Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 28 vulnerabilities that were fixed in 11 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Microsoft has released 11 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
The vulnerability exists in the way that VBScript interacts with Windows Help files (winhlp32.exe) when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user.
Microsoft has released a security update that addresses this vulnerability by modifying the way that the VBScript engine processes help files in protected mode.
This security update addresses the vulnerability first described in Microsoft Security Advisory 981169.
Windows Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2010 Security Updates for Standard 2009 and XPe are Available on ECE (KB981169, KB981332, KB981349, KB981350)
Updates for Windows Embedded Standard 7 Are Now Available (KB981332)
August 2010 Security Updates for XPe and Standard 2009 Available on ECE (KB981349)
Microsoft Windows 2000 Service Pack 4 (VBScript 5.1)
Microsoft Windows 2000 Service Pack 4 (VBScript 5.6)
Microsoft Windows 2000 Service Pack 4 (VBScript 5.7)
Windows XP Service Pack 2 (VBScript 5.6)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (VBScript 5.7)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (VBScript 5.8)
Windows XP Professional x64 Edition Service Pack 2 (VBScript 5.6)
Windows XP Professional x64 Edition Service Pack 2 (VBScript 5.7)
Windows XP Professional x64 Edition Service Pack 2 (VBScript 5.8)
Windows Server 2003 Service Pack 2 (VBScript 5.6)
Windows Server 2003 Service Pack 2 (VBScript 5.7)
Windows Server 2003 Service Pack 2 (VBScript 5.8)
Windows Server 2003 x64 Edition Service Pack 2 (VBScript 5.6)
Windows Server 2003 x64 Edition Service Pack 2 (VBScript 5.7)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS10-022.
Workarounds:
1) Avoid pressing F1 on untrusted Web sites.
2) Restrict access to the Windows Help System.
Impact of workaround #2: The Windows Help System will be unavailable, and users may not be able to invoke the help function in applications. The attempt to open the help function in applications may lead to an error message.
3) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting.
4) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zones.
Impact of workarounds #3 and #4: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.
Detailed instructions on applying the workarounds can be found at Microsoft Security Bulletin MS10-022.
The kernel is prone to the following vulnerabilities:
- A denial of service vulnerability exists in the Windows kernel due to the insufficient validation of registry keys passed to a Windows kernel system call.
- A denial of service vulnerability exists in the Windows kernel due to the manner in which the kernel processes the values of symbolic links.
- An elevation of privilege vulnerability exists in the Windows kernel due to the manner in which memory is allocated when extracting a symbolic link from a registry key.
- An elevation of privilege vulnerability exists when the Windows kernel does not properly restrict symbolic link creation between untrusted and trusted registry hives.
- A denial of service vulnerability exists in the way that the Windows kernel validates registry keys.
- A denial of service vulnerability exists in the Windows kernel due to the way that the kernel resolves the real path for a registry key from its virtual path.
- A denial of service vulnerability exists in the Windows kernel due to the improper validation of specially crafted image files.
- A denial of service vulnerability exists in the Windows kernel due to the way that the kernel handles certain exceptions.
An attacker who successfully exploits these vulnerabilities could execute arbitrary code and take complete control of an affected system.
Affected Software:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Windows Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2010 Security Updates for Standard 2009 and XPe are Available on ECE (KB979683)
Updates for Windows Embedded Standard 7 Are Now Available (KB979683)
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS10-021 for further details.
These Windows components are prone to the following vulnerabilities:
A remote code execution vulnerability exists in the Windows Authenticode Signature Verification function used for portable executable (PE) and cabinet file formats. The vulnerability is caused when the Windows Authenticode Signature Verification function omits fields from the file digest when signing and verifying a PE or cabinet file. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to manipulate unverified portions of the signature and file in such a way as to add malicious code to the file without invalidating the signature. (CVE-2010-0486)
A remote code execution vulnerability exists in the Windows Authenticode Signature verification for cabinet (.cab) file formats. The vulnerability is caused when the Windows Cabinet File Viewer omits fields from the file digest when signing and verifying a cabinet file. An anonymous attacker could exploit the vulnerability by modifying an existing signed cabinet file to point the unverified portions of the signature to malicious code, and then convincing a user to open or view the specially crafted cabinet file. (CVE-2010-0487)
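The risk class behind these two CVEs is that any byte outside the signed digest can be changed without invalidating the signature. The following is an added example (not Qualys' or Microsoft's code) that applies the documented Authenticode PE hashing rule to a constructed, non-executable toy PE and shows which edits the digest does and does not see; the bulletin does not name the additional fields MS10-019 concerned, so only the baseline rule is shown. The digest routine is simplified: it hashes everything outside the three excluded regions, which matches the specification's section-by-section order only when sections lie in file order.

```python
import hashlib
import struct

# Authenticode PE hashing rule: the digest covers the whole file except
#   1. the optional header's CheckSum field,
#   2. the Certificate Table data directory entry (index 4), and
#   3. the attribute certificate table that entry points to.
# Bytes inside those regions can change without invalidating the signature.


def authenticode_excluded_ranges(pe):
    """Return the (start, end) file ranges the Authenticode digest skips."""
    if pe[:2] != b"MZ":
        raise ValueError("no DOS header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20                           # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    cert_entry = dir_base + 4 * 8                     # data directory 4 = Certificate Table
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    ranges = [(opt + 64, opt + 68), (cert_entry, cert_entry + 8)]
    if cert_size:
        ranges.append((cert_off, cert_off + cert_size))  # a file offset, not an RVA
    return ranges


def authenticode_digest(pe, algo="sha256"):
    """Hash every byte the signature covers (simplified: assumes sections lie
    in file order, so hashing everything outside the excluded ranges equals
    the specification's ordering)."""
    h = hashlib.new(algo)
    pos = 0
    for start, end in sorted(authenticode_excluded_ranges(pe)):
        h.update(pe[pos:start])
        pos = max(pos, end)
    h.update(pe[pos:])
    return h.hexdigest()


def build_toy_pe(body, cert_blob):
    """Constructed, non-executable PE32 layout for the demo: DOS header, PE
    headers with zero sections, a body blob standing in for section data,
    then the attribute certificate table at the end of the file."""
    e_lfanew = 64
    opt_size = 96 + 16 * 8                            # PE32 fields + 16 data directories
    headers_end = e_lfanew + 4 + 20 + opt_size        # 312
    cert_off = headers_end + len(body)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 60, headers_end)      # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert_blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + body + cert_blob


def tamper_demo():
    """Returns (edits inside excluded regions are invisible to the digest,
    an edit to one covered body byte is detected)."""
    pe = build_toy_pe(b"PROGRAM CODE " * 8, b"\x10" * 32)   # constructed input
    base = authenticode_digest(pe)
    checksum_rng, _cert_entry, cert_rng = authenticode_excluded_ranges(pe)
    unseen = bytearray(pe)                             # rewrite checksum + cert table only
    for start, end in (checksum_rng, cert_rng):
        unseen[start:end] = b"\xff" * (end - start)
    seen = bytearray(pe)
    seen[cert_rng[0] - 1] ^= 0x01                      # flip the last covered body byte
    return (authenticode_digest(bytes(unseen)) == base,
            authenticode_digest(bytes(seen)) != base)
```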
Microsoft has released a security update that addresses the vulnerabilities by correcting validations, the creation of symbolic links, the resolution of virtual registry key paths, and exception handling.
Windows Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2010 Security Updates for Standard 2009 and XPe are Available on ECE (KB981210, KB978601, KB979309)
Updates for Windows Embedded Standard 7 Are Now Available (KB978601, KB979309)
Windows Server 2008 R2 for x64-based Systems (Authenticode Signature Verification 6.1)
Windows Server 2008 R2 for x64-based Systems (Cabinet File Viewer Shell Extension 6.1)
Windows Server 2008 R2 for Itanium-based Systems (Authenticode Signature Verification 6.1)
Windows Server 2008 R2 for Itanium-based Systems (Cabinet File Viewer Shell Extension 6.1)
Windows XP Professional x64 Edition Service Pack 2 (Authenticode Signature Verification 5.1)
Windows XP Professional x64 Edition Service Pack 2 (Cabinet File Viewer Shell Extension 6.0)
Windows Server 2003 Service Pack 2 (Authenticode Signature Verification 5.1)
Windows Server 2003 Service Pack 2 (Cabinet File Viewer Shell Extension 6.0)
Windows Server 2003 x64 Edition Service Pack 2 (Authenticode Signature Verification 5.1)
Windows Server 2003 x64 Edition Service Pack 2 (Cabinet File Viewer Shell Extension 6.0)
Windows Server 2003 with SP2 for Itanium-based Systems (Authenticode Signature Verification 5.1)
Windows Server 2003 with SP2 for Itanium-based Systems (Cabinet File Viewer Shell Extension 6.0)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS10-019.
Microsoft SMB Server is prone to the following vulnerabilities:
A denial of service vulnerability exists in the way that the Microsoft Server Message Block client implementation handles specially crafted SMB responses. (CVE-2009-3676)
An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block client implementation allocates memory when parsing specially crafted SMB responses. (CVE-2010-0269)
An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block client implementation handles specially crafted SMB transaction responses. (CVE-2010-0270)
An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block client implementation parses specially crafted SMB transaction responses. (CVE-2010-0476)
An unauthenticated remote code execution vulnerability exists in the way that the Microsoft Server Message Block client implementation handles specially crafted SMB responses. (CVE-2010-0477)
Microsoft has released a security update to address these issues.
Windows Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2010 Security Updates for Standard 2009 and XPe are Available on ECE (KB980232)
Updates for Windows Embedded Standard 7 Are Now Available (KB980232)
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS10-020 for further details.
Workaround:
Block TCP ports 139 and 445 at the firewall. These ports are used to initiate a connection with the affected component. Blocking them at the enterprise firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability.
Impact of the workaround: Blocking the ports can cause several Windows services or applications using those ports to stop functioning.
Further details on applying the workarounds can be found at Microsoft Security Bulletin MS10-020.
A vulnerability exists in the file parsing code when Microsoft Office Publisher opens Publisher files.
Microsoft Office Publisher 2002 is vulnerable.
Microsoft Office Publisher 2003 is vulnerable.
Microsoft Office Publisher 2007 is vulnerable.
Microsoft has released a security update that addresses the vulnerability by correcting the way that Microsoft Office Publisher opens specially crafted Publisher files.
Microsoft Office XP Service Pack 3 (Microsoft Office Publisher 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office Publisher 2003 Service Pack 3)
2007 Microsoft Office System Service Pack 1 (Microsoft Office Publisher 2007 Service Pack 1)
2007 Microsoft Office System Service Pack 2 (Microsoft Office Publisher 2007 Service Pack 2)
Please refer to Microsoft Security Bulletin MS10-023 for further details.
Workaround:
Do not open Publisher files from untrusted sources.
Microsoft Exchange and Windows SMTP Service are exposed to the following vulnerabilities:
1) A denial of service vulnerability exists in the way that the Microsoft Windows Simple Mail Transfer Protocol (SMTP) component handles specially crafted DNS Mail Exchanger (MX) resource records. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted network message to a computer running the SMTP service. (CVE-2010-0024)
2) An information disclosure vulnerability exists in the Microsoft Windows Simple Mail Transfer Protocol (SMTP) component due to the manner in which the SMTP component handles memory allocation. An attacker could exploit the vulnerability by sending invalid commands, followed by the STARTTLS command, to an affected server. An attacker who successfully exploits this vulnerability could read random email message fragments stored on the affected server. (CVE-2010-0025)
Microsoft has released a security update that addresses the vulnerabilities by correcting the manner in which SMTP parses MX records and the manner in which SMTP allocates memory for interpreting SMTP command responses.
Windows XP Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2010 Security Updates for Standard 2009 and XPe are Available on ECE (KB981832, KB976323)
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems
Microsoft Exchange Server 2000 Service Pack 3
Microsoft Exchange Server 2003 Service Pack 2
Microsoft Exchange Server 2007 Service Pack 1 for x64-based Systems
Microsoft Exchange Server 2007 Service Pack 2 for x64-based Systems
Microsoft Exchange Server 2010 for x64-based Systems
Refer to Microsoft Security Bulletin MS10-024 for further details.
A remote code execution vulnerability exists in Microsoft Windows 2000 Server Service Pack 4 running the optional Windows Media Services component due to the way the Windows Media Unicast Service handles specially crafted transport information packets. On Microsoft Windows 2000 Server Service Pack 4, Windows Media Services is an optional component and is not installed by default. (CVE-2010-0478)
Microsoft has released a security bulletin describing workarounds to mitigate this issue.
Workarounds:
1) Stop and disable Windows Media Unicast Service.
As an Administrator, disable the Windows Media Unicast Service by using the following command at the command prompt:
sc stop nsunicast & sc config nsunicast start= disabled
Impact of workaround #1: Connections to the streaming media server via the Windows Media Unicast Service will not be allowed.
2) Uninstall the Windows Media Services component using Windows Component Wizard.
1. Log on to the computer as an administrator or a member of the Administrators group.
2. Click Start, point to Settings, and then click Control Panel.
3. In Control Panel, double-click Add/Remove Programs.
4. Click Add/Remove Windows Components. The Windows Components Wizard starts and the Windows Components screen is displayed.
5. Clear the Windows Media Services check box. Click Next and follow the instructions in the Windows Component Wizard.
Impact of workaround #2: The server will no longer be configured as a streaming media server using Windows Media Services.
Additional details on the workarounds can be obtained from Microsoft Security Bulletin MS10-025.
The Microsoft MPEG Layer-3 audio codecs do not properly handle specially crafted AVI files containing an MPEG Layer-3 audio stream allowing an attacker to execute remote code. (CVE-2010-0480)
Microsoft has released a security update that addresses this vulnerability by correcting the way that the Microsoft MPEG Layer-3 audio codecs decode the MPEG Layer-3 audio stream in specially crafted AVI files.
Windows Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2010 Security Updates for Standard 2009 and XPe are Available on ECE (KB977816)
August 2010 Security Updates for XPe and Standard 2009 Available on ECE (KB977816)
Microsoft Windows 2000 Service Pack 4 (MPEG Layer-3 codecs)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (MPEG Layer-3 codecs)
Windows XP Professional x64 Edition Service Pack 2 (MPEG Layer-3 codecs)
Windows Server 2003 Service Pack 2 (MPEG Layer-3 codecs)
Windows Server 2003 x64 Edition Service Pack 2 (MPEG Layer-3 codecs)
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 (MPEG Layer-3 codecs)
Refer to Microsoft Security Bulletin MS10-026 for further details.
Workaround:
Restrict access to the MPEG Layer-3 audio codecs to ensure that they can no longer be loaded. This effectively prevents exploitation of the vulnerability using this attack vector.
Impact of the workaround: MPEG Layer-3 audio encoded files will not play.
Further details on applying the workarounds can be found at Microsoft Security Bulletin MS10-026.
A remote code execution vulnerability exists in the Windows Media Player ActiveX control. This vulnerability exists because the Windows Media Player ActiveX control incorrectly handles specially crafted media content hosted on a malicious Web site. (CVE-2010-0268)
Microsoft has released a security update that addresses the vulnerability by modifying the way the Windows Media Player ActiveX control handles specially crafted media content hosted on a malicious Web site.
Windows XP Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2010 Security Updates for Standard 2009 and XPe are Available on ECE (KB979402)
Microsoft Windows 2000 Service Pack 4 (Windows Media Player 9 Series)
Windows XP Service Pack 2 (Windows Media Player 9 Series)
Windows XP Service Pack 3 (Windows Media Player 9 Series)
Refer to Microsoft Security Bulletin MS10-027 for further details.
Workarounds:
1) Prevent the Windows Media Player ActiveX control from running in Internet Explorer. Attempts to instantiate the Windows Media Player ActiveX control in Internet Explorer can be disabled by setting the kill bit for the control in the registry.
Impact of workaround #1: Users will not be able to start the Windows Media Player ActiveX control from within Web pages. As a result, Windows Media Player content will not render inside a Web page.
2) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting.
3) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zones.
Impact of workarounds #2 and #3: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.
Further details on applying the workarounds are available at Microsoft Security Bulletin MS10-027.
Microsoft Office Visio is prone to the following vulnerabilities that result in remote code execution:
A remote code execution vulnerability exists in the way that Microsoft Office Visio validates attributes when handling specially crafted Visio files. (CVE-2010-0254)
A remote code execution vulnerability exists in the way that Microsoft Office Visio calculates indexes when handling specially crafted Visio files. (CVE-2010-0256)
Microsoft has released a security update that addresses these vulnerabilities by correcting the way that Microsoft Office Visio validates attributes and calculates indexes when opening specially crafted Visio files.
Microsoft Office Visio 2002 Service Pack 2
Microsoft Office Visio 2003 Service Pack 3
Microsoft Office Visio 2007 Service Pack 1
Microsoft Office Visio 2007 Service Pack 2
Refer to Microsoft Security Bulletin MS10-028 for further details.
Workaround:
Do not open Visio files from untrusted sources.
ISATAP is prone to an address spoofing vulnerability. The vulnerability exists because the Windows TCP/IP stack does not properly check the source IPv6 address in a tunneled ISATAP packet. (CVE-2010-0812)
An attacker could try to exploit the vulnerability by creating specially crafted network packets with a specially crafted IPv6 source address in an ISATAP connection that does not match the corresponding IPv4 source address.
Microsoft has released a security update that addresses this vulnerability by changing the manner in which the Windows TCP/IP stack checks the source IPv6 address in a tunneled ISATAP packet.
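An ISATAP address carries the host's IPv4 address in its interface identifier, so the check the fix enforces is that the IPv4 address embedded in the inner IPv6 source equals the outer IPv4 source of the protocol 41 packet. The following is an added example (not Qualys' or Microsoft's code) that parses a raw IPv4-in-protocol-41 packet and applies that consistency check; the packets it runs on are constructed inline, and the address values (192.0.2.x, fe80::5efe:...) are sample values.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IP protocol type 41: an IPv6 packet tunnelled inside IPv4 (ISATAP)

# ISATAP interface identifier (RFC 5214): bytes 8..11 of the IPv6 address are
# 00:00:5e:fe (private IPv4) or 02:00:5e:fe (globally unique IPv4, "u" bit set)
# and bytes 12..15 hold the IPv4 address of the ISATAP host.
ISATAP_IID_TAGS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def isatap_embedded_ipv4(ipv6_addr):
    """IPv4 address embedded in an ISATAP address, or None if the interface
    identifier is not in ISATAP form."""
    packed = ipaddress.IPv6Address(ipv6_addr).packed
    if packed[8:12] not in ISATAP_IID_TAGS:
        return None
    return ipaddress.IPv4Address(packed[12:16])


def parse_protocol41_packet(raw):
    """Split a raw IPv4 datagram carrying protocol 41 into
    (outer IPv4 source, inner IPv6 source); ValueError for anything else."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != IPPROTO_IPV6:
        raise ValueError("not protocol 41")
    inner = raw[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("tunnelled payload is not an IPv6 header")
    return ipaddress.IPv4Address(raw[12:16]), ipaddress.IPv6Address(inner[8:24])


def check_isatap_source(raw):
    """The consistency check the fixed stack enforces: the IPv4 address embedded
    in the inner IPv6 source must equal the outer IPv4 source.
    Returns (verdict, detail) with verdict in consistent / spoofed / not-isatap."""
    outer_src, inner_src = parse_protocol41_packet(raw)
    embedded = isatap_embedded_ipv4(inner_src)
    if embedded is None:
        return "not-isatap", f"{inner_src} has no ISATAP interface identifier"
    if embedded != outer_src:
        return "spoofed", f"inner {inner_src} embeds {embedded} but outer source is {outer_src}"
    return "consistent", f"inner {inner_src} matches outer source {outer_src}"


def build_protocol41_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed test packet: 20-byte IPv4 header (protocol 41, checksum left 0)
    followed by a 40-byte IPv6 header with no payload (next header 59)."""
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, IPPROTO_IPV6, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    v6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed)
    return v4 + v6


if __name__ == "__main__":
    # 192.0.2.10 is c000:020a in the interface identifier; 192.0.2.200 is c000:02c8
    consistent = build_protocol41_packet("192.0.2.10", "192.0.2.1",
                                         "fe80::5efe:c000:20a", "fe80::5efe:c000:201")
    spoofed = build_protocol41_packet("192.0.2.10", "192.0.2.1",
                                      "fe80::5efe:c000:2c8", "fe80::5efe:c000:201")
    for pkt in (consistent, spoofed):
        print(*check_isatap_source(pkt))
```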
Windows XP Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2010 Security Updates for Standard 2009 and XPe are Available on ECE (KB978338)
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Refer to Microsoft Security Bulletin MS10-029 for further details.
Workarounds:
1) Block IP Protocol Type 41 (ISATAP) at the firewall. Blocking it at the enterprise firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability.
2) Disable the ISATAP IPv6 interface.
Impact of workaround #2: Disabling the ISATAP interface will prevent the system from using ISATAP as an IPv6 tunneling mechanism.
Further details on applying the workarounds can be found at Microsoft Security Bulletin MS10-029.
These new vulnerability checks are included in Qualys vulnerability signature 1.26.39-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
To perform a selective vulnerability scan, configure a scan profile to use the following options:
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Platforms and Platform Identification
For more information, customers may contact Qualys Technical Support.
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.