilyId=21968843-4A81-4F1D-8207-5B0A710E3157
Microsoft Exchange Server 2003 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5E7939BE-73D1-461C-8C79-EDDB0F1459FC
Microsoft Exchange Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=1ABF93DA-D765-4876-96B5-ACB2D2A48F8F
Microsoft Exchange Server 2007:
http://www.microsoft.com/downloads/details.aspx?FamilyId=356874EF-C9C0-4842-99F0-E449E9940358
Refer to Microsoft Security Bulletin MS07-026 for further details.
Windows XP Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
May 2007 Microsoft Windows XP Embedded Supplement Update Now Available on the ECE (KB931768)
Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=67AE3381-16B2-4B34-B95C-69EE7D58B357
Microsoft Internet Explorer 6 Service Pack 1 when installed on Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=03FC8E0C-DEC5-48D1-9A34-3B639F185F7D
Microsoft Internet Explorer 6 for Windows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=EFC6BE04-0D6B-4639-8485-DA1525F6BC52
Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A077BE20-C379-4386-B478-80197A4A4ABC
Microsoft Internet Explorer 6 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D249089D-BB8E-4B86-AB8E-18C52844ACB2
Microsoft Internet Explorer 6 for Windows Server 2003 with SP1 for Itanium based Systems and Windows Server 2003 with SP2 for Itanium based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D52C0AFD-CC3A-4A5C-B91B-E006D497BC26
Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=94B83BDD-2BD1-43E4-BABF-68135D253293
Windows Internet Explorer 7 for Windows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7A778D93-9D85-4217-8CC0-5C494D954CA0
Windows Internet Explorer 7 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=29938ED4-F8BB-4793-897C-966BA7F4830C
Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0F173D60-6FD0-4C92-BB2A-A7A78707E35F
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS07-027.
A remote code execution vulnerability exists in CAPICOM Certificates because of the way certain data inputs are handled. CAPICOM Certificates is an ActiveX control that provides scripters (VBS, ASP, ASP.NET, etc.) with a method for encrypting data based on secure underlying Windows CryptoAPI functionality.
Note: For compatibility with custom and third-party applications, the patch provided by Microsoft does not remove or overwrite the vulnerable CAPICOM.dll. Refer to the Microsoft README file that comes with the patch for the manual post-patch steps to follow for the patch to install successfully.
Microsoft has rated this issue as Critical.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS07-028 BizTalk Server 2004 Service Pack 1
MS07-028 BizTalk Server 2004 Service Pack 2
MS07-028 CAPICOM
MS07-028 Platform SDK Redistributable: CAPICOM
A stack-based buffer overrun exists in the Remote Procedure Call (RPC) Management Interface in the Windows Domain Name System (DNS) Server service. A remote attacker could exploit the vulnerability by sending a specially crafted RPC packet to an affected system.
Windows 2000 Server and Windows Server 2003 are affected.
This was previously a zero-day detection.
Microsoft Windows 2000 Server Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=d9de0480-5fa9-4974-a82f-5d89056484c4
Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=dfb5eaca-788b-475c-9817-491f0b7cf295
Microsoft Windows Server 2003 with SP1 for Itanium based Systems and Microsoft Windows Server 2003 with SP2 for Itanium based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=d4ce0aa8-46ac-446c-b1e3-ff76f1311610
Microsoft Windows Server 2003 x64 Edition and Microsoft Windows Server 2003 x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=e7a7b46b-775d-4912-8119-3ab9a95d775a
Refer to Microsoft Security Bulletin MS07-029 for further details.
These new vulnerability checks are included in Qualys vulnerability signature 1.17.47-5. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
To perform a selective vulnerability scan, configure a scan profile to use the following options:
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
For more information, customers may contact Qualys Technical Support.