Microsoft security alert.
July 14, 2009
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 23 vulnerabilities that were fixed in 8 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 8 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
- Microsoft DirectShow Remote Code Execution Vulnerability (MS09-028)
- Severity
- Critical 4
- Qualys ID
- 90503
- Vendor Reference
- MS09-028
- CVE Reference
- CVE-2009-1537, CVE-2009-1538, CVE-2009-1539
- CVSS Scores
- Base 9.3 / Temporal 8.1
- Description
Microsoft DirectX consists of a set of low-level Application Programming Interfaces (APIs) used by Windows programs for multimedia support. The DirectShow technology performs client-side audio and video sourcing, manipulation and rendering.
DirectX is prone to the following vulnerabilities:
- A remote code execution vulnerability exists in the way that Microsoft DirectShow parses QuickTime media files. (CVE-2009-1537)
- A remote code execution vulnerability exists in the way that Microsoft DirectShow validates certain values when updating a pointer. This vulnerability could allow code execution if a user opened a specially crafted QuickTime file. (CVE-2009-1538)
- A remote code execution vulnerability exists in the way that Microsoft DirectShow validates specific fields in QuickTime media files. This vulnerability could allow code execution if a user opened a specially crafted QuickTime file. (CVE-2009-1539)
Affected Software:
DirectX 7.0:
Microsoft Windows 2000 Service Pack 4
DirectX 8.1:
Microsoft Windows 2000 Service Pack 4
DirectX 9.0:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows XP Embedded Systems: for additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The July 2009 Security Updates For Runtimes Are Now Available on the ECE (KB971633)
Aug 09 Security Updates for Standard 09 and XPe are Now Available (KB971633)
- Consequence
- Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code with the privileges of the user running the application that uses DirectX.
- Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 (DirectX 7.0)
Microsoft Windows 2000 Service Pack 4 (DirectX 8.1)
Microsoft Windows 2000 Service Pack 4 (DirectX 9.0)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (DirectX 9.0)
Windows XP Professional x64 Edition Service Pack 2 (DirectX 9.0)
Windows Server 2003 Service Pack 2 (DirectX 9.0)
Windows Server 2003 x64 Edition Service Pack 2 (DirectX 9.0)
Windows Server 2003 with SP2 for Itanium-based Systems (DirectX 9.0)
Refer to Microsoft Security Bulletin MS09-028 for further details.
Workaround:
1) Disable the parsing of QuickTime content in quartz.dll. This can be done using the Interactive Method or via a Managed Deployment Script.
Impact of workaround #1: QuickTime content playback will be disabled.
2) Modify the Access Control List (ACL) on quartz.dll using the following steps.
On Windows XP and Windows Server 2003 (all editions), run the following command from a command prompt (requires administrative privileges):
For 32-bit Windows systems:
Echo y| cacls %WINDIR%\SYSTEM32\quartz.DLL /E /P everyone:N
For 64-bit Windows systems:
Echo y| cacls %WINDIR%\SYSTEM32\quartz.DLL /E /P everyone:N
Echo y| cacls %WINDIR%\SYSWOW64\quartz.DLL /E /P everyone:N
Impact of workaround #2: Windows Media Player will not be able to play .AVI or .WAV files.
3) Unregister quartz.dll by running the following command from an elevated command prompt:
For 32-bit Windows systems:
Regsvr32.exe -u %WINDIR%\system32\quartz.dll
For 64-bit Windows systems:
Regsvr32.exe -u %WINDIR%\system32\quartz.dll
Regsvr32.exe -u %WINDIR%\syswow64\quartz.dll
Impact of workaround #3: Windows Media Player will not be able to play .AVI or .WAV files.
4) For non-multimedia folder types, the Windows shell attack vector can be mitigated by using Windows Classic Folders. Folder options can be changed as follows:
- Click Start, click Control Panel, click Appearance and Themes, and then click Folder Options. Or, open any folder, such as My Documents, and on the Tools menu, click Folder Options.
- On the General tab, under Tasks, select Use Windows classic folders.
For detailed steps on enabling and disabling the workarounds, please refer to Microsoft Security Bulletin MS09-028.
- Microsoft Embedded OpenType Font Engine Remote Code Execution Vulnerabilities (MS09-029)
- Severity
- Urgent 5
- Qualys ID
- 90511
- Vendor Reference
- MS09-029
- CVE Reference
- CVE-2009-0231, CVE-2009-0232
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
The Embedded OpenType Font Engine is a Microsoft Windows component. It is prone to the following vulnerabilities:
A remote code execution vulnerability exists in the way that Microsoft Windows Embedded OpenType (EOT) font technology parses data records in specially crafted embedded fonts. (CVE-2009-0231)
A remote code execution vulnerability exists in the way that Microsoft Windows Embedded OpenType (EOT) font technology parses name tables in specially crafted embedded fonts. (CVE-2009-0232)
Microsoft has released an update that addresses the vulnerability by correcting the way that the Microsoft Windows EOT component parses files and content containing embedded fonts.
Windows XP Embedded Systems: for additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The July 2009 Security Updates For Runtimes Are Now Available on the ECE (KB961371)
Aug 09 Security Updates for Standard 09 and XPe are Now Available (KB961371)
- Consequence
- Successful exploitation allows execution of arbitrary code.
- Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Refer to Microsoft Security Bulletin MS09-029 for further details.
Workaround:
1) Disable support for parsing embedded fonts in Internet Explorer. This can be done using the Interactive Method, Group Policy or a Managed Deployment Script.
Impact of workaround: Web sites making use of embedded font technology will fail to display properly.
2) Deny Access to T2EMBED.DLL
Impact of workaround: Applications that rely on embedded font technology will fail to display properly.
For detailed steps on enabling and disabling the workarounds, please refer to Microsoft Security Bulletin MS09-029.
- Microsoft Office Publisher 2007 Remote Code Execution Vulnerability (MS09-030)
- Severity
- Critical 4
- Qualys ID
- 110095
- Vendor Reference
- MS09-030
- CVE Reference
- CVE-2009-0566
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
Microsoft Office Publisher is a desktop publishing application. The "PUBCONV.DLL" module in Publisher is responsible for converting legacy format Publisher files (.pub) created by older versions of Publisher into the Publisher 2007 format.
A vulnerability exists in PUBCONV.DLL module in Microsoft Publisher 2007. A programming error in the module causes it to dereference an arbitrary attacker-controlled value as the address of a table of function pointers. An attacker can exploit this issue by persuading an unsuspecting user into opening a malicious file. This vulnerability allows attackers to execute arbitrary code on the user's system.
Microsoft Office Publisher 2007 is vulnerable.
Previously this was an iDefense private detection.
Lionel d'Hauenens of Labo Skopia, working with VeriSign iDefense Labs, reported the Pointer Dereference Vulnerability.
- Consequence
- A malicious user can execute arbitrary code on the affected system within the security context of the local user running Publisher.
- Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
2007 Microsoft Office System Service Pack 1 (Microsoft Office Publisher 2007 Service Pack 1)
Refer to Microsoft Security Bulletin MS09-030 for further details.
Workaround:
- Disable the Publisher Converter DLL
For Windows XP, run the following command from a command prompt:
cacls "c:\program files\microsoft office\office12\pubconv.dll" /E /P everyone:N
For 64-bit editions of Windows XP, run the following command, using the appropriate Windows path for your system:
cacls <64BIT_PATH_AND_FILENAME> /E /P everyone:N
For Windows Vista and Windows Server 2008, run the following commands (the /save step keeps a copy of the original ACL so it can be restored later with icacls /restore):
takeown /f "c:\program files\microsoft office\office12\pubconv.dll"
icacls "c:\program files\microsoft office\office12\pubconv.dll" /save %TEMP%\PUBCONV_ACL.TXT
icacls "c:\program files\microsoft office\office12\pubconv.dll" /deny everyone:(F)
For 64-bit editions of Windows Vista and Windows Server 2008, run the following commands, using the appropriate Windows path for your system:
takeown /f <64BIT_PATH_AND_FILENAME>
icacls <64BIT_PATH_AND_FILENAME> /save %TEMP%\FILENAME_ACL.TXT
icacls <64BIT_PATH_AND_FILENAME> /deny everyone:(F)
Impact of the workaround: Users who have disabled the Publisher Converter DLL will not be able to open Microsoft Office Publisher files created in versions earlier than Publisher 2007.
- Microsoft ISA Server 2006 Elevation of Privilege Vulnerability (MS09-031)
- Severity
- Urgent 5
- Qualys ID
- 90512
- Vendor Reference
- MS09-031
- CVE Reference
- CVE-2009-1135
- CVSS Scores
- Base 9 / Temporal 6.7
- Description
Microsoft Internet Security and Acceleration Server (ISA Server) is a firewalling and security product based on Microsoft Windows primarily designed to securely publish Web servers and other server systems.
An elevation of privilege vulnerability exists in ISA Server 2006 authentication when configured with Radius OTP. The vulnerability could allow an unauthenticated user access to any Web published resource. (CVE-2009-1135)
Affected Software:
Microsoft Internet Security and Acceleration Server 2006
Microsoft Internet Security and Acceleration Server 2006 Supportability Update
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
- Consequence
- An attacker who successfully exploits this vulnerability may be able to impersonate user accounts. If an attacker is able to successfully impersonate a user account, they may have access to resources the impersonated user has. If an attacker is impersonating an administrative account, the attacker might be able to install programs; view, change, or delete data; or create new accounts with full user rights on systems behind the ISA Server 2006 security boundary.
- Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Internet Security and Acceleration Server 2006
Microsoft Internet Security and Acceleration Server 2006 Supportability Update
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
Refer to Microsoft Security Bulletin MS09-031 for further details.
Workaround:
- Disable fallback to Basic authentication for ISA Forms-Based authentication together with Radius OTP.
1. For customers running the original release version of Microsoft Internet Security and Acceleration Server 2006, install the hotfix available from Microsoft Knowledge Base Article 938966. Customers running Microsoft Internet Security and Acceleration Server 2006 Supportability Update and Microsoft Internet Security and Acceleration Server 2006 Service Pack 1 do not need to apply the hotfix.
2. Run the Microsoft Visual Basic script available from the Post-hotfix installation information section of Microsoft Knowledge Base Article 938966 according to the instructions in the article.
Impact of workaround: ISA server will not allow basic authentication from clients served by that Web Listener.
- Microsoft Video ActiveX Control Remote Code Execution Vulnerability (MS09-032 and KB972890)
- Severity
- Urgent 5
- Qualys ID
- 90510
- Vendor Reference
- KB972890, MS09-032
- CVE Reference
- CVE-2008-0015, CVE-2008-0020
- CVSS Scores
- Base 9.3 / Temporal 8.8
- Description
The Microsoft Video Control object is a Microsoft ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video.
A buffer overflow vulnerability exists in DirectShow, caused by a boundary error in the ActiveX control for streaming video (msvidctl.dll); it can be exploited to cause a stack-based buffer overflow via specially crafted image content. (CVE-2008-0015)
Affected Software:
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows XP Embedded Systems: for additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The July 2009 Security Updates For Runtimes Are Now Available on the ECE (KB973346)
Aug 09 Security Updates for Standard 09 and XPe are Now Available (KB973346)
- Consequence
- Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code with the privileges of the user running the application that uses DirectX.
- Solution
Workaround:
1) Prevent Microsoft Video ActiveX Control from running in Internet Explorer
Microsoft is providing a capability to implement this workaround automatically. Refer to Microsoft Knowledge Base Article 972890 for information on use of the tool to disable the Microsoft Video ActiveX Control automatically on a computer that is running Windows XP or Windows Server 2003.
Disabling of Microsoft Video ActiveX Control can also be done manually by modifying the registry. Setting the kill-bit associated with Class Identifiers (CLSID) related to Microsoft Video ActiveX Control will prevent the ActiveX control from being loaded within Internet Explorer. Refer to Microsoft article KB240797 for information on setting the kill bits.
Detailed information on applying the workaround manually is available at Microsoft Security Advisory (972890) under "Workarounds" in the "Suggested Actions" section.
Impact of the workaround: There is no impact as long as the object is not intended to be used in Internet Explorer.
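As an added example (not part of the Qualys alert or of Microsoft's guidance), the following PowerShell script audits a host for the file-ACL, unregistration and kill-bit workarounds described for MS09-028, MS09-030 and MS09-032. It assumes an English Windows install, Office 2007 at its default 32-bit path, and that the operator supplies the Video ActiveX Control CLSIDs from Microsoft Security Advisory 972890, since the alert does not list them.

```powershell
# Added example: check whether the MS09-028 / MS09-030 / MS09-032 workarounds are in place.
# Run from an elevated PowerShell prompt; the Office path and the CLSID list are assumptions.

# Returns $true if the file carries an explicit Deny ACE for Everyone, which is what
# "cacls ... /E /P everyone:N" and "icacls ... /deny everyone:(F)" create; $null if the
# file is absent; 'unreadable' if the DACL cannot be read (a deny-all ACE can block even
# READ_CONTROL for non-owners, so run as the file's owner in that case).
function Test-EveryoneDenied {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $everyone = $sid.Translate([System.Security.Principal.NTAccount]).Value
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return 'unreadable' }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference.Value -eq $everyone) {
            return $true
        }
    }
    return $false
}

# Counts COM classes whose InprocServer32 points at quartz.dll under the given CLSID root.
# A 64-bit PowerShell sees the 64-bit view at HKCR\CLSID; the SysWOW64 copy registers under
# HKCR\Wow6432Node\CLSID. Zero means "regsvr32 -u quartz.dll" has been applied for that view.
function Get-QuartzRegistrationCount {
    param([string]$ClsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID')
    $count = 0
    foreach ($key in (Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue)) {
        $srv = Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -Name '(default)' -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -match 'quartz\.dll') { $count++ }
    }
    return $count
}

# Returns $true when the Internet Explorer kill bit (Compatibility Flags 0x400, as described
# in KB240797) is set for the given CLSID, so IE will refuse to load that control.
function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    return (($item.'Compatibility Flags' -band 0x400) -ne 0)
}

# Placeholder (assumption): replace with the CLSIDs listed in Microsoft Security Advisory 972890.
$videoControlClsids = @('{CLSID-FROM-ADVISORY-972890}')

$report = [ordered]@{
    'MS09-028 #2: System32\quartz.dll denied to Everyone'      = Test-EveryoneDenied "$env:WINDIR\System32\quartz.dll"
    'MS09-028 #2: SysWOW64\quartz.dll denied to Everyone'      = Test-EveryoneDenied "$env:WINDIR\SysWOW64\quartz.dll"
    'MS09-028 #3: quartz.dll CLSIDs still registered'          = Get-QuartzRegistrationCount
    'MS09-028 #3: quartz.dll CLSIDs still registered (WOW64)'  = Get-QuartzRegistrationCount 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    'MS09-030: pubconv.dll denied to Everyone'                 = Test-EveryoneDenied 'C:\Program Files\Microsoft Office\Office12\pubconv.dll'
}
foreach ($clsid in $videoControlClsids) {
    $report["MS09-032: kill bit set for $clsid"] = Test-KillBit $clsid
}
$report
```

The registry walk over every CLSID takes a few seconds; a $false or non-zero result for a bulletin that applies to the host means the corresponding workaround is not in effect there.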
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
Refer to Microsoft Security Bulletin MS09-032 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-032 Microsoft Windows 2000 Service Pack 4
MS09-032 Windows Server 2003 Service Pack 2
MS09-032 Windows Server 2003 with SP2 for Itanium-based Systems
MS09-032 Windows Server 2003 x64 Edition Service Pack 2
MS09-032 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*
MS09-032 Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
MS09-032 Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*
MS09-032 Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
MS09-032 Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
MS09-032 Windows XP Professional x64 Edition Service Pack 2
MS09-032 Windows XP Service Pack 2 and Windows XP Service Pack 3
- Microsoft Virtual PC and Virtual Server Elevation of Privilege Vulnerability (MS09-033)
- Severity
- Critical 4
- Qualys ID
- 116509
- Vendor Reference
- MS09-033
- CVE Reference
- CVE-2009-1542
- CVSS Scores
- Base 9 / Temporal 7
- Description
Microsoft Virtual PC allows customers to create and run one or more virtual machines, each with its own operating system, on a single computer. Microsoft Virtual Server is a similar solution for server operating systems.
An elevation of privilege vulnerability exists in Virtual PC and Virtual Server because they do not correctly validate whether specific machine instructions require a minimum CPU privilege level in order to run within the guest operating system environment. This may allow user mode applications to execute instructions which should only be issued in kernel mode. (CVE-2009-1542)
Microsoft has released an update that addresses the vulnerability by enforcing validation of privilege levels when executing machine instructions.
- Consequence
- An attacker who successfully exploits this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Virtual PC 2004 Service Pack 1
Microsoft Virtual PC 2007 Service Pack 1
Microsoft Virtual PC 2007 x64 Edition
Microsoft Virtual PC 2007 x64 Edition Service Pack 1
Microsoft Virtual Server 2005 R2 Service Pack 1
Microsoft Virtual Server 2005 R2 x64 Edition Service Pack 1
Refer to Microsoft Security Bulletin MS09-033 for further details.
- Oracle July 2009 Security Update Multiple Vulnerabilities
- Severity
- Critical 4
- Qualys ID
- 19484
- Vendor Reference
- CPUJUL2009
- CVE Reference
- CVE-2009-0987, CVE-2009-1015, CVE-2009-1019, CVE-2009-1020, CVE-2009-1021, CVE-2009-1963, CVE-2009-1966, CVE-2009-1967, CVE-2009-1968, CVE-2009-1969, CVE-2009-1970, CVE-2009-1973
- CVSS Scores
- Base 9 / Temporal 7
- Description
Oracle released a Critical Patch Update advisory for July 2009 that addresses 16 security vulnerabilities.
These are the Oracle database components affected:
- Oracle Net
- HTTP
- Consequence
- A remote attacker could affect the confidentiality and integrity of data on the target system.
- Solution
Workaround:
Until the Critical Patch Update (CPU) fixes are applied, network protocols required to launch the attacks should be restricted to reduce the possibility of successful attacks. For attacks requiring access to certain packages, restriction of privileges can help reduce the chances of an attack.
Impact of workaround:
The above approaches can break certain application functionality. These workarounds should not be used as long-term solutions.
Patch:
Oracle recommends that customers upgrade to the latest supported version of Oracle products in order to obtain the patches. Read Oracle Critical Patch Update Advisory - July 2009 for further information about the products affected and issues addressed.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CPUJUL2009 Oracle
- Mozilla Firefox 3.5 TraceMonkey JavaScript Engine Uninitialized Memory Vulnerability (MFSA 2009-41)
- Severity
- Critical 4
- Qualys ID
- 116510
- Vendor Reference
- FEDORA-2009-7898, MFSA 2009-41
- CVE Reference
- CVE-2009-2477
- CVSS Scores
- Base 9.3 / Temporal 8.1
- Description
Firefox is a Web browser application available for multiple platforms.
The application is prone to a remote code-execution vulnerability in the TraceMonkey component of Firefox's JavaScript engine. This issue arises during the processing of JavaScript and may present itself when certain string characters are escaped and subsequently copied to a buffer.
Firefox Version 3.5 is affected by this issue.
- Consequence
- Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts may result in denial of service.
- Solution
The vendor has released an update (Firefox Version 3.5.1) to resolve this issue. The update is available at Mozilla Firefox Download site.
Refer to the vendor security advisory MFSA 2009-41 for additional information.
Fedora has an update for this; refer to the vendor security advisory FEDORA-2009-7898.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MFSA 2009-41 Windows(Firefox)
MFSA 2009-41 Linux(Firefox)
MFSA 2009-41 Mac OS(Firefox)
These new vulnerability checks are included in Qualys vulnerability signature 1.23.28-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure that TCP ports 135 and 139 are accessible.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
- 90503
- 90511
- 110095
- 90512
- 90510
- 116509
- 19484
- 116510
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.