Microsoft Security Bulletin: April 14 2009 Security Bulletin

Platform
OVERVIEW

Enterprise TruRisk Platform

Everything you need to measure, manage, and reduce your cyber risk in one place

CAPABILITIES

All

Asset Management

Vulnerability & Configuration Management

Risk Remediation

Threat Detection & Response

Compliance

Cloud Security

PLATFORM APPS

ASSET MANAGEMENT

CyberSecurity Asset Management (CSAM)
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software

External Attack Surface Management (EASM) - New
Gain an attacker’s view of your external internet-facing assets and unauthorized software

Vulnerability & Configuration Management

Vulnerability Management, Detection & Response (VMDR) - Most Popular
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster

Enterprise TruRisk Management (ETM) - New
Consolidate & translate security & vulnerability findings from 3rd party tools

Web App Scanning (WAS)
Automate scanning in CI/CD environments with shift left DAST testing

Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment

Risk REMEDIATION

Patch Management (PM)
Efficiently remediate vulnerabilities and patch systems

Custom Assessment and Remediation (CAR)
Quickly create custom scripts and controls for faster, more automated remediation

Threat Detection and Response

Multi-Vector EDR
Advanced endpoint threat protection, improved threat context, and alert prioritization

Context XDR
Extend detection and response beyond the endpoint to the enterprise

Compliance

Policy Compliance
Reduce risk, and comply with internal policies and external regulations with ease

File Integrity Monitoring (FIM)
Reduce alert noise and safeguard files from nefarious actors and cyber threats

Cloud Security

TotalCloud (CNAPP)
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.

Cloud Security Posture Management (CSPM)
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.

Infrastructure as Code Security (IaC)
Detect and remediate security issues within IaC templates

SaaS Security Posture Management (SSPM) - New
Manage your security posture and risk across your entire SaaS application stack

Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment

Cloud Detection and Response (CDR)
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.

Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime
Solutions
Use Cases

Endpoint Security

Compliance

PCI Compliance

Cloud Security

Application Security

DevOps

Threat Protection

Zero-Trust Security

Segments

Small Business

Mid-Sized Business

Enterprise

Federal

Consultant & MSP
Resources
RESOURCES

Resources Library

Blog

Webinars

Qualys Stream

Fundamentals

RESEARCH

Threat Research Unit

Security Alerts

Security Advisories
Support
SUPPORT
More
Customers

Overview

Best Practices

Success Stories

Testimonials
Partners

Overview

Partner Program

VAD Partners

VAR Resellers

MSP/MSSP Partners

Consultants and MSPs

Integration Partners

Partner FAQs

Find a Partner
Company

About Us

Our Team

Investor Relations

News

Awards

Events

Careers

Community
- Overview
- Discuss
- Blog
- Training
- Docs
- Resources
Login
What’s my platform?
Contact us
Contact us below to request a quote, or for any product-related questions
Create Account. It’s Free!
Try PM for free
Try VMDR for free
Try VMDR TruRisk for free
Try CS for free
Sign up for TotalCloud
Sign up for CDR
Try CSAM for free
Try PCI for free
Try Policy Compliance for free
Try VMDR for Mobile Devices
Try SaaSDR for free
Try Multi-Vector EDR for Free
Try CAR for Free
Request a Demo
Try it
Enterprise TruRisk Platform
- Cloud Platform - Free Trial
Free Services

Try it

Overview
Platform Apps
Vulnerability Management, Detection & Response (VMDR) - Most Popular
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Enterprise TruRisk Management (ETM) - New
Consolidate & translate security & vulnerability findings from 3rd party tools
Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime
Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Web App Scanning (WAS)
Automate scanning in CI/CD environments with shift left DAST testing

Overview
Platform Apps
TotalCloud (CNAPP)
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Cloud Security Posture Management (CSPM)
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Infrastructure as Code Security (IaC)
Detect and remediate security issues within IaC templates
SaaS Security Posture Management (SSPM) - New
Manage your security posture and risk across your entire SaaS application stack
Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Cloud Detection and Response (CDR)
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 21 vulnerabilities that were fixed in 8 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 8 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

Microsoft DirectShow Could Allow Remote Code Execution (MS09-011)

Severity

Urgent 5

Qualys ID

90488

Vendor Reference

MS09-011

CVE Reference

CVE-2009-0084

CVSS Scores

Base 9.3 / Temporal 6.9

Description

Microsoft DirectX consists of a set of low-level Application Programming Interfaces (APIs) used by Windows programs for multimedia support. The DirectShow technology performs client-side audio and video sourcing, manipulation and rendering.
A remote code execution vulnerability exists in the way Microsoft DirectShow handles supported format files. An error occurs when decompressing MJPEG content. This vulnerability could allow code execution if a user opens a specially crafted MJPEG file. (CVE-2009-0084)
Microsoft has released a security update to addresses the vulnerability by correcting the way that DirectShow decompresses media files.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2009 Security Updates Are Now Available On the ECE (KB961373)

Consequence

If this vulnerability is successfully exploited, it allows attackers to take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Workaround A:
- Disable the decoding of MJPEG content in Quartz.dll
Steps to disable decoding of MJPEG content using the Interactive Method:
1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey: HKEY_CLASSES_ROOT\CLSID\(301056D0-6DFF-11D2-9EEB-006008039E37)
3. Click the File menu and select Export.
4. In the Export Registry File dialog box, enter MJPEG_Decoder_Backup.reg and click Save.
5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.
Steps to disable decoding of MJPEG content using a Managed Deployment Script:
1. Create a backup copy of the registry keys by using a managed deployment script that contains the following commands:
Regedit.exe /e MJPEG_Decoder_Backup.reg HKEY_CLASSES_ROOT\CLSID\(301056D0-6DFF-11D2-9EEB-006008039E37)
2. Next, save the following to a file with a .REG extension, such as Disable_MJPEG_Decoder.reg:
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\CLSID\(301056D0-6DFF-11D2-9EEB-006008039E37)]
3. Run the above registry script on the target machine with the following command from an elevated command prompt:
Regedit.exe /s Disable_MJPEG_Decoder.reg
Impact of the Workaround:
MJPEG content playback will be disabled.
Workaround B:
- Unregister quartz.dll using the following command from an elevated command prompt:
For 32-bit Windows systems: Regsvr32.exe -u %WINDIR%\system32\quartz.dll
For 64-bit Windows systems: Regsvr32.exe -u %WINDIR%\syswow64\quartz.dll

Impact of workaround. Windows Media Player will not be able to play ".AVI" or ".WAV" files.
For additional details on applying the workarounds, please refer to Microsoft Security Bulletin MS09-011.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 (DirectX 8.1)
Microsoft Windows 2000 Service Pack 4 (DirectX 9.0)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (DirectX 9.0)
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (DirectX 9.0)
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (DirectX 9.0)
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (DirectX 9.0)
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (DirectX 9.0)
Refer to Microsoft Security Bulletin MS09-011 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-011 Microsoft Windows 2000 Service Pack 4(DirectX 8.1)
MS09-011 Microsoft Windows 2000 Service Pack 4(DirectX 9.0)
MS09-011 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2(DirectX 9.0)
MS09-011 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems(DirectX 9.0)
MS09-011 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2(DirectX 9.0)
MS09-011 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2(DirectX 9.0)
MS09-011 Windows XP Service Pack 2 and Windows XP Service Pack 3(DirectX 9.0)
WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)

Severity

Urgent 5

Qualys ID

90474

Vendor Reference

MS09-010

CVE Reference

CVE-2008-4841, CVE-2009-0087, CVE-2009-0088, CVE-2009-0235

CVSS Scores

Base 9.3 / Temporal 7.7

Description

WordPad is a default component of Microsoft Windows operating systems. Text converters in WordPad allow users who do not have Microsoft Office Word installed to open documents in various Microsoft Windows file formats. The Microsoft Office WordPerfect 6.x Converter helps users convert documents from Corel WordPerfect 6.x file formats to Microsoft Office Word file formats.
Multiple vulnerabilities listed below have been identified in WordPad and Office Text Converters:
- A memory corruption vulnerability in WordPad and Office Text Converter exists in the way the applications process memory when a user opens a specially crafted Word 6 file that includes malformed data. A remote attacker can exploit this flaw to execute arbitrary code. (CVE-2009-0087)
- A stack-based buffer overflow vulnerability exists when parsing a specially crafted Word 97 document. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed list structure. (CVE-2008-4841)
- A stack corruption vulnerability in Word 2000 WordPerfect 6.x Converter exists in the way that the converter processes memory when parsing a specially crafted WordPerfect document. (CVE-2009-0088)
- A stack-based buffer overflow vulnerability exists in WordPad as a result of memory corruption when a user opens a specially crafted Word file. This can be exploited by a remote attacker to execute arbitrary code. (CVE-2009-0235)
Microsoft has released a security update to address these vulnerabilities by modifying the way that Microsoft Office Word and Office text converters handle opening specially crafted Word 6.0, Windows Write, and WordPerfect documents. It also addresses the vulnerabilities by implementing fixes to WordPad and by preventing WordPad on affected platforms from opening Word 6.0 and Windows Write files.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2009 Security Updates Are Now Available On the ECE (KB960477, 923561)

Consequence

Successful exploitation of this vulnerability allows an attacker to run arbitrary code as the logged-on user if a specially crafted file is opened in WordPad or Microsoft Office Word. An attacker with administrative rights can take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

For Office Users:-
In order to resolve this issue, install following office patches:- "office2000-KB921606-FullFile-ENU.exe, office2003-KB960476-FullFile-ENU.exe, officexp-KB933399-FullFile-ENU.exe" along with windows patches "Windows2000-KB923561-x86-ENU.EXE, WindowsServer2003-KB923561-ia64-ENU.exe, WindowsServer2003-KB923561-x86-ENU.exe, WindowsServer2003.WindowsXP-KB923561-x64-ENU.exe, WindowsXP-KB923561-x86-ENU.exe"

For Non-Office Users:-
In order to resolve this issue, install following Windows patches:- "Windows2000-KB923561-x86-ENU.EXE, WindowsServer2003-KB923561-ia64-ENU.exe, WindowsServer2003-KB923561-x86-ENU.exe, WindowsServer2003.WindowsXP-KB923561-x64-ENU.exe, WindowsXP-KB923561-x86-ENU.exe"

Workaround:
1) Avoid opening or saving Microsoft Office files received from untrusted sources
2) Disable the Word 6 converter by restricting access by applying an access control list to affected converters to ensure that the converter is no longer loaded by WordPad and Office.
Impact of the workaround: Conversion of Word 6 documents to WordPad RTF or Word 2003 documents will no longer work.
3) Disable the Office text converter by restricting access by applying an access list to the affected converter to ensure it is no longer loaded by Microsoft Office Word.
Impact of the workaround: Microsoft Office Word will no longer load WordPerfect documents.
Detailed information on applying access lists to disable Word 6 and Office text converter can be found in Microsoft Security Bulletin MS09-010.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Office 2000 Service Pack 3 (Microsoft Office Word 2000 Service Pack 3)
Microsoft Office XP Service Pack 3 (Microsoft Office Word 2002 Service Pack 3)
Microsoft Office Converter Pack
Refer to Microsoft Security Bulletin MS09-010 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-010 Microsoft Office 2000 Service Pack 3(Microsoft Office Word 2000 Service Pack 3)
MS09-010 Microsoft Office Converter Pack
MS09-010 Microsoft Office XP Service Pack 3(Microsoft Office Word 2002 Service Pack 3)
MS09-010 Microsoft Windows 2000 Service Pack 4
MS09-010 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
MS09-010 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
MS09-010 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
MS09-010 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
MS09-010 Windows XP Service Pack 2 and Windows XP Service Pack 3
Vulnerabilities in Windows Could Allow Elevation of Privilege (MS09-012)

Severity

Urgent 5

Qualys ID

90490

Vendor Reference

MS09-012

CVE Reference

CVE-2008-1436, CVE-2009-0078, CVE-2009-0079, CVE-2009-0080

CVSS Scores

Base 9 / Temporal 7.4

Description

The Microsoft Distributed Transaction Coordinator (MSDTC) is a distributed transaction facility for Microsoft Windows platforms. Windows Management Instrumentation (WMI) is the primary management technology for Microsoft Windows operating systems used for monitoring of systems.
The following vulnerabilities exist affecting MSDTC and WMI have been identified:
- An elevation of privilege vulnerability exists due to the MSDTC facility allowing the NetworkService token to be obtained and used when making an RPC call. This can be exploited by a process having the SeImpersonatePrivilege to run arbitrary code with NetworkService privileges. (CVE-2008-1436)
- The WMI provider improperly isolates processes running under the NetworkService or LocalService accounts. This can be exploited to run arbitrary code with LocalSystem privileges by obtaining a SYSTEM token. (CVE-2009-0078)
- The RPCSS service improperly isolates processes running under the NetworkService or LocalService accounts. This can be exploited to execute arbitrary code with LocalSystem privileges. (CVE-2009-0079)
- A vulnerability exists due to Windows placing incorrect access control lists (ACLs) on threads in the current ThreadPool. An attacker who successfully exploits this vulnerability could execute arbitrary code with LocalSystem privileges. (CVE-2009-0080)
Microsoft has released a security update to address these vulnerabilities by correcting the way that Windows addresses tokens requested by the Microsoft Distributed Transaction Coordinator (MSDTC), and by properly isolating WMI providers and processes that run under the NetworkService or LocalService accounts.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2009 Security Updates Are Now Available On the ECE (KB959454, 952004, 956572)

Consequence

The vulnerabilities could allow elevation of privilege if an attacker is allowed to log on to the system and then run a specially crafted application. The attacker must be able to run code on the local machine in order to exploit this vulnerability. An attacker who successfully exploits any of these vulnerabilities could take complete control over the affected system.

Solution

Following are links for downloading patches to fix the vulnerabilities:
MSDTC Transaction Facility:
Microsoft Windows 2000 Service Pack 4
MSDTC Transaction Facility:
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows Service Isolation:
Windows XP Service Pack 2
Windows Service Isolation:
Windows XP Service Pack 3
MSDTC Transaction Facility:
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Service Isolation:
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
MSDTC Transaction Facility:
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Service Isolation:
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
MSDTC Transaction Facility:
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Service Isolation:
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
MSDTC Transaction Facility:
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Service Isolation:
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-012.Workaround:
1) IIS 6.0: Configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager and disable MSDTC.
2) IIS 7.0: Specify a WPI for an application pool in IIS Manager.
3) IIS 7.0: Specify a WPI for an application pool using the Command Line utility APPCMD.exe.
Detailed information on applying the workarounds is available at Microsoft Security Bulletin MS09-012.
Impact of the workarounds: Management of additional user accounts results in increased administrative overhead. Application functionality may be affected depending on the nature of applications running. Disabling MSDTC will prevent applications from using distributed transactions and will prevent configuration as well as running of COM+ applications.

Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-012 Microsoft Windows 2000 Service Pack 4(MSDTC Transaction Facility)
MS09-012 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2(MSDTC Transaction Facility)
MS09-012 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2(Windows Service Isolation)
MS09-012 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems(MSDTC Transaction Facility)
MS09-012 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems(Windows Service Isolation)
MS09-012 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2(MSDTC Transaction Facility)
MS09-012 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2(Windows Service Isolation)
MS09-012 Windows Server 2008 for 32-bit Systems(MSDTC Transaction Facility)
MS09-012 Windows Server 2008 for 32-bit Systems(Windows Service Isolation)
MS09-012 Windows Server 2008 for Itanium-based Systems(MSDTC Transaction Facility)
MS09-012 Windows Server 2008 for Itanium-based Systems(Windows Service Isolation)
MS09-012 Windows Server 2008 for x64-based Systems(MSDTC Transaction Facility)
MS09-012 Windows Server 2008 for x64-based Systems(Windows Service Isolation)
MS09-012 Windows Vista(Windows Service Isolation)
MS09-012 Windows Vista Service Pack 1(Windows Service Isolation)
MS09-012 Windows Vista and Windows Vista Service Pack 1(MSDTC Transaction Facility)
MS09-012 Windows Vista x64 Edition(Windows Service Isolation)
MS09-012 Windows Vista x64 Edition Service Pack 1(Windows Service Isolation)
MS09-012 Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1(MSDTC Transaction Facility)
MS09-012 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2(MSDTC Transaction Facility)
MS09-012 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2(Windows Service Isolation)
MS09-012 Windows XP Service Pack 2(Windows Service Isolation)
MS09-012 Windows XP Service Pack 2 and Windows XP Service Pack 3(MSDTC Transaction Facility)
MS09-012 Windows XP Service Pack 3(Windows Service Isolation)
Windows HTTP Services Could Allow Remote Code Execution (MS09-013)

Severity

Urgent 5

Qualys ID

90493

Vendor Reference

MS09-013

CVE Reference

CVE-2009-0086, CVE-2009-0089, CVE-2009-0550

CVSS Scores

Base 10 / Temporal 7.8

Description

Windows HTTP Services (WinHTTP) provides developers with an HTTP client application programming interface (API) to send requests through the HTTP protocol to Web servers. WinHTTP can be used by both Microsoft Windows components and third-party software.
Windows HTTP Services is prone to the following vulnerabilities:
- A remote code execution vulnerability exists in the way that Windows HTTP Services handle specific values that are returned by a remote Web server. (CVE-2009-0086)
- A spoofing vulnerability exists in Windows HTTP Services as a result of the incomplete validation of the distinguished name in a digital certificate. When combined with specific other attacks, such as DNS spoofing, this may allow an attacker to successfully spoof the digital certificate of a Web site for any application that uses Windows HTTP Services. (CVE-2009-0089)
- A remote code execution vulnerability exists in the way that Windows HTTP Services handles NTLM credentials when a user connects to an attacker's Web server. (CVE-2009-0550)
Microsoft has released a security update that addresses these vulnerabilities by changing the way that Windows HTTP Services handles errors and validates certificates, and by ensuring that Windows HTTP Services correctly use NTLM credential reflection protection mechanisms.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2009 Security Updates Are Now Available On the ECE (KB960803)

Consequence

If this vulnerability is successfully exploited, it will allow attackers to take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Successful exploitation also allows an attacker to impersonate a secure Web site and offer malicious content to the application using Windows HTTP Services, which would trust it as if it originated from a secure Web site.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS09-013 for further details.
Microsoft Internet Explorer Cumulative Security Update (MS09-014)

Severity

Urgent 5

Qualys ID

100071

Vendor Reference

MS09-014

CVE Reference

CVE-2008-2540, CVE-2009-0550, CVE-2009-0551, CVE-2009-0552, CVE-2009-0553, CVE-2009-0554

CVSS Scores

Base 9.3 / Temporal 7.7

Description

Microsoft Internet Explorer is a Web browser for Microsoft Windows. The browser is prone to the following vulnerabilities:
- A blended threat remote code execution vulnerability exists in the way that Internet Explorer locates and opens files on the system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. Internet Explorer could open a specially crafted file from the desktop allowing files be downloaded to the system without prompting. (CVE-2008-2540)
- WinINet does not correctly opt in to NTLM credential-reflection protections when a user connects to an attacker's server by way of the HTTP protocol. This vulnerability allows an attacker to replay the user's credentials back to the attacker and to execute code in the context of the logged-on user. (CVE-2009-0550)
- A memory corruption vulnerability exists in the way Internet Explorer handles transition when navigating between Web pages. As a result, system memory may be corrupted in such a way that an attacker could execute arbitrary code if a user visited a specially crafted Web site. (CVE-2009-0551)
- Multiple remote code execution vulnerabilities exists in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker can exploit this issue by constructing a specially crafted Web page. When Internet Explorer attempts to access an object that has not been initialized or has been deleted, it triggers memory corruption allowing arbitrary execution of code. (CVE-2009-0552, CVE-2009-0553, CVE-2009-0554)
Microsoft has released a security update to addresses these vulnerabilities by modifying the way that Internet Explorer searches the system for files to load, performs authentication reply validation, handles transition errors when navigating between Web pages, and handles memory objects.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2009 Security Updates Are Now Available On the ECE (KB963027)

Consequence

If this vulnerability is successfully exploited, it will allow attackers to execute arbitrary code to take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 5.01 Service Pack 4)
Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 6 Service Pack 1)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft Internet Explorer 6)
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Microsoft Internet Explorer 6)
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Microsoft Internet Explorer 6)
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Microsoft Internet Explorer 6)
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft Internet Explorer 6)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Windows Internet Explorer 7)
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 (Windows Internet Explorer 7)
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (Windows Internet Explorer 7)
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (Windows Internet Explorer 7)
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems (Windows Internet Explorer 7)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-014. Workaround:
CVE-2009-0551, CVE-2009-0552, CVE-2009-0553, CVE-2009-0554:
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Detailed steps on applying the workarounds can be found in Microsoft Security Bulletin MS09-014.
Impact of the Workaround -
On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.
Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (MS09-015)

Severity

Serious 3

Qualys ID

90492

Vendor Reference

MS09-015

CVE Reference

CVE-2008-2540

CVSS Scores

Base 9.3 / Temporal 6.9

Description

A security vulnerability in the Windows "SearchPath" function could allow elevation of privileges due to the way the function locates and opens files on the system. By persuading an unsuspecting user to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code with privileges of the logged-on user. (CVE-2008-2540)
Microsoft has released a security update that addresses the vulnerability by modifying the way that Windows loads files from the desktop.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2009 Security Updates Are Now Available On the ECE (KB959426)

Consequence

A privilege escalation can occur which could allow an attacker to install applications; view, change, or delete data, or create new accounts.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS09-015 for further details.
Microsoft ISA Server and Forefront Threat Management Gateway Denial of Service (MS09-016)

Severity

Serious 3

Qualys ID

90491

Vendor Reference

MS09-016

CVE Reference

CVE-2009-0077, CVE-2009-0237

CVSS Scores

Base 5 / Temporal 3.7

Description

The following vulnerabilities have been identified in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG):
- A denial of service vulnerability exists in the way the firewall engine handles TCP state for Web proxy or Web publishing listeners. It can allow a remote user to send specially crafted network packets to the affected system and cause a Web listener to stop responding to new requests. (CVE-2009-0077)
- A cross-site scripting (XSS) vulnerability exists in the HTML forms authentication component in ISA Server or Forefront TMG, "cookieauth.dll", due to improper input validation of the HTTP stream. This could allow malicious script code to run on the machine of another user under the guise of the server running "cookieauth.dll". (CVE-2009-0237)
Microsoft has released a security update to addresses these vulnerabilities by modifying the way that the firewall engine handles the TCP state and the way that HTTP forms authentication handles input.

Consequence

CVE-2009-0077: A remote user can exploit this vulnerability to cause the affected system's Web listener to become non-responsive leading to denial of service conditions.
CVE-2009-0237: Successful exploitation of this vulnerability could allow injection of arbitrary script in the user's browser. This can lead to spoofing and information disclosure.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Forefront Threat Management Gateway, Medium Business Edition
Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2006
Microsoft Internet Security and Acceleration Server 2006 Supportability Update
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
Refer to Microsoft Security Bulletin MS09-016 for further details.
Microsoft Excel Remote Code Execution Vulnerability (MS09-009)

Severity

Critical 4

Qualys ID

110093

Vendor Reference

MS09-009

CVE Reference

CVE-2009-0100, CVE-2009-0238

CVSS Scores

Base 9.3 / Temporal 7.7

Description

Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X.
The following vulnerabilities exist in Microsoft Office Excel:
- A remote code execution vulnerability exists in the way the application parses the Excel spreadsheet file format. A remote attacker can exploit this flaw by enticing an unsuspecting user into opening a specially crafted spreadsheet to cause arbitrary execution of code. (CVE-2009-0100)
- A security vulnerability that could allow remote code execution exists in Excel if a user opens a specially crafted Excel file that includes a malformed object. (CVE-2009-0238)

Consequence

Successful exploitation of this vulnerability allows an attacker to run arbitrary code as the logged-on user. An attacker with administrative rights can take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Workaround:
1) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of the workaround:
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
2) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. The following registry scripts can be used to set the File Block policy.
For Office 2003:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
For 2007 Office system:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
Impact of the workaround:
If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft Office Excel 2000 Service Pack 3)
Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3)
2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1)
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office Excel Viewer 2003 Service Pack 3
Microsoft Office Excel Viewer
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
Refer to Microsoft Security Bulletin MS09-009 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-009 2007 Microsoft Office System Service Pack 1(Microsoft Office Excel 2007 Service Pack 1)
MS09-009 Microsoft Office 2000 Service Pack 3(Microsoft Office Excel 2000 Service Pack 3)
MS09-009 Microsoft Office 2003 Service Pack 3(Microsoft Office Excel 2003 Service Pack 3)
MS09-009 Microsoft Office 2004 for Mac
MS09-009 Microsoft Office 2008 for Mac
MS09-009 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
MS09-009 Microsoft Office Excel Viewer
MS09-009 Microsoft Office Excel Viewer 2003 Service Pack 3
MS09-009 Microsoft Office XP Service Pack 3(Microsoft Office Excel 2002 Service Pack 3)

These new vulnerability checks are included in Qualys vulnerability signature 1.22.184-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

Ensure access to TCP ports 135 and 139 are available.
Enable Windows Authentication (specify Authentication Records).
Enable the following Qualys IDs:
- 90488
- 90474
- 90490
- 90493
- 100071
- 90492
- 90491
- 110093
If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.

OVERVIEW

CAPABILITIES

PLATFORM APPS

ASSET MANAGEMENT

Vulnerability & Configuration Management

Risk REMEDIATION

Threat Detection and Response

Compliance

Cloud Security

Use Cases

Segments

RESOURCES

RESEARCH

Customers

Partners

Company

Overview

CAPABILITIES

Platform Apps

Use Cases

Segments

Resources

Research

Enterprise TruRisk Platform

Free Services

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Microsoft security alert.

April 14, 2009

Advisory overview

Vulnerability details

Microsoft DirectShow Could Allow Remote Code Execution (MS09-011)

WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)

Vulnerabilities in Windows Could Allow Elevation of Privilege (MS09-012)

Windows HTTP Services Could Allow Remote Code Execution (MS09-013)

Microsoft Internet Explorer Cumulative Security Update (MS09-014)

Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (MS09-015)

Microsoft ISA Server and Forefront Threat Management Gateway Denial of Service (MS09-016)

Microsoft Excel Remote Code Execution Vulnerability (MS09-009)

Selective Scan Instructions Using Qualys

Access for Qualys Customers

Technical Support

About Qualys