Microsoft security alert.
March 10, 2009
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 8 vulnerabilities that were fixed in 3 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 3 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Windows Kernel Vulnerability Could Allow Remote Code Execution (MS09-006)
- Severity
- Urgent 5
- Qualys ID
- 90484
- Vendor Reference
- MS09-006
- CVE Reference
- CVE-2009-0081, CVE-2009-0082, CVE-2009-0083
- CVSS Scores
- Base 9.3 / Temporal 7.3
- Description
-
The Windows kernel is the core of the operating system that handles device management and memory management, allocates processor time to processes, and manages error handling.
The following security vulnerabilities exist in the Windows kernel:
- The Windows kernel is prone to a remote code execution vulnerability that is caused due to improper input validation of data passed from user mode through the kernel component of GDI. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted EMF or WMF image file. (CVE-2009-0081)
- The Windows kernel is prone to a privilege elevation vulnerability that is caused because it does not correctly validate handles when performing certain actions. An attacker can exploit this issue to run arbitrary code in kernel mode. For successful exploitation, an attacker would first have to log on to the system. This issue cannot be exploited remotely or by anonymous users. (CVE-2009-0082)
- The Windows kernel is prone to a privilege elevation vulnerability that is caused due to improper handling of a specially crafted invalid pointer. An attacker can exploit this issue to run arbitrary code in kernel mode. For successful exploitation, an attacker would first have to log on to the system. This issue cannot be exploited remotely or by anonymous users.(CVE-2009-0083)
Microsoft has rated these issues as Critical. A security update has been released by Microsoft to addresses the above vulnerabilities by validating input passed from user mode through the kernel component of GDI, correcting the way that the kernel validates handles, and changing the way that the Windows kernel handles specially crafted invalid pointers. .
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The March 2009 Security Updates For Runtimes Are Now Available (KB958690)
April 2009 Security Updates Are Now Available On the ECE (KB958690)
- Consequence
-
CVE-2009-0081: Successful exploitation could allow remote code execution if a user views a specially crafted EMF or WMF image file from an affected system.
CVE-2009-0082, CVE-2009-0083: Successful exploitation allows arbitrary code execution in kernel mode. An attacker can gain elevated privileges and could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Workaround:
CVE-2009-0081: Systems that have the update for Microsoft Security Bulletin MS07-017 applied, or systems running Windows Vista or Windows Server 2008 can disable metafile processing by modifying the registry.Impact of the workaround: Disabling metafile processing can cause the appearance of the output from software or system components to decrease in quality or cause software or system components to fail completely.
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=98bb7d40-89a0-470a-8eb7-06f15072a635Windows XP Service Pack 2 and Windows XP Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?familyid=e09641ba-6cbe-4095-82b5-703d3a7dc33bWindows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=d0d704c6-48c2-4907-b6c3-2455d7cf21c8Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=f5cfb8da-e7cc-4183-8631-507c2a406500Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=ecf75c70-8489-41ad-9759-3a07e13957beWindows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=04be3d7e-7dda-4dca-887a-e7a8156ede1cWindows Vista and Windows Vista Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=4b1aaaba-f355-4265-83c0-50b901856cedWindows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=0fcac480-d6db-4a94-8c7d-b7319282cf56Windows Server 2008 for 32-bit Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=38851df2-4fb5-4d28-9d15-181c260cf8cfWindows Server 2008 for x64-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=ec15acc4-3e0f-4414-9383-61c122ff1382Windows Server 2008 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=eead6f93-10fd-4492-8137-481d9876a5feRefer to Microsoft Security Bulletin MS09-006 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-006 Microsoft Windows 2000 Service Pack 4
MS09-006 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
MS09-006 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
MS09-006 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
MS09-006 Windows Server 2008 for 32-bit Systems
MS09-006 Windows Server 2008 for Itanium-based Systems
MS09-006 Windows Server 2008 for x64-based Systems
MS09-006 Windows Vista and Windows Vista Service Pack 1
MS09-006 Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
MS09-006 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
MS09-006 Windows XP Service Pack 2 and Windows XP Service Pack 3
-
Windows Schannel Security Package Could Allow Spoofing Vulnerability (MS09-007)
- Severity
- Critical 4
- Qualys ID
- 116281
- Vendor Reference
- MS09-007
- CVE Reference
- CVE-2009-0085
- CVSS Scores
- Base 7.1 / Temporal 5.3
- Description
-
The Secure Channel (SChannel) security package is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols.
A spoofing vulnerability exists in the Microsoft Windows SChannel authentication component when using certificate based authentication because it fails to perform sufficient validation of certain Transport Layer Security (TLS) handshake messages to verify that the client has access to the private key linked to the certificate used for authentication. This issue can be exploited by an attacker with access to the public component of the certificate used for authentication by an end user to bypass the SChannel validation via a crafted TLS packet. (CVE-2009-0085)
This vulnerability affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
Microsoft has rated this issue as Important.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The March 2009 Security Updates For Runtimes Are Now Available (KB960225)
April 2009 Security Updates Are Now Available On the ECE (KB960225)
- Consequence
- Successful exploitation of this vulnerability allows a malicious user to conduct spoofing attacks by authenticating against a protected server using the public component of the authentication credential of another user.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=bf7065bc-c183-4a78-8d46-72fe7385c07cWindows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=942d87f6-3cb1-4d36-a70a-70d9c34488f3Windows XP Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?familyid=942d87f6-3cb1-4d36-a70a-70d9c34488f3Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=6d02306e-9e2e-4ae8-bd21-8a2c1a229472Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=0b3f6fdd-276e-4267-99d8-8f00d91ad6a2Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=ce98ff55-f565-469d-bbd2-32b681faf908Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=5ca3c72c-cadb-4b0a-b3a3-fb81d0bfd7b3Windows Vista and Windows Vista Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=21086a04-402a-4940-8358-7fa63508102bWindows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=c75a2ea9-b42f-457b-be09-5c8fa0339388Windows Server 2008 for 32-bit Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=47b361ce-624b-466c-b5c5-8703f6532615Windows Server 2008 for x64-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=5c81ac45-60e6-4121-ab6b-d3b3179aacc4For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-007 for further details.Workaround:
- Implement Active Directory certificate mapping which enables a user with a trusted public key to access domain resources without typing a user name and a password. A client certificate can be directly mapped to an Active Directory user account.Impact of the workaround: Implementing the workaround will not fix the vulnerability, but will help in blocking attack vectors until the update is applied.
-
Vulnerabilities in DNS and WINS Server Could Allow Spoofing (MS09-008)
- Severity
- Critical 4
- Qualys ID
- 90481
- Vendor Reference
- MS09-008
- CVE Reference
- CVE-2009-0093, CVE-2009-0094, CVE-2009-0233, CVE-2009-0234
- CVSS Scores
- Base 6.4 / Temporal 4.7
- Description
-
Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource participating in the Internet. Windows Internet Name Service (WINS) is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names.
The following security vulnerabilities have been identified in Windows DNS and WINS servers:
- An error in the Windows DNS server causes it to not properly reuse cached responses. An attacker can exploit this issue by sending specific queries to a vulnerable DNS server and at the same time responding back in a manner that allows insertion of false or misleading DNS data resulting in redirection of network traffic. (CVE-2009-0233)
- An error in the Windows DNS server causes it to incorrectly cache specifically crafted DNS responses. An attacker can exploit this vulnerability by sending multiple specifically crafted queries to the DNS server so that the server makes unnecessary lookups allowing a greater predictability of subsequent transaction IDs used by the server. (CVE-2009-0234)
- The Windows DNS server does not properly validate who can register WPAD entries on the DNS server when dynamic update is used and ISATAP and WPAD are not registered in DNS. This issue can be exploited to launch man-in-the-middle attacks against any browsers configured to use WPAD to discover proxy server settings if an attacker registers "WPAD" in the DNS database and points it to an IP address controlled by the attacker. (CVE-2009-0093)
- The Windows WINS server does not properly validate who can register WPAD or ISATAP entries on the WINS server. This issue can be exploited to launch man-in-the-middle attacks against any browsers configured to use WPAD to discover proxy server settings if an attacker registers WPAD or ISATP in the WINS database and points it to an IP address controlled by the attacker. (CVE-2009-0094)
Microsoft has rated these issues as Important.
- Consequence
-
CVE-2009-0233, CVE-2009-0234: Successfully exploitation of this vulnerability allows an attacker to conduct spoofing attacks, insert arbitrary addresses into the DNS cache causing DNS cache poisoning and redirection of Internet traffic.
CVE-2009-0093, CVE-2009-0094: Successful exploitation of this vulnerability allows a remote authenticated attacker to spoof a Web proxy and redirect Internet traffic to an IP controlled by the attacker.
- Solution
-
Refer to MS09-008 for more information.
Workaround:
CVE-2009-0093, CVE-2009-0094: Create a WPAD.DAT proxy auto configuration file:
1) Create a WPAD.DAT file that adheres to the Proxy auto-config specification.
2) Place the WPAD.DAT file in the root directory of a Web server in the organization and ensure the file can be requested anonymously.
3) Create a MIME type for the WPAD.DAT file on the Web server of "application/x-ns-proxy-autoconfig".
4) Create the appropriate entries in the DHCP or DNS server to allow discovery of the WPAD server.
For detailed steps, please refer to the advisory.Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-008 DNS server on Microsoft Windows 2000 Server Service Pack 4
MS09-008 DNS server on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
MS09-008 DNS server on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
MS09-008 DNS server on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
MS09-008 DNS server on Windows Server 2008 for 32-bit Systems
MS09-008 DNS server on Windows Server 2008 for x64-based Systems
MS09-008 WINS server on Microsoft Windows 2000 Server Service Pack 4
MS09-008 WINS server on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
MS09-008 WINS server on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
MS09-008 WINS server on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
These new vulnerability checks are included in Qualys vulnerability signature 1.22.153-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 90484
- 116281
- 90481
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.