Microsoft security alert.

July 13, 2010

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 5 vulnerabilities that were fixed in 4 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 4 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

  • Microsoft Windows Help and Support Center Remote Code Execution Vulnerability (MS10-042 and KB2219475)

    Severity: Critical 4
    Qualys ID: 90609
    Vendor Reference: MS10-042
    CVE Reference: CVE-2010-1885
    CVSS Scores: Base 9.3 / Temporal 8.1
    Description
    Microsoft Windows Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. The following remote code execution vulnerabilities exist because the Windows Help and Support Center does not properly validate URLs when using the HCP Protocol.

    The first issue is caused by an error in the "MPC::HTML::UrlUnescapeW()" function within the Help and Support Center application (helpctr.exe), which does not properly check the return code of "MPC::HexToNum()" when unescaping URLs. This could allow attackers to bypass whitelist restrictions and invoke arbitrary help files.

    The second vulnerability is caused by an input validation error in the "GetServerName()" function in the "C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\commonFunc.js" script invoked via "ShowServerName()" in "C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\sysinfomain.htm". This vulnerability could be exploited by attackers to execute arbitrary scripting code in the security context of the Help and Support Center.

    By combining these vulnerabilities, a remote attacker can inject malicious code in the Help and Support Center and execute arbitrary commands on a vulnerable system by tricking a user into visiting a specially crafted Web page.

    Affected software:
    Windows XP Service Pack 2 and Windows XP Service Pack 3
    Windows XP Professional x64 Edition Service Pack 2
    Windows Server 2003 Service Pack 2
    Windows Server 2003 x64 Edition Service Pack 2
    Windows Server 2003 with SP2 for Itanium-based Systems

    Microsoft has released a security update that addresses the vulnerability by modifying the manner in which data is validated when passed to the Windows Help and Support Center. This security update is rated Critical for all supported editions of Windows XP, and Low for all supported editions of Windows Server 2003.

    Windows Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog posts:

    July 2010 Security Updates for XPe and Standard 2009 Are Now Available on ECE (KB2229593)
    August 2010 Security Updates for XPe and Standard 2009 Available on ECE (KB2229593)

    Consequence
    Successful exploitation could allow a remote attacker to execute arbitrary commands with the privileges of the current user.
    Solution
    Patch:
    Following are links for downloading patches to fix the vulnerabilities:

    Windows XP Service Pack 2 and Windows XP Service Pack 3

    Windows XP Professional x64 Edition Service Pack 2

    Windows Server 2003 Service Pack 2

    Windows Server 2003 x64 Edition Service Pack 2

    Windows Server 2003 with SP2 for Itanium-based Systems

    Refer to Microsoft Security Bulletin MS10-042 for further details.

    Workaround:
    The vendor has provided an automated Microsoft Fix it solution to enable or disable this workaround. Refer to KB2219475 for the automated solution. Manual instructions are listed below:

    Unregister the HCP protocol using the following steps:
    1. Click Start, and then click Run.
    2. Type regedit, and then click OK.
    3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
    4. Right-click the HCP key, and then click Delete.

    Impact of the workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.

    Refer to vendor advisories Microsoft Security Bulletin MS10-042 and Microsoft Security Advisory 2219475 to obtain more information about this vulnerability.

  • Microsoft Windows Canonical Display Driver Remote Code Execution Vulnerability (MS10-043 and Microsoft Security Advisory 2028859)

    Severity: Urgent 5
    Qualys ID: 90603
    Vendor Reference: MS10-043, Microsoft Security Advisory 2028859
    CVE Reference: CVE-2009-3678
    CVSS Scores: Base 9.3 / Temporal 7.3
    Description
    The Microsoft Windows Canonical Display Driver (CDD or cdd.dll) is used by desktop composition to blend GDI and DirectX drawings. CDD emulates the interface of a Windows XP display driver for interactions with the Win32k GDI graphics engine. CDD is prone to a remote code execution vulnerability because it does not properly parse information copied from user mode to kernel mode.

    Affected Operating Systems:
    Windows 7 for x64-based Systems
    Windows Server 2008 R2 for x64-based Systems

    Microsoft has released a security update that addresses the vulnerability by correcting the manner in which CDD parses information copied from user mode to kernel mode. This security update is rated Critical for x64-based editions of Windows 7 and Important for Windows Server 2008 R2.

    Consequence
    Successfully exploiting this issue could allow a remote attacker to execute arbitrary code.
    Solution
    Patch:
    Following are links for downloading patches to fix the vulnerabilities:

    Windows 7 for x64-based Systems

    Windows Server 2008 R2 for x64-based Systems

    Refer to Microsoft Security Bulletin MS10-043 for further details.

    Workaround:
    Disable the Windows Aero Theme. Further instructions on applying the workaround can be found at Microsoft Security Bulletin MS10-043 and Microsoft Security Advisory 2028859.

  • Microsoft Office Access ActiveX Controls Remote Code Execution Vulnerabilities (MS10-044)

    Severity: Urgent 5
    Qualys ID: 110127
    Vendor Reference: MS10-044
    CVE Reference: CVE-2010-0814, CVE-2010-1881
    CVSS Scores: Base 9.3 / Temporal 7.7
    Description
    Microsoft Office Access is a pseudo-relational database management system from Microsoft that combines the relational Microsoft Jet Database Engine with a graphical user interface and software development tools.

    Office Access is exposed to multiple remote code execution vulnerabilities.

    A remote code execution vulnerability exists in Access ActiveX controls due to the way multiple ActiveX controls are loaded by Internet Explorer. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged on user. (CVE-2010-0814)

    A remote code execution vulnerability exists in the way the FieldList ActiveX control is instantiated by Microsoft Office and Internet Explorer. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged on user. (CVE-2010-1881)

    Microsoft has released an update that addresses these vulnerabilities by updating specific Access ActiveX controls and by modifying the way memory is accessed by Microsoft Office and by Internet Explorer when loading Access ActiveX controls. This security update is rated Critical for supported editions of Microsoft Office Access 2003 and Microsoft Office Access 2007.

    Consequence
    Successfully exploiting these issues might allow a remote attacker to execute arbitrary code.
    Solution
    Patch:
    Following are links for downloading patches to fix the vulnerabilities:

    Microsoft Office 2003 Service Pack 3 (Microsoft Office Access 2003 Service Pack 3)

    2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2 (Microsoft Office Access 2007 Service Pack 1 and Microsoft Office Access 2007 Service Pack 2)

    Refer to Microsoft Security Bulletin MS10-044 for further details.

    Workarounds:
    1) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting

    2) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

    Impact of workaround #1 and #2:
    When visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.

    3) Prevent COM objects from running in Internet Explorer by setting the kill bit for the control in the registry. The COM object that will be prevented from instantiating in Internet Explorer by this workaround is the FieldList ActiveX control. Refer to KB240797 for information on preventing a control from running in Internet Explorer.

    Impact of workaround #3: The FieldList and ImexGrid controls are used in some of the Access wizards, a feature available in Microsoft Office Access only. After applying this workaround, a subset of wizards may not function properly.

    4) Do not open untrusted Microsoft Office files

    Detailed instructions on applying the workarounds can be found at Microsoft Security Bulletin MS10-044.

  • Microsoft Office Outlook Remote Code Execution Vulnerability (MS10-045)

    Severity: Critical 4
    Qualys ID: 110128
    Vendor Reference: MS10-045
    CVE Reference: CVE-2010-0266
    CVSS Scores: Base 9.3 / Temporal 7.7
    Description
    Microsoft Office Outlook is prone to a remote code execution vulnerability.

    The vulnerability is due to Microsoft Office Outlook not properly verifying an attachment that is attached using the ATTACH_BY_REFERENCE value of the PR_ATTACH_METHOD property in a specially crafted e-mail message.

    Microsoft has released a security update that addresses the vulnerability by modifying the way Microsoft Office Outlook verifies attachments in a specially crafted e-mail message.

    This security update is rated Important for all supported editions of Microsoft Office Outlook 2002, 2003 and 2007.

    Consequence
    The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
    Solution
    Patch:
    Following are links for downloading patches to fix the vulnerabilities:

    Microsoft Office XP Service Pack 3 (Microsoft Office Outlook 2002 Service Pack 3)

    Microsoft Office 2003 Service Pack 3 (Microsoft Office Outlook 2003 Service Pack 3)

    2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2 (Microsoft Office Outlook 2007 Service Pack 1 and Microsoft Office Outlook 2007 Service Pack 2)

    Refer to Microsoft Security Bulletin MS10-045 for further details.

    Workarounds:
    1) Do not open e-mail attachments from untrusted sources

    2) Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.

    Impact of workaround #2: When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

    Detailed instructions on applying the workarounds can be found at Microsoft Security Bulletin MS10-045.
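
The following PowerShell script is an added example, not part of the Qualys advisory or of Microsoft's bulletins: it audits whether the manual workarounds described above for MS10-042 (HCP protocol unregistered), MS10-044 workaround #3 (kill bit for the FieldList control) and MS10-045 workaround #2 (WebClient service disabled) are actually in place on the local host. The FieldList control CLSID is not listed on this page and is left as a placeholder to be taken from Microsoft Security Bulletin MS10-044; the kill-bit registry location and the 0x400 flag value are those documented in KB240797.

```powershell
# Added example, not from the Qualys advisory: audit whether the manual
# workarounds for MS10-042, MS10-044 and MS10-045 are in place on this host.
# Run from an elevated prompt; written to work on Windows PowerShell 2.0+.
param(
    # PLACEHOLDER: the FieldList control CLSID is not listed in this advisory;
    # take it from Microsoft Security Bulletin MS10-044 before running.
    [string]$FieldListClsid = '{00000000-0000-0000-0000-000000000000}'
)

function Test-HcpProtocolUnregistered {
    # MS10-042 workaround: the hcp:// handler is registered under HKCR\HCP.
    # If the key is gone, the protocol is unregistered.
    return (-not (Test-Path 'Registry::HKEY_CLASSES_ROOT\HCP'))
}

function Test-KillBitSet {
    param([string]$Clsid)
    # MS10-044 workaround #3 (KB240797): the kill bit is bit 0x400 of the
    # "Compatibility Flags" value under the ActiveX Compatibility key.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band 0x400) -eq 0x400)
}

function Test-WebClientDisabled {
    # MS10-045 workaround #2: WebClient must be stopped AND set to Disabled,
    # otherwise a reboot or a dependent service brings WebDAV back.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) { return $true }   # service not installed at all
    return ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
}

$checks = @(
    @('MS10-042: HCP protocol unregistered', (Test-HcpProtocolUnregistered)),
    @('MS10-044: FieldList kill bit set',    (Test-KillBitSet -Clsid $FieldListClsid)),
    @('MS10-045: WebClient service disabled', (Test-WebClientDisabled))
)
foreach ($c in $checks) {
    $state = if ($c[1]) { 'OK' } else { 'NOT APPLIED' }
    '{0,-40} {1}' -f $c[0], $state
}
```

The script only reports state; it changes nothing, so it can be run before and after applying a workaround to confirm the change took effect.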

These new vulnerability checks are included in Qualys vulnerability signature 1.26.119-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 90609
    • 90603
    • 110127
    • 110128
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.