Microsoft security alert.
May 8, 2007
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 19 vulnerabilities that were fixed in 7 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 7 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
Microsoft Excel Remote Code Execution Vulnerability (MS07-023)
- Severity: Critical 4
- Qualys ID: 110058
- Vendor Reference: MS07-023
- CVE Reference: CVE-2007-0214, CVE-2007-0215, CVE-2007-1203
- CVSS Scores: Base 9.3 / Temporal 7.7
- Description: Microsoft Excel has a vulnerability that exists when Excel handles files using malformed BIFF records, specially-crafted set font values, and filter records.
- Consequence: This vulnerability may be exploited with the use of specially-crafted Excel files. If successfully exploited, this vulnerability could lead to remote code execution.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft Excel 2000):
http://www.microsoft.com/downloads/details.aspx?FamilyId=5F101D03-C0A7-41E0-95A4-A12AFB356D5F
Microsoft Office XP Service Pack 3 (Microsoft Excel 2002):
http://www.microsoft.com/downloads/details.aspx?FamilyId=29596861-D9F0-4A10-9E1C-CDA75DDE017D
Microsoft Office 2003 Service Pack 2 (Microsoft Excel 2003):
http://www.microsoft.com/downloads/details.aspx?FamilyId=9567C583-556F-4379-80BA-3E0C8993C04C
Microsoft Office 2003 Service Pack 2 (Microsoft Excel 2003 Viewer):
http://www.microsoft.com/downloads/details.aspx?FamilyId=3C7F18AC-24BB-41CF-B8DA-997706FDC44C
2007 Microsoft Office System (Microsoft Office Excel 2007):
http://www.microsoft.com/downloads/details.aspx?FamilyId=CED9F11B-CE48-47A3-9288-BD11B80F3D85
2007 Microsoft Office System (Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats):
http://www.microsoft.com/downloads/details.aspx?FamilyId=50A7924F-DB51-438A-B27D-37E40A471E60
Microsoft Office 2004 for Mac:
http://www.microsoft.com/mac
Refer to Microsoft Security Bulletin MS07-023 for further details.
Microsoft Word Remote Code Execution Vulnerabilities (MS07-024)
- Severity: Critical 4
- Qualys ID: 110055
- Vendor Reference: MS07-024
- CVE Reference: CVE-2007-0035, CVE-2007-0870, CVE-2007-1202
- CVSS Scores: Base 9.3 / Temporal 7.7
- Description: Microsoft Word is susceptible to the following vulnerabilities:
  - A remote code execution vulnerability exists in the way Microsoft Word handles data within an array.
  - A remote code execution vulnerability exists in the way Microsoft Word handles a specially crafted Word Document stream.
  - A remote code execution vulnerability exists in the way Microsoft Word parses certain rich text properties within a file.
- Consequence: If these vulnerabilities are successfully exploited, a remote attacker can execute arbitrary code on vulnerable machines.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft Word 2000):
http://www.microsoft.com/downloads/details.aspx?FamilyId=F25020F5-17C7-4A60-9088-944FFACB5F19
Microsoft Office XP Service Pack 3 (Microsoft Word 2002):
http://www.microsoft.com/downloads/details.aspx?FamilyId=0FE4F405-A568-4F15-B2C6-02D4A4B58E43
Microsoft Office 2003 Service Pack 2 (Microsoft Word 2003):
http://www.microsoft.com/downloads/details.aspx?FamilyId=6870245D-4618-4504-BFFC-878635267059
Microsoft Office 2003 Service Pack 2 (Microsoft Word Viewer 2003):
http://www.microsoft.com/downloads/details.aspx?FamilyId=24547C65-C29A-4D0A-A015-F3F08B24331F
Microsoft Works Suites (Microsoft Works Suite 2004):
http://www.microsoft.com/downloads/details.aspx?FamilyId=0FE4F405-A568-4F15-B2C6-02D4A4B58E43
Microsoft Works Suites (Microsoft Works Suite 2005):
http://www.microsoft.com/downloads/details.aspx?FamilyId=0FE4F405-A568-4F15-B2C6-02D4A4B58E43
Microsoft Works Suites (Microsoft Works Suite 2006):
http://www.microsoft.com/downloads/details.aspx?FamilyId=0FE4F405-A568-4F15-B2C6-02D4A4B58E43
Microsoft Office 2004 for Mac:
http://www.microsoft.com/mac
Refer to Microsoft Security Bulletin MS07-024 for further details.
Microsoft Office Remote Code Execution Vulnerability (MS07-025)
- Severity: Urgent 5
- Qualys ID: 110059
- Vendor Reference: MS07-025
- CVE Reference: CVE-2007-1747
- CVSS Scores: Base 9.3 / Temporal 7.3
- Description: A remote code execution vulnerability exists in the way Microsoft Office handles specially-crafted drawing objects. An attacker could exploit this vulnerability when Office parses a file and processes a malformed drawing object.
- Consequence: An attacker who successfully exploits this vulnerability could run arbitrary code on the affected system, which could lead to complete control of the affected system.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A693C271-4B94-4541-953A-0A2DB4587B23
Microsoft Office XP Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?FamilyId=CB291AD9-348A-4C28-BEC7-53D2F35D0B72
Microsoft Office 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=819857CC-3777-4E4A-9CC3-685FC079A254
2007 Microsoft Office System:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A3DC8E3F-90DD-4D0C-88B8-2EC88FF3A588
Microsoft Office 2004 for Mac:
http://www.microsoft.com/mac
Refer to Microsoft Security Bulletin MS07-025 for further details.
Microsoft Exchange Multiple Remote Code Execution Vulnerabilities (MS07-026)
- Severity: Urgent 5
- Qualys ID: 90395
- Vendor Reference: MS07-026
- CVE Reference: CVE-2007-0039, CVE-2007-0213, CVE-2007-0220, CVE-2007-0221
- CVSS Scores: Base 10 / Temporal 7.8
- Description: Microsoft Exchange is susceptible to the following vulnerabilities:
  - An information disclosure vulnerability because of the way Outlook Web Access (OWA) handles script-based attachments.
  - A denial of service vulnerability because of the way it handles calendar content requests.
  - A remote code execution vulnerability because of the way it decodes specially-crafted email messages.
  - A denial of service vulnerability because of the way it handles invalid IMAP requests.
- Consequence: An attacker who successfully exploits these vulnerabilities could take complete control of the affected system.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post Service Pack 3 Update Rollup of August 2004:
http://www.microsoft.com/downloads/details.aspx?FamilyId=21968843-4A81-4F1D-8207-5B0A710E3157
Microsoft Exchange Server 2003 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5E7939BE-73D1-461C-8C79-EDDB0F1459FC
Microsoft Exchange Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=1ABF93DA-D765-4876-96B5-ACB2D2A48F8F
Microsoft Exchange Server 2007:
http://www.microsoft.com/downloads/details.aspx?FamilyId=356874EF-C9C0-4842-99F0-E449E9940358
Refer to Microsoft Security Bulletin MS07-026 for further details.
Microsoft Internet Explorer Cumulative Security Update (MS07-027)
- Severity: Urgent 5
- Qualys ID: 100046
- Vendor Reference: MS07-027
- CVE Reference: CVE-2007-0942, CVE-2007-0944, CVE-2007-0945, CVE-2007-0946, CVE-2007-0947, CVE-2007-2221
- CVSS Scores: Base 9.3 / Temporal 7.7
- Description: Multiple vulnerabilities exist in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution.
Windows XP Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
May 2007 Microsoft Windows XP Embedded Supplement Update Now Available on the ECE (KB931768)
- Consequence: If a user is logged on with administrative user rights, an attacker who successfully exploits the most severe of these vulnerabilities could take complete control of an affected system.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=67AE3381-16B2-4B34-B95C-69EE7D58B357
Microsoft Internet Explorer 6 Service Pack 1 when installed on Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=03FC8E0C-DEC5-48D1-9A34-3B639F185F7D
Microsoft Internet Explorer 6 for Windows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=EFC6BE04-0D6B-4639-8485-DA1525F6BC52
Microsoft Internet Explorer 6 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A077BE20-C379-4386-B478-80197A4A4ABC
Microsoft Internet Explorer 6 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D249089D-BB8E-4B86-AB8E-18C52844ACB2
Microsoft Internet Explorer 6 for Windows Server 2003 with SP1 for Itanium based Systems and Windows Server 2003 with SP2 for Itanium based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D52C0AFD-CC3A-4A5C-B91B-E006D497BC26
Microsoft Internet Explorer 6 for Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=94B83BDD-2BD1-43E4-BABF-68135D253293
Windows Internet Explorer 7 for Windows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7A778D93-9D85-4217-8CC0-5C494D954CA0
Windows Internet Explorer 7 for Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=29938ED4-F8BB-4793-897C-966BA7F4830C
Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0F173D60-6FD0-4C92-BB2A-A7A78707E35F
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS07-027.
Microsoft CAPICOM Remote Code Execution Vulnerability (MS07-028)
- Severity: Critical 4
- Qualys ID: 115550
- Vendor Reference: MS07-028
- CVE Reference: CVE-2007-0940
- CVSS Scores: Base 9.3 / Temporal 7.7
- Description: CAPICOM (Cryptographic API Component Object Model) is a Microsoft ActiveX control that provides a COM interface to Microsoft CryptoAPI. It exposes a select set of CryptoAPI functions to enable application developers to easily incorporate digital signing and encryption functionality into their applications.
A remote code execution vulnerability exists in CAPICOM Certificates because of the way certain data inputs are handled. CAPICOM Certificates is an ActiveX control that provides scripters (VBS, ASP, ASP.NET, etc.) with a method for encrypting data based on secure underlying Windows CryptoAPI functionality.
- Consequence: An attacker who successfully exploits this vulnerability could take complete control of the affected system.
- Solution:
Refer to Microsoft Security Bulletin MS07-028 for further details on this vulnerability and patch instructions.
Note: The patch provided by Microsoft does not remove or overwrite the vulnerable CAPICOM.dll, in order to preserve compatibility with custom and third-party applications. Refer to the Microsoft README file that comes with the patch for the manual post-patch steps required for the patch to install successfully.
Microsoft has rated this issue as Critical.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
- MS07-028 BizTalk Server 2004 Service Pack 1
- MS07-028 BizTalk Server 2004 Service Pack 2
- MS07-028 CAPICOM
- MS07-028 Platform SDK Redistributable: CAPICOM
Windows DNS RPC Interface Remote Code Execution Vulnerability (MS07-029)
- Severity: Urgent 5
- Qualys ID: 90394
- Vendor Reference: MS07-029
- CVE Reference: CVE-2007-1748
- CVSS Scores: Base 10 / Temporal 8.3
- Description: Remote Procedure Call (RPC) is a protocol that programs can use to request a service from a program located on another computer in a network.
A stack-based buffer overrun exists in the Remote Procedure Call (RPC) Management Interface in the Windows Domain Name System (DNS) Server service. A remote attacker could exploit the vulnerability by sending a specially-crafted RPC packet to an affected system.
Windows 2000 Server and Windows Server 2003 are affected.
Previously this was a zero day detection.
- Consequence: An attacker who successfully exploits this vulnerability is able to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Server Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?FamilyId=d9de0480-5fa9-4974-a82f-5d89056484c4
Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=dfb5eaca-788b-475c-9817-491f0b7cf295
Microsoft Windows Server 2003 with SP1 for Itanium based Systems and Microsoft Windows Server 2003 with SP2 for Itanium based Systems:
http://www.microsoft.com/downloads/details.aspx?FamilyId=d4ce0aa8-46ac-446c-b1e3-ff76f1311610
Microsoft Windows Server 2003 x64 Edition and Microsoft Windows Server 2003 x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=e7a7b46b-775d-4912-8119-3ab9a95d775a
Refer to Microsoft Security Bulletin MS07-029 for further details.
These new vulnerability checks are included in Qualys vulnerability signature 1.17.47-5. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
  - 110058
  - 110055
  - 110059
  - 90395
  - 100046
  - 115550
  - 90394
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.