Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 5 vulnerabilities that were fixed in 4 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Microsoft has released 4 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
The first issue is caused by an error in the "MPC::HTML::UrlUnescapeW()" function within the Help and Support Center application (helpctr.exe), which does not properly check the return code of "MPC::HexToNum()" when unescaping URLs. This could allow attackers to bypass whitelist restrictions and invoke arbitrary help files.
The second vulnerability is caused by an input validation error in the "GetServerName()" function in the "C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\commonFunc.js" script invoked via "ShowServerName()" in "C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\sysinfomain.htm". This vulnerability could be exploited by attackers to execute arbitrary scripting code in the security context of the Help and Support Center.
By combining these vulnerabilities, a remote attacker can inject malicious code in the Help and Support Center and execute arbitrary commands on a vulnerable system by tricking a user into visiting a specially crafted Web page.
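The defect class behind the first MS10-042 issue, an unescape routine that does not check the error result of its hex-conversion helper, is illustrated below by an added PowerShell example. This is not code from Qualys, Microsoft or helpctr.exe: it shows a percent-decoder that rejects malformed escapes outright instead of guessing, and an allow-list check applied to the canonical decoded form rather than to the raw escaped string. The allow-list prefixes and the sample URLs are constructed for the example and are not the real Help and Support Center allow-list.

```powershell
# Added example (not Qualys, Microsoft or helpctr.exe code).
# Defect class from MS10-042: an unescape routine that ignores its hex helper's error
# result turns a malformed "%XX" into an unexpected character, so the string the
# allow-list check sees is not the string the consumer later acts on.
# Fix pattern: refuse malformed escapes, then check the allow-list on the decoded,
# canonical form. Prefixes and sample URLs below are constructed for illustration.

function ConvertFrom-StrictUrlEscape {
    param([Parameter(Mandatory=$true)][string]$Text)
    # Any '%' not followed by exactly two hex digits is an error, not something to repair.
    if ($Text -match '%(?![0-9A-Fa-f]{2})') {
        throw "Malformed percent-escape in input: $Text"
    }
    return [System.Uri]::UnescapeDataString($Text)
}

function Test-AllowedHelpPath {
    param(
        [Parameter(Mandatory=$true)][string]$RawUrl,
        # Constructed allow-list for the example; not the real helpctr.exe whitelist.
        [string[]]$AllowedPrefixes = @('hcp://system/', 'hcp://services/')
    )
    try {
        $decoded = ConvertFrom-StrictUrlEscape -Text $RawUrl
    } catch {
        # Malformed input is rejected outright; it is never "partially decoded".
        return $false
    }
    # Canonicalize the form the consumer will actually use (case, separator style)
    # and reject traversal, then compare the allow-list against that canonical form.
    $canonical = $decoded.ToLowerInvariant().Replace('\', '/')
    if ($canonical -match '/\.\./' -or $canonical.EndsWith('/..')) { return $false }
    foreach ($prefix in $AllowedPrefixes) {
        if ($canonical.StartsWith($prefix)) { return $true }
    }
    return $false
}

# Usage with constructed sample URLs: a plain allowed path, the same path with a valid
# escape for 's', a malformed escape, and a path outside the allow-list.
Test-AllowedHelpPath 'hcp://system/example/page.htm'
Test-AllowedHelpPath 'hcp://system/example/%70age.htm'
Test-AllowedHelpPath 'hcp://system/example/%zzpage.htm'
Test-AllowedHelpPath 'hcp://other/example/page.htm'
```

The important design point is the order of operations: decode strictly first, fail closed on any decoding error, and only then compare against the allow-list, so that the decoded string and the checked string are the same object.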
Affected Operating Systems:
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft has released a security update that addresses the vulnerability by modifying the manner in which data is validated when passed to the Windows Help and Support Center. This security update is rated Critical for all supported editions of Windows XP, and Low for all supported editions of Windows Server 2003.
Windows Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
Refer to Microsoft Security Bulletin MS10-042 for further details.
The vendor has provided an automated Microsoft Fix it solution to enable or disable this workaround. Refer to KB2219475 for the automated solution. Manual instructions are listed below:
Unregister the HCP protocol using the following steps:
1. Click Start, and then click Run.
2. Type regedit, and then click OK.
3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
4. Right-click the HCP key, and then click Delete.
Impact of the workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.
Affected Operating Systems:
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Microsoft has released a security update that addresses the vulnerability by correcting the manner in which the Canonical Display Driver (CDD) parses information copied from user mode to kernel mode. This security update is rated Critical for x64-based editions of Windows 7 and Important for Windows Server 2008 R2.
Refer to Microsoft Security Bulletin MS10-043 for further details.
Microsoft Office Access is exposed to multiple remote code execution vulnerabilities.
A remote code execution vulnerability exists in Access ActiveX controls due to the way multiple ActiveX controls are loaded by Internet Explorer. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. (CVE-2010-0814)
A remote code execution vulnerability exists in the way the FieldList ActiveX control is instantiated by Microsoft Office and Internet Explorer. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. (CVE-2010-1881)
Microsoft has released an update that addresses these vulnerabilities by updating specific Access ActiveX controls and by modifying the way memory is accessed by Microsoft Office and by Internet Explorer when loading Access ActiveX controls. This security update is rated Critical for supported editions of Microsoft Office Access 2003 and Microsoft Office Access 2007.
Refer to Microsoft Security Bulletin MS10-044 for further details.
1) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting
2) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Impact of workarounds #1 and #2: When visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.
3) Prevent COM objects from running in Internet Explorer by setting the kill bit for the control in the registry. The COM object that will be prevented from instantiating in Internet Explorer by this workaround is the FieldList ActiveX control. Refer to KB240797 for information on preventing a control from running in Internet Explorer.
Impact of workaround #3: The FieldList and ImexGrid controls are used in some of the Access wizards, a feature available in Microsoft Office Access only. After applying this workaround, a subset of wizards may not function properly.
4) Do not open untrusted Microsoft Office files
Detailed instructions on applying the workarounds can be found at Microsoft Security Bulletin MS10-044.
The vulnerability is due to Microsoft Office Outlook not properly verifying an attachment that is attached using the ATTACH_BY_REFERENCE value of the PR_ATTACH_METHOD property in a specially crafted e-mail message.
Microsoft has released a security update that addresses the vulnerability by modifying the way Microsoft Office Outlook verifies attachments in a specially crafted e-mail message.
This security update is rated Important for all supported editions of Microsoft Office Outlook 2002, 2003 and 2007.
Refer to Microsoft Security Bulletin MS10-045 for further details.
1) Do not open e-mail attachments from untrusted sources
2) Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.
Impact of workaround #2: When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.
Detailed instructions on applying the workarounds can be found at Microsoft Security Bulletin MS10-045.
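The three registry and service workarounds in this advisory (unregistering the HCP protocol for MS10-042, the kill bit for the FieldList control in MS10-044 workaround #3, and disabling the WebClient service in MS10-045 workaround #2) can be audited from one script. The PowerShell below is an added example, not Qualys or Microsoft code; it only reads state and reports whether each workaround is in effect. The FieldList control's CLSID is not given in this advisory, so the script carries a placeholder that must be replaced with the CLSID from Microsoft Security Bulletin MS10-044; the kill-bit layout follows KB240797.

```powershell
# Added example (not Qualys or Microsoft code): read-only audit of three workarounds
# from this advisory on the local host. Run from an elevated PowerShell prompt; only
# PowerShell 2.0 cmdlets are used so it runs on the XP / 2003 / 7 / 2008 R2 hosts listed.
# Nothing is changed; applying a workaround stays with the bulletin's own instructions.

# PLACEHOLDER: this advisory does not give the FieldList control's CLSID.
# Replace with the CLSID listed in Microsoft Security Bulletin MS10-044.
$FieldListClsid = '{00000000-0000-0000-0000-000000000000}'

function Test-HcpProtocolUnregistered {
    # MS10-042 workaround: the hcp:// handler is registered under HKEY_CLASSES_ROOT\HCP.
    # The workaround deletes that key, so its absence means the workaround is in effect.
    return (-not (Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\HCP'))
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    # KB240797: a control is kill-bitted when the DWORD "Compatibility Flags" under
    # ActiveX Compatibility\{CLSID} has bit 0x400 set. On x64 Windows the 32-bit
    # Internet Explorer reads the Wow6432Node view, so both views are checked.
    $keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    if (Test-Path -Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { return $false }
        $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
        if ($null -eq $flags -or (([int]$flags -band 0x400) -eq 0)) { return $false }
    }
    return $true
}

function Test-WebClientDisabled {
    # MS10-045 workaround #2: WebClient must be stopped and its start type set to Disabled.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $true }   # service not installed: nothing to disable
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    return ($svc.Status -ne 'Running' -and $wmi.StartMode -eq 'Disabled')
}

function Get-WorkaroundReport {
    # One row per workaround. Applied = False means the host relies on the patch alone.
    $rows = @()
    $rows += New-Object PSObject -Property @{
        Bulletin = 'MS10-042'; Workaround = 'HCP protocol unregistered'
        Applied  = (Test-HcpProtocolUnregistered) }
    $rows += New-Object PSObject -Property @{
        Bulletin = 'MS10-044'; Workaround = 'Kill bit set on FieldList control'
        Applied  = (Test-ActiveXKillBit -Clsid $FieldListClsid) }
    $rows += New-Object PSObject -Property @{
        Bulletin = 'MS10-045'; Workaround = 'WebClient service disabled'
        Applied  = (Test-WebClientDisabled) }
    return $rows
}

Get-WorkaroundReport | Format-Table Bulletin, Workaround, Applied -AutoSize
```

Because the workarounds carry the side effects this advisory lists (broken hcp:// links, non-functional Access wizards, unreachable WebDAV shares), the report is meant to confirm which hosts still depend on the workaround after the security updates have been deployed, so the workaround can be reverted deliberately rather than forgotten.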
These new vulnerability checks are included in Qualys vulnerability signature 1.26.119-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
To perform a selective vulnerability scan, configure a scan profile to use the following options:
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
For more information, customers may contact Qualys Technical Support.
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.