Microsoft security alert.
February 10, 2009
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 8 vulnerabilities that were fixed in 4 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 4 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Internet Explorer Cumulative Security Update (MS09-002)
- Severity
- Critical 4
- Qualys ID
- 100070
- Vendor Reference
- MS09-002
- CVE Reference
- CVE-2009-0075, CVE-2009-0076
- CVSS Scores
- Base 9.3 / Temporal 8.1
- Description
-
Microsoft Internet Explorer is a Web browser for Microsoft Windows.
- A remote code execution exists when Internet Explorer attempts to access an object that has been deleted. (CVE-2009-0075)
- When Internet Explorer displays a maliciously crafted Cascading Style Sheets (CSS), memory could be corrupted that would allow execution of arbitrary code. (CVE-2009-0076)
Internet Explorer Versions 7 and 8 are vulnerable.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
February Security Updates are Now Available (KB961260)
NOTICE: February 2009 Security Updates (KB961260)
- Consequence
- These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Service Pack 2 and Windows XP Service Pack 3 (Windows Internet Explorer 7):
http://www.microsoft.com/download/details.aspx?familyid=8cd902ec-e018-4b61-80f9-825d973f998eWindows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Windows Internet Explorer 7):
http://www.microsoft.com/download/details.aspx?familyid=dd3e2236-9cc0-478e-a46c-981ef685c0e3Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Windows Internet Explorer 7):
http://www.microsoft.com/download/details.aspx?familyid=e52aa1fd-e694-4322-b3ff-6abc1b4a16feWindows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Windows Internet Explorer 7):
http://www.microsoft.com/download/details.aspx?familyid=edbf1566-b96b-4c7d-98fe-b15f8e766792Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Windows Internet Explorer 7):
http://www.microsoft.com/download/details.aspx?familyid=5ce78797-d1c0-40d4-84e1-1004389833beWindows Vista and Windows Vista Service Pack 1 (Windows Internet Explorer 7):
http://www.microsoft.com/download/details.aspx?familyid=5f9fa4b6-85a4-43bc-b84f-6bd847799650Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 (Windows Internet Explorer 7):
http://www.microsoft.com/download/details.aspx?familyid=e9a8c94b-b9d2-4d64-855f-b5f02ce3dfb5Windows Server 2008 for 32-bit Systems (Windows Internet Explorer 7):
http://www.microsoft.com/download/details.aspx?familyid=2491dbf2-7cd3-44f1-bfad-77e6f760a25cWindows Server 2008 for x64-based Systems (Windows Internet Explorer 7):
http://www.microsoft.com/download/details.aspx?familyid=794373cc-2dce-4ef5-af50-7804c622c230Windows Server 2008 for Itanium-based Systems (Windows Internet Explorer 7):
http://www.microsoft.com/download/details.aspx?familyid=11985325-4b33-4077-82cf-6afc7a71c510 Workaround:
CVE-2009-0075, CVE-2009-0076:
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.Impact of the Workaround -
On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.
-
Microsoft Exchange Could Allow Remote Code Execution (MS09-003)
- Severity
- Critical 4
- Qualys ID
- 90478
- Vendor Reference
- MS09-003
- CVE Reference
- CVE-2009-0098, CVE-2009-0099
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft Exchange Server is a messaging and collaborative software product that provides support for electronic mail, calendaring, contacts and tasks, mobile and Web-based access to information, and data storage.
The following vulnerabilities have been reported in Microsoft Exchange Server:
1) A vulnerability exists in the way the Exchange Server decodes the Transport Neutral Encapsulation Format (TNEF) data for a message. This flaw allows a remote attacker to execute arbitrary code by sending a specially crafted TNEF message to the Exchange Server. (CVE-2009-0098)
2) EMSMDB2 (Electronic Messaging System Microsoft Data Base, 32 bit build) is prone to a denial of service vulnerability because it fails to appropriately handle MAPI commands. An attacker can exploit this flaw by sending a specially crafted MAPI command to the application using EMSMDB32 and cause the application to stop responding. (CVE-2009-0099)
Microsoft has rated this issue as Critical.
- Consequence
- Successful exploitation of these vulnerabilities allows an attacker to execute arbitrary code in the context of the application. An attacker could also take complete control of the affected system and could cause the application or any service using the EMSMDB32 provider (such as Microsoft Exchange System Attendant service) to stop responding.
- Solution
-
Workaround:
CVE-2009-0098: The "application/ms-tnef" MIME content type should be blocked to help protect against attempts to exploit this vulnerability through SMTP email.Impact of workaround: Email messages that are formatted as RTF will not be received correctly if TNEF attachments are blocked.
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Exchange 2000 Server Service Pack 3 with the Update Rollup of August 2004:
http://www.microsoft.com/downloads/details.aspx?familyid=805dc856-ea60-477d-be40-6ac535a7e7e5Microsoft Exchange Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=1d9f0956-88bd-4e13-a86b-b1c8d4782f71Microsoft Exchange Server 2007 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=93cb3f66-ae72-4356-bdbf-35029cff6df1Refer to Microsoft Security Bulletin MS09-003 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-003 Microsoft Exchange 2000 Server Service Pack 3 with the Update Rollup of August 2004
MS09-003 Microsoft Exchange Server 2003 Service Pack 2
MS09-003 Microsoft Exchange Server 2007 Service Pack 1
-
Microsoft SQL Server Remote Memory Corruption Vulnerability (MS09-004)
- Severity
- Critical 4
- Qualys ID
- 90475
- Vendor Reference
- MS09-004
- CVE Reference
- CVE-2008-5416
- CVSS Scores
- Base 9 / Temporal 7.4
- Description
-
Microsoft SQL Server is prone to a remote memory corruption vulnerability because it fails to properly handle user-supplied input.
The vulnerability is caused due to a boundary error in the implementation of the "sp_replwritetovarbin()" SQL procedure. It can be exploited to cause a heap-based buffer overflow via specially crafted arguments passed to the affected procedure.
SQL Server 2000, SQL Server 2005 Service Pack 2, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon) are affected by this issue.
Microsoft has rated this issue as Important.
- Consequence
- Successful exploitation may allow execution of arbitrary code with escalated privileges.
- Solution
-
Workaround:
Deny permissions on the "sp_replwritetovarbin" extended stored procedure.Patch:
Following are links for downloading patches to fix the vulnerabilities:(GDR Software Update) SQL Server 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=d5bb816a-6e1a-47cb-92be-51c565ee184c(QFE Software Update) SQL Server 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=a93f3cfe-18c9-4218-a551-13bf415e418a(GDR Software Update) SQL Server 2000 Itanium-based Edition Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=d5bb816a-6e1a-47cb-92be-51c565ee184c(QFE Software Update) SQL Server 2000 Itanium-based Edition Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=a93f3cfe-18c9-4218-a551-13bf415e418a(GDR Software Update) SQL Server 2005 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=5dfb7998-0316-40e5-9fc5-7a1afc18e15e(QFE Software Update) SQL Server 2005 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=aa2b82ca-e94e-4491-8639-f0749b1a0f3a(GDR Software Update) SQL Server 2005 x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=5dfb7998-0316-40e5-9fc5-7a1afc18e15e(QFE Software Update) SQL Server 2005 x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=aa2b82ca-e94e-4491-8639-f0749b1a0f3a(GDR Software Update) SQL Server 2005 with SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=5dfb7998-0316-40e5-9fc5-7a1afc18e15e(QFE Software Update) SQL Server 2005 with SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=aa2b82ca-e94e-4491-8639-f0749b1a0f3a(GDR Software Update) Microsoft SQL Server 2000 Desktop Engine :
http://www.microsoft.com/downloads/details.aspx?familyid=d5bb816a-6e1a-47cb-92be-51c565ee184c(QFE Software Update) Microsoft SQL Server 2000 Desktop Engine :
http://www.microsoft.com/downloads/details.aspx?familyid=a93f3cfe-18c9-4218-a551-13bf415e418aFor a complete list of patch download links, refer to Microsoft Security Bulletin MS09-004.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-004 Microsoft SQL Server 2000 Desktop Engine
MS09-004 Microsoft SQL Server 2000 Desktop Engine
MS09-004 SQL Server 2000 Itanium-based Edition Service Pack 4
MS09-004 SQL Server 2000 Itanium-based Edition Service Pack 4
MS09-004 SQL Server 2000 Service Pack 4
MS09-004 SQL Server 2000 Service Pack 4
MS09-004 SQL Server 2005 Express Edition Service Pack 2
MS09-004 SQL Server 2005 Express Edition Service Pack 2
MS09-004 SQL Server 2005 Express Edition with Advanced Services Service Pack 2
MS09-004 SQL Server 2005 Express Edition with Advanced Services Service Pack 2
MS09-004 SQL Server 2005 Service Pack 2
MS09-004 SQL Server 2005 Service Pack 2
MS09-004 SQL Server 2005 with SP2 for Itanium-based Systems
MS09-004 SQL Server 2005 with SP2 for Itanium-based Systems
MS09-004 SQL Server 2005 x64 Edition Service Pack 2
MS09-004 SQL Server 2005 x64 Edition Service Pack 2
MS09-004 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2(Microsoft SQL Server 2000 Desktop Engine (WMSDE))
MS09-004 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2(Windows Internal Database (WYukon) Service Pack 2)
MS09-004 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2(Microsoft SQL Server 2000 Desktop Engine (WMSDE))
MS09-004 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2(Windows Internal Database (WYukon) x64 Edition Service Pack 2)
MS09-004 Windows Server 2008 for 32-bit Systems(Windows Internal Database (WYukon) Service Pack 2)
MS09-004 Windows Server 2008 for x64-based Systems(Windows Internal Database (WYukon) x64 Edition Service Pack 2)
-
Microsoft Visio Could Allow Remote Code Execution (MS09-005)
- Severity
- Critical 4
- Qualys ID
- 90479
- Vendor Reference
- MS09-005
- CVE Reference
- CVE-2009-0095, CVE-2009-0096, CVE-2009-0097
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft Visio is diagramming software for Microsoft Windows. It uses vector graphics to create diverse diagrams.
Microsoft Office Visio is prone to the following vulnerabilities that result in remote code execution:
1) A vulnerability exists in the way Microsoft Office Visio validates object data while opening up Visio files which causes validation errors. (CVE-2009-0095)
2) A memory corruption vulnerability exists when Microsoft Office Visio copies object data in memory. (CVE-2009-0096)
3) A memory corruption vulnerability exists in the way Microsoft Office Visio handles memory when opening up Visio files. (CVE-2009-0097)
All the above vulnerabilities can be exploited by attackers via a specially crafted file that is included as an email attachment, or hosted on a specially crafted Web site.
Microsoft has rated this issue as Important.
- Consequence
- Successful exploitation of these vulnerabilities allows an attacker to run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Workaround:
CVE-2009-0095, CVE-2009-0096, CVE-2009-0097: Do not open Visio files that are received from untrusted sources or that are received unexpectedly from trusted sources.Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Office Visio 2002 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=a30cef3f-9eaf-45bd-9a25-4b65302362cbMicrosoft Office Visio 2003 Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?familyid=c9cb589e-1a37-485d-8402-7f42bcd7a1a9Microsoft Office Visio 2007 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=4b711e89-8de2-4f17-8afc-691e0604ff82Refer to Microsoft Security Bulletin MS09-005 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-005 Microsoft Office Visio 2002 Service Pack 2
MS09-005 Microsoft Office Visio 2003 Service Pack 3
MS09-005 Microsoft Office Visio 2007 Service Pack 1
These new vulnerability checks are included in Qualys vulnerability signature 1.22.129-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100070
- 90478
- 90475
- 90479
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.