Microsoft security alert.
March 9, 2010
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 18 vulnerabilities that were fixed in 6 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 6 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
Microsoft Windows Movie Maker and Producer Remote Code Execution Vulnerability (MS10-016)
- Severity: Critical 4
- Qualys ID: 90588
- Vendor Reference: MS10-016
- CVE Reference: CVE-2010-0265
- CVSS Scores: Base 9.3 / Temporal 7.7
- Description:
Microsoft Windows Movie Maker is video creating/editing software included in Microsoft Windows, and Microsoft Producer is an add-on tool for MS Office PowerPoint 2003.
Microsoft Windows Movie Maker and Producer 2003 are exposed to a remote code execution vulnerability. The vulnerability exists in the way that Windows Movie Maker and Microsoft Producer 2003 handle specially crafted project files. (CVE-2010-0265)
This security update is rated Important for Windows Movie Maker 2.1, Windows Movie Maker 2.6, Windows Movie Maker 6.0, and Microsoft Producer 2003.
Windows XP Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
March 2010 Runtime Security Updates are Now Available on ECE (KB975561)
April 2010 Security Updates for Standard 2009 and XPe are Available on ECE (KB975561)
- Consequence: Successfully exploiting this vulnerability might allow a remote attacker to execute arbitrary code.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Movie Maker 2.1)
Windows XP Professional x64 Edition Service Pack 2 (Movie Maker 2.1)
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 (Movie Maker 6.0)
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 (Movie Maker 2.6)
Windows 7 for 32-bit Systems (Movie Maker 2.6)
Windows 7 for x64-based Systems (Movie Maker 2.6)
Refer to Microsoft Security Bulletin MS10-016 for further details.
Workaround:
1) Remove the Movie Maker .MSWMM file association
Impact of workaround #1: Double-clicking an MSWMM file will no longer launch Windows Movie Maker.
2) Remove the Microsoft Producer 2003 .MSProducer, .MSProducerZ, and .MSProducerBF file associations. See Microsoft Knowledge Base Article 975561 to use the automated Microsoft Fix it solution to enable or disable this workaround.
Impact of workaround #2: Double-clicking Microsoft Producer 2003 files will no longer launch Microsoft Producer 2003.
3) Disable Microsoft Producer 2003 by restricting access
Impact of workaround #3: Users will no longer be able to run Microsoft Producer 2003.
4) Prevent Microsoft Producer 2003 from being installed
Impact of workaround #4: Users will no longer be able to install the Microsoft Producer 2003 add-in.
5) Uninstall Microsoft Producer 2003
Impact of workaround #5: Users will no longer be able to run Microsoft Producer 2003.
Detailed information on enabling and disabling the workarounds can be found at Microsoft Security Bulletin MS10-016.
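A read-only check of whether the file associations named in workarounds #1 and #2 are still registered on a host, as an added example that is not part of the original advisory or of Microsoft's bulletin. It assumes associations are resolved through the merged HKEY_CLASSES_ROOT view and that the handler sits under the ProgID's shell\open\command key; the function name Get-AssociationStatus is hypothetical.

```powershell
# Added example: audits the extensions listed in workarounds #1 and #2.
# It only reads the registry and changes nothing.
$extensions = '.MSWMM', '.MSProducer', '.MSProducerZ', '.MSProducerBF'

function Get-AssociationStatus {
    param([Parameter(Mandatory)][string]$Extension)

    # Assumption: the merged HKEY_CLASSES_ROOT view is what the shell consults.
    $extKey  = "Registry::HKEY_CLASSES_ROOT\$Extension"
    $progId  = $null
    $command = $null

    if (Test-Path -LiteralPath $extKey) {
        # The default value of the extension key names the ProgID that handles it.
        $progId = (Get-Item -LiteralPath $extKey).GetValue('')
        if ($progId) {
            # Assumption: the double-click handler is the "open" verb of that ProgID.
            $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
            if (Test-Path -LiteralPath $cmdKey) {
                $command = (Get-Item -LiteralPath $cmdKey).GetValue('')
            }
        }
    }

    [pscustomobject]@{
        Extension   = $Extension
        ProgId      = $progId
        OpenCommand = $command
        Status      = if ($command) {
                          'Association present (workaround not applied)'
                      } else {
                          'No open handler registered'
                      }
    }
}

$extensions |
    ForEach-Object { Get-AssociationStatus -Extension $_ } |
    Format-Table -AutoSize -Wrap
```

"No open handler registered" is also the result on a host where the product was never installed, so read it together with the patch status reported for QID 90588.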
Microsoft Excel Sheet Object Type Confusion Vulnerability (MS10-017)
- Severity: Critical 4
- Qualys ID: 110103
- Vendor Reference: MS10-017
- CVE Reference: CVE-2010-0258
- CVSS Scores: Base 9.3 / Temporal 6.9
- Description:
Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft.
Microsoft Excel is prone to a type confusion vulnerability that occurs when parsing several related Excel record types. The type confusion is due to multiple records containing fields that identify the type of an object shared between them.
The existence of this vulnerability is confirmed in all currently supported versions of Excel (2007 SP1/SP2, 2003 SP3, XP SP3) and Excel 2000 SP3, which is currently unsupported.
Microsoft has released a patch to resolve this issue. Previously, this was an iDefense exclusive vulnerability.
- Consequence: Successful exploitation of this vulnerability can allow the attacker to execute arbitrary code with privileges of the current user.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3)
2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1)
2007 Microsoft Office System Service Pack 2 (Microsoft Office Excel 2007 Service Pack 2)
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2
Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions)
Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions)
Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions)
Refer to Microsoft Security Bulletin MS10-017 for further details.
Workaround:
1) Avoid opening Office files received from un-trusted sources.
2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of the workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources.
Impact of the workaround: If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
Microsoft Excel Remote Code Execution Vulnerability (MS10-017)
- Severity: Critical 4
- Qualys ID: 110104
- Vendor Reference: MS10-017
- CVE Reference: CVE-2010-0257, CVE-2010-0258, CVE-2010-0260, CVE-2010-0261, CVE-2010-0262, CVE-2010-0263, CVE-2010-0264
- CVSS Scores: Base 9.3 / Temporal 7.3
- Description:
Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X. Excel is prone to the following vulnerabilities:
Multiple remote code execution vulnerabilities exist in the way that Microsoft Office Excel parses the Excel file format when opening a specially crafted Excel file. (CVE-2010-0257, CVE-2010-0258, CVE-2010-0260, CVE-2010-0261, CVE-2010-0262, CVE-2010-0263, CVE-2010-0264)
Microsoft has released a security update that addresses these vulnerabilities by changing the way that Microsoft Office Excel parses specially crafted Excel files. The security update is rated Important for all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel 2007, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac; Open XML File Format Converter for Mac; and all supported versions of Microsoft Office Excel Viewer and Microsoft Office Compatibility Pack.
Previously, this was an iDefense exclusive vulnerability.
- Consequence: Successful exploitation allows an attacker to execute arbitrary code. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3)
2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1)
2007 Microsoft Office System Service Pack 2 (Microsoft Office Excel 2007 Service Pack 2)
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2
Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions)
Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions)
Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions)
Refer to Microsoft Security Bulletin MS10-017 for further details.
Workaround:
1) Avoid opening Office files received from un-trusted sources.
2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of the workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources.
Impact of the workaround: If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
Microsoft Excel MDXTUPLE Record Heap Overflow Vulnerability (MS10-017)
- Severity: Critical 4
- Qualys ID: 110105
- Vendor Reference: MS10-017
- CVE Reference: CVE-2010-0260
- CVSS Scores: Base 9.3 / Temporal 6.9
- Description:
Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft.
The application is vulnerable to a heap overflow when parsing an MDXTUPLE record inside of the Excel Workbook globals stream. This record stores metadata for external data connections inside the workbook.
Excel Versions 2007 SP0, SP1 and SP2 are vulnerable.
Microsoft has released a patch to address this issue. Previously, this was an iDefense exclusive vulnerability.
- Consequence: Successful exploitation of this vulnerability can allow the attacker to execute arbitrary code with privileges of the current user.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3)
2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1)
2007 Microsoft Office System Service Pack 2 (Microsoft Office Excel 2007 Service Pack 2)
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2
Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions)
Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions)
Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions)
Refer to Microsoft Security Bulletin MS10-017 for further details.
Workaround:
1) Avoid opening Office files received from un-trusted sources.
2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of the workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources.
Impact of the workaround: If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
Microsoft Excel FNGROUPNAME Record Uninitialized Memory Vulnerability (MS10-017)
- Severity: Critical 4
- Qualys ID: 110106
- Vendor Reference: MS10-017
- CVE Reference: CVE-2010-0262
- CVSS Scores: Base 9.3 / Temporal 6.9
- Description:
Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft.
The application is vulnerable to a remote exploitation of an uninitialized memory issue when the application parses an FNGROUPCOUNT record inside of the Excel worksheet.
Excel Versions 2003 and 2007 are vulnerable.
Microsoft has released a patch to resolve this issue. Previously, this was an iDefense exclusive vulnerability.
- Consequence: Successful exploitation of this vulnerability can allow the attacker to execute arbitrary code with privileges of the current user.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3)
2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1)
2007 Microsoft Office System Service Pack 2 (Microsoft Office Excel 2007 Service Pack 2)
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2
Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions)
Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions)
Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions)
Refer to Microsoft Security Bulletin MS10-017 for further details.
Workaround:
1) Avoid opening Office files received from un-trusted sources.
2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of the workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources.
Impact of the workaround: If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
Microsoft Internet Explorer Cumulative Security Update (MS10-018 and KB981374)
- Severity: Urgent 5
- Qualys ID: 100083
- Vendor Reference: KB981374, MS10-018
- CVE Reference: CVE-2010-0267, CVE-2010-0488, CVE-2010-0489, CVE-2010-0490, CVE-2010-0491, CVE-2010-0492, CVE-2010-0494, CVE-2010-0805, CVE-2010-0806, CVE-2010-0807
- CVSS Scores: Base 9.3 / Temporal 8.1
- Description:
Microsoft Internet Explorer (IE) is prone to the following vulnerabilities:
Multiple remote code execution vulnerabilities exist in the way that IE accesses an object that has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. (CVE-2010-0267, CVE-2010-0490, CVE-2010-0491, CVE-2010-0492, CVE-2010-0806)
An information disclosure vulnerability exists in the way that IE handles content using specific encoding strings when submitting data. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page. (CVE-2010-0488)
A remote code execution vulnerability exists in the way that IE accesses an object that may have been corrupted due to a race condition. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. (CVE-2010-0489)
An information disclosure vulnerability exists in IE that could allow script to gain access to a browser window in another domain or IE zone. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could allow information disclosure if a user viewed the Web page and then drags the browser window across a second browser window.
A remote code execution vulnerability exists in the way that IE manages a long URL in certain situations. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution.
- Consequence: Successful exploitation of these vulnerabilities might allow a remote attacker to gain the same user rights as the logged-on user, gain access to sensitive information, or execute code remotely in the context of the affected product.
- Solution:
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 (Internet Explorer 5.01 Service Pack 4)
Microsoft Windows 2000 Service Pack 4 (Internet Explorer 6 Service Pack 1)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Internet Explorer 6)
Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 6)
Windows Server 2003 Service Pack 2 (Internet Explorer 6)
Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 6)
Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 6)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Internet Explorer 7)
Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 7)
Windows Server 2003 Service Pack 2 (Internet Explorer 7)
Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 7)
Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 7)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS10-018.
Workaround:
1) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting.
2) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
Impact of workaround #1 and #2: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently.
3) Modify the Access Control List (ACL) on iepeers.dll.
Impact of workaround #3: Extended MSHTML functionality such as printing and Web folders may be affected.
4) Enable DEP for Internet Explorer 6 Service Pack 2 or Internet Explorer 7.
Impact of workaround #4: Some browser extensions may not be compatible with DEP and may exit unexpectedly.
5) Disable the peer factory class in iepeers.dll.
Impact of workaround #5: Functionality that depends on peer factory, such as print and web folders, may be affected.
6) Enable or disable ActiveX Controls in Office 2007
These new vulnerability checks are included in Qualys vulnerability signature 1.26.13-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
  - 90588
  - 110103
  - 110104
  - 110105
  - 110106
  - 100083
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.