Microsoft security alert.
November 9, 2010
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 11 vulnerabilities that were fixed in 3 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 3 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Office Remote Code Execution Vulnerability (MS10-087)
- Severity
- Critical 4
- Qualys ID
- 110102
- Vendor Reference
- MS10-087
- CVE Reference
- CVE-2010-3333, CVE-2010-3334, CVE-2010-3335, CVE-2010-3336, CVE-2010-3337
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft Office is prone to the following vulnerabilities:
1) When Microsoft Office software parses specially crafted RTF-formatted data, system memory may be corrupted in such a way that an attacker could execute arbitrary code.
2) When a user opens a specially crafted Office file, system memory may become corrupted in such a way that an attacker could execute arbitrary code.
3) A remote code execution vulnerability exists in the way Microsoft Office loads libraries: if a user opens a document from a directory that also contains a specially crafted DLL file, the DLL is loaded into memory, giving the attacker control of the affected system in the security context of the logged-on user.
Microsoft has released an update that addresses the vulnerabilities by modifying the way that Microsoft Office software parses files and by helping to ensure a vulnerable component of Microsoft Office uses a more appropriate and secure search order when loading libraries.
This security update is rated Critical for all supported editions of Microsoft Office 2007 and Microsoft Office 2010. This security update is also rated Important for all supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Microsoft Office for Mac 2011; and Open XML File Format Converter for Mac.
QID Detection Logic (Authenticated):
Operating System: Windows
The QID checks the hardcoded Office installation paths and looks at the file version of mso.dll.
Operating System: MacOS
This QID checks for vulnerable versions of the Office applications (PowerPoint, Word, Excel).
Note: This was previously an iDefense exclusive vulnerability with iDefense ID 503260.
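The Windows check described above, reproduced as an added PowerShell example (this is not Qualys's own QID logic): it reads the file version of mso.dll from the standard Office install locations and compares it with a minimum patched version supplied by the caller. The OFFICE10/11/12/14 directories are the usual Office XP/2003/2007/2010 locations under Common Files\Microsoft Shared; the patched-version thresholds are not on this page and must be taken from the file information tables for the MS10-087 update packages, so the function takes them as a parameter rather than hardcoding guesses.

```powershell
# Added example, not the Qualys QID itself: authenticated-style check for MS10-087 on
# Windows. Looks at mso.dll in the standard Office install locations and compares its
# file version with the minimum patched version supplied by the caller.
# Office XP = OFFICE10, Office 2003 = OFFICE11, Office 2007 = OFFICE12, Office 2010 = OFFICE14.
function Get-MsoDllVersion {
    [CmdletBinding()]
    param()
    # 32-bit Office on 64-bit Windows lives under ProgramFiles(x86); check both roots.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        foreach ($dir in 'OFFICE10', 'OFFICE11', 'OFFICE12', 'OFFICE14') {
            $path = Join-Path $root "Common Files\Microsoft Shared\$dir\MSO.DLL"
            if (Test-Path -LiteralPath $path) {
                $fvi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
                # Build a [version] from the numeric parts; the FileVersion string can carry extra text.
                $ver = New-Object System.Version $fvi.FileMajorPart, $fvi.FileMinorPart, $fvi.FileBuildPart, $fvi.FilePrivatePart
                [pscustomobject]@{ Path = $path; Release = $dir; Version = $ver }
            }
        }
    }
}

function Test-MS10087 {
    param(
        # Minimum fixed mso.dll version per release directory, e.g. @{ OFFICE12 = '<version>' }.
        # Assumption: the caller fills these from the MS10-087 file information tables; none are
        # hardcoded here because the advisory does not list them.
        [Parameter(Mandatory)][hashtable]$MinimumVersion
    )
    foreach ($dll in Get-MsoDllVersion) {
        if (-not $MinimumVersion.ContainsKey($dll.Release)) {
            $status = 'UNKNOWN (no threshold supplied for this release)'
        } elseif ($dll.Version -ge [version]$MinimumVersion[$dll.Release]) {
            $status = 'PATCHED'
        } else {
            $status = 'VULNERABLE'
        }
        [pscustomobject]@{ Path = $dll.Path; Version = $dll.Version; Status = $status }
    }
}
```

Call Test-MS10087 with a hashtable mapping the release directory names (OFFICE10, OFFICE11, OFFICE12, OFFICE14) to the patched mso.dll version from the bulletin, and pipe the result to Format-Table. Comparing System.Version objects rather than version strings avoids the classic mistake of "12.0.6545.5004" sorting below "12.0.654.0" in a string comparison.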
- Consequence
- If this vulnerability is successfully exploited, a remote, unauthenticated attacker who convinces a user to open a specially crafted file (or a document placed next to a crafted DLL) can execute arbitrary code with the privileges of that user.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Microsoft Office 2010 (32-bit editions)
Microsoft Office 2010 (64-bit editions)
Open XML File Format Converter for Mac
Refer to Microsoft Security Bulletin MS10-087 for further details.
Workaround:
1) Avoid opening Office files received from untrusted sources.
2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources; it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of workaround #2:
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. The following registry scripts can be used to set the File Block policy.
Note: Modifying the Registry incorrectly can cause serious problems that may require re-installation of the operating system.
For Office 2003:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
For 2007 Office system:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
Impact of workaround #3:
If File Block policy is configured without the "exempt directory" configuration (see KB922848), files in Office 2003 and earlier formats will not open in Office 2003 or the 2007 Microsoft Office System.
4) Read e-mails in plain text.
Impact of workaround #4: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content.
Detailed instructions on applying the workarounds can be found in Microsoft Security Bulletin MS10-087.
-
Microsoft PowerPoint Remote Code Execution Vulnerability (MS10-088)
- Severity
- Critical 4
- Qualys ID
- 110137
- Vendor Reference
- MS10-088
- CVE Reference
- CVE-2010-2572, CVE-2010-2573
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft PowerPoint is a proprietary presentation application written and distributed by Microsoft.
The application is vulnerable to multiple remote code execution vulnerabilities because of the way that Microsoft PowerPoint parses the PowerPoint file format when opening a specially crafted PowerPoint file. (CVE-2010-2572, CVE-2010-2573)
Microsoft has released an update that addresses these vulnerabilities by changing the way that Microsoft PowerPoint parses specially crafted PowerPoint files.
This security update is rated Important for supported editions of Microsoft PowerPoint 2002, Microsoft PowerPoint 2003, and Microsoft Office 2004 for Mac; and all supported versions of Microsoft PowerPoint Viewer.
- Consequence
- An attacker who successfully exploits any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office XP Service Pack 3 (Microsoft PowerPoint 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft PowerPoint 2003 Service Pack 3)
Microsoft PowerPoint Viewer Service Pack 2
Refer to Microsoft Security Bulletin MS10-088 for further details.
Workaround:
1) Avoid opening Office files received from untrusted sources.
2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources; it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of workaround #2:
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. The following registry scripts can be used to set the File Block policy.
Note: Modifying the Registry incorrectly can cause serious problems that may require re-installation of the operating system.
For Office 2003:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
For 2007 Office system:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
Impact of workaround #3:
If File Block policy is configured without the "exempt directory" configuration (see KB922848), files in Office 2003 and earlier formats will not open in Office 2003 or the 2007 Microsoft Office System.
4) Restrict access to pp7x32.dll for users of Microsoft PowerPoint 2002.
Impact of workaround #4: You will not be able to open PowerPoint 95 formatted files.
Detailed instructions on applying the workarounds can be found in Microsoft Security Bulletin MS10-088.
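Two of the client-side workarounds above, applied with PowerShell as an added example (this is not code from the Qualys advisory or from the Microsoft bulletins): Set-OfficeFileBlock implements workaround #3 of both MS10-087 and MS10-088 (the File Block policy in HKCU for Office 2003 and the 2007 Office system), and Block-Pp7x32Dll implements workaround #4 of MS10-088 (restricting access to pp7x32.dll). Assumptions: the advisory shows only the Excel key, and the example extends the same BinaryFiles value to the Word and PowerPoint keys; pp7x32.dll is located by searching the Microsoft Office directory under the default Program Files roots rather than by assuming its path; and the access restriction is a deny of read and execute, which is what stops the DLL from being loaded, rather than the full no-access ACE.

```powershell
# Added example, not from the Qualys advisory or the Microsoft bulletins.
# Set-OfficeFileBlock : workaround #3 (MS10-087 / MS10-088). Sets the File Block policy in
#                       HKCU for Office 2003 (11.0) and Office 2007 (12.0). The advisory shows
#                       the Excel key; assumption: the same BinaryFiles value applies to Word
#                       and PowerPoint. -Remove undoes it.
# Block-Pp7x32Dll     : workaround #4 (MS10-088). Denies Everyone read/execute on pp7x32.dll so
#                       PowerPoint 2002 cannot load the PowerPoint 95 converter. -Undo reverts.
function Set-OfficeFileBlock {
    param([switch]$Remove)
    $versions = [ordered]@{ '11.0' = 'Office 2003'; '12.0' = 'Office 2007' }
    foreach ($ver in $versions.Keys) {
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            $key = "HKCU:\Software\Microsoft\Office\$ver\$app\Security\FileOpenBlock"
            if ($Remove) {
                if (Test-Path $key) {
                    Remove-ItemProperty -Path $key -Name BinaryFiles -ErrorAction SilentlyContinue
                }
            } else {
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name BinaryFiles -PropertyType DWord -Value 1 -Force | Out-Null
            }
            # Read the value back so the caller sees the effective state, not just the intent.
            $val = (Get-ItemProperty -Path $key -Name BinaryFiles -ErrorAction SilentlyContinue).BinaryFiles
            [pscustomobject]@{ Release = $versions[$ver]; App = $app; BinaryFiles = $val }
        }
    }
}

function Block-Pp7x32Dll {
    param([switch]$Undo)
    # Assumption: Office XP is installed under one of the default Program Files roots.
    # Search for the DLL instead of hardcoding its directory.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    $dlls = foreach ($root in $roots) {
        Get-ChildItem -Path (Join-Path $root 'Microsoft Office') -Filter pp7x32.dll -Recurse -ErrorAction SilentlyContinue
    }
    # Everyone by well-known SID, so the rule is independent of the system's display language.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    # Deny read+execute: LoadLibrary needs read access to map the DLL, so this blocks loading
    # while leaving the ACL readable, which keeps -Undo possible without taking ownership.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'ReadAndExecute', 'Deny')
    foreach ($dll in $dlls) {
        $acl = Get-Acl -LiteralPath $dll.FullName
        if ($Undo) { $acl.RemoveAccessRule($rule) | Out-Null } else { $acl.AddAccessRule($rule) }
        Set-Acl -LiteralPath $dll.FullName -AclObject $acl
        [pscustomobject]@{ Path = $dll.FullName; ReadExecuteDeniedToEveryone = (-not $Undo) }
    }
}
```

Set-OfficeFileBlock runs as the affected user (HKCU needs no elevation); Block-Pp7x32Dll modifies a file ACL under Program Files and must run from an elevated prompt. Both functions return objects rather than printing, so the result can be piped to Format-Table or Export-Csv for a change record, and each has a switch (-Remove, -Undo) that reverts exactly what it set, which is the part of a workaround most often forgotten once the patch is deployed.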
-
Microsoft Forefront Unified Access Gateway Elevation of Privilege Vulnerabilities (MS10-089)
- Severity
- Serious 3
- Qualys ID
- 118724
- Vendor Reference
- MS10-089
- CVE Reference
- CVE-2010-2732, CVE-2010-2733, CVE-2010-2734, CVE-2010-3936
- CVSS Scores
- Base 5.8 / Temporal 4.3
- Description
-
Microsoft Forefront Unified Access Gateway (UAG) is a virtual private networking solution that provides secure remote access to corporate networks for remote employees and business partners.
Microsoft Forefront Unified Access Gateway (UAG) is exposed to the following vulnerabilities:
1) A spoofing vulnerability exists in Forefront Unified Access Gateway (UAG). The vulnerability could allow spoofing or redirecting of traffic intended for the UAG server if a UAG user clicks a specially crafted link. (CVE-2010-2732).
2) A cross-site scripting (XSS) vulnerability exists in Forefront Unified Access Gateway (UAG) that could allow specially crafted script code to run under the guise of the server. This is a non-persistent (reflected) cross-site scripting vulnerability that could allow an attacker to issue commands to the UAG server in the context of the targeted user. (CVE-2010-2733, CVE-2010-2734, CVE-2010-3936).
Microsoft has released a security update that addresses the vulnerabilities by modifying the way that UAG handles input and redirect verification.
This security update is rated Important for all supported versions of Forefront Unified Access Gateway 2010.
Affected Versions:
Forefront Unified Access Gateway 2010, Forefront Unified Access Gateway 2010 Update 1, and Forefront Unified Access Gateway 2010 Update 2.
- Consequence
- Successfully exploiting these vulnerabilities could allow a remote attacker to perform cross-site scripting and spoofing attacks against UAG users.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Forefront Unified Access Gateway 2010
Forefront Unified Access Gateway 2010 Update 1
Forefront Unified Access Gateway 2010 Update 2
Refer to Microsoft Security Bulletin MS10-089 for further details.
These new vulnerability checks are included in Qualys vulnerability signature 1.27.93-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 110102
- 110137
- 118724
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance posture, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.