Microsoft security alert.
April 12, 2011
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 65 vulnerabilities that were fixed in 17 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 17 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft JScript and VBScript Scripting Engines Remote Code Execution Vulnerability (MS11-031)
- Severity
- Urgent 5
- Qualys ID
- 90700
- Vendor Reference
- MS11-031
- CVE Reference
- CVE-2011-0663
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
JScript is an interpreted, object-based scripting language that is often used to make Web sites more flexible or interactive. VBScript (Visual Basic Script) is an interpreted, object-based scripting language that is often used to make Web sites more flexible or interactive.
Microsoft Jscript and VBscript engines are prone to a remote code execution vulnerability that is caused by the way JScript and VBScript scripting engines process scripts in Web pages. When the scripting engines attempt to reallocate memory while decoding a script in order to run it, an integer overflow can occur.
Affected Software:
JScript 5.7 and VBScript 5.7
JScript 5.8 and VBScript 5.8
JScript 5.6 and VBScript 5.6Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2514666, 2510531, 2510581)
August Security Updates for XPe SP3 and Standard 2009 Are Now on ECE (KB2510581)
- Consequence
- An attacker who successfully exploits this vulnerability could run arbitrary code in the context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Service Pack 3 (JScript 5.7 and VBScript 5.7)
Windows XP Service Pack 3 (JScript 5.8 and VBScript 5.8)
Windows XP Professional x64 Edition Service Pack 2 (JScript 5.6 and VBScript 5.6)
Windows XP Professional x64 Edition Service Pack 2 (JScript 5.7 and VBScript 5.7)
Windows XP Professional x64 Edition Service Pack 2 (JScript 5.8 and VBScript 5.8)
Windows Server 2003 Service Pack 2 (JScript 5.6 and VBScript 5.6)
Windows Server 2003 Service Pack 2 (JScript 5.7 and VBScript 5.7)
Windows Server 2003 Service Pack 2 (JScript 5.8 and VBScript 5.8)
Windows Server 2003 x64 Edition Service Pack 2 (JScript 5.6 and VBScript 5.6)
Windows Server 2003 x64 Edition Service Pack 2 (JScript 5.7 and VBScript 5.7)
Windows Server 2003 x64 Edition Service Pack 2 (JScript 5.8 and VBScript 5.8)
Windows Server 2003 with SP2 for Itanium-based Systems (JScript 5.6 and VBScript 5.6)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS11-031.
Workaround:
1) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting2) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Impact of workarounds #1 and #2: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.
-
Microsoft Internet Explorer Cumulative Security Update (MS11-018)
- Severity
- Critical 4
- Qualys ID
- 100099
- Vendor Reference
- MS11-018
- CVE Reference
- CVE-2011-0094, CVE-2011-0346, CVE-2011-1244, CVE-2011-1245, CVE-2011-1345
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft Internet Explorer is a Web browser available for Microsoft Windows.
Microsoft has released a security update that resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, content during certain processes, and script during certain processes.
This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients; and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2497640)
- Consequence
- The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploits any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Service Pack 3 (Internet Explorer 6)
Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 6)
Windows Server 2003 Service Pack 2 (Internet Explorer 6)
Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 6)
Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 6)
Windows XP Service Pack 3 (Internet Explorer 7)
Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 7)
Windows Server 2003 Service Pack 2 (Internet Explorer 7)
Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 7)
Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 7)
Windows Vista Service Pack 1 and Windows Vista Service Pack 2 (Internet Explorer 7)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS11-018.
Workaround:
1) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting2) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Impact of workarounds #1 and #2: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.
3) Read e-mails in plain text
-
Microsoft SMB Client Remote Code Execution Vulnerability (MS11-019)
- Severity
- Critical 4
- Qualys ID
- 90692
- Vendor Reference
- MS11-019
- CVE Reference
- CVE-2011-0654, CVE-2011-0660
- CVSS Scores
- Base 10 / Temporal 8.3
- Description
-
Microsoft Server Message Block (SMB) Protocol is a Microsoft network file sharing protocol used in Microsoft Windows.
Microsoft SMB Client is prone to a remote code execution vulnerability.
Microsoft has released a security update that addresses the vulnerabilities by correcting the manner in which the CIFS Browser handles specially crafted Browser messages, and correcting the manner in which the SMB client validates specially crafted SMB responses.
This security update is rated Critical for all supported releases of Microsoft Windows.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2511455)
- Consequence
- The vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB response to a client-initiated SMB request. To exploit these vulnerabilities, an attacker must convince the user to initiate an SMB connection to a specially crafted SMB server.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Refer to Microsoft Security Bulletin MS11-019 for further details.
Workaround:
1) Block TCP ports 138 at the firewallImpact of workaround #1: Applications that rely on the Computer Browser service will not function.
2) TCP ports 139 and 445 should be blocked at the firewall to protect systems behind the firewall from attempts to exploit this vulnerability.
Impact of workaround #2: Blocking the ports can cause several windows services or applications using those ports to stop functioning.
-
Microsoft SMB Server Remote Code Execution Vulnerability (MS11-020)
- Severity
- Urgent 5
- Qualys ID
- 90699
- Vendor Reference
- MS11-020
- CVE Reference
- CVE-2011-0661
- CVSS Scores
- Base 10 / Temporal 7.4
- Description
-
Microsoft Server Message Block (SMB) Protocol is a Microsoft network file sharing protocol used in Microsoft Windows.
An unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. The vulnerability is caused when the Microsoft SMB Protocol software improperly handles SMB packets, including some preauthentication scenarios. This vulnerability affects SMB version 1 and SMB version 2.
Microsoft has released a security update that addresses the vulnerability by correcting the way that SMB validates fields in malformed SMB requests.
This security update is rated Critical for all supported releases of Microsoft Windows.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2508429)
- Consequence
- Successful exploitation could lead to arbitrary execution of code.
- Solution
-
Patch:
Following are links for downloading patches to fix this vulnerability:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Refer to Microsoft Security Bulletin MS11-020 for further details.
Workaround:
1) TCP ports 139 and 445 should be blocked at the firewall to protect systems behind the firewall from attempts to exploit this vulnerability.Impact of workaround #1:
Blocking the ports can cause several windows services or applications using those ports to stop functioning.
-
Microsoft Excel Remote Code Execution Vulnerabilities (MS11-021)
- Severity
- Critical 4
- Qualys ID
- 110132
- Vendor Reference
- MS11-021
- CVE Reference
- CVE-2011-0097, CVE-2011-0098, CVE-2011-0101, CVE-2011-0103, CVE-2011-0104, CVE-2011-0105, CVE-2011-0978, CVE-2011-0979, CVE-2011-0980
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft.
Microsoft Excel is vulnerable to multiple remote code execution vulnerabilities.
Microsoft has released an update that addresses the vulnerability by correcting the way that Microsoft Excel manages data structures, validates record information, initializes variables used in memory operations, and allocates buffer space when parsing a specially crafted file.
This security update is rated Important for all supported editions of Microsoft Excel 2002, Microsoft Excel 2003, Microsoft Excel 2007, Microsoft Excel 2010, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Microsoft Office for Mac 2011; Open XML File Format Converter for Mac; and all supported versions of Microsoft Excel Viewer and Microsoft Office Compatibility Pack.
- Consequence
- An attacker who successfully exploits these vulnerabilities could take complete control of an affected system.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Office XP Service Pack 3 (Microsoft Excel 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Excel 2003 Service Pack 3)
Microsoft Office 2007 Service Pack 2 (Microsoft Excel 2007 Service Pack 2)
Microsoft Office 2010 (32-bit editions) (Microsoft Excel 2010 (32-bit editions))
Microsoft Office 2010 (64-bit editions) (Microsoft Excel 2010 (64-bit editions))
Open XML File Format Converter for Mac
Microsoft Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
Refer to Microsoft Security Bulletin MS11-021 for further details.
Workaround:
1) Avoid opening Office files received from un-trusted sources.2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of workaround #2:
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. The following registry scripts can be used to set the File Block policy.
Impact of workaround #3:
If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
-
Microsoft PowerPoint Remote Code Execution Vulnerability (MS11-022)
- Severity
- Critical 4
- Qualys ID
- 110148
- Vendor Reference
- MS11-022
- CVE Reference
- CVE-2011-0655, CVE-2011-0656, CVE-2011-0976
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft PowerPoint is a proprietary presentation application written and distributed by Microsoft.
PowerPoint is prone to multiple vulnerabilities that could lead to remote code execution (CVE-2011-0655, CVE-2011-0656, CVE-2011-0976).
Microsoft has released a security update that addresses the vulnerabilities by modifying the way PowerPoint validates records when opening PowerPoint files
This security update is rated Important for all supported releases of Microsoft PowerPoint; Microsoft Office for Mac; Open XML File Format Converter for Mac; Microsoft Office Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats; Microsoft PowerPoint Viewer, and Microsoft PowerPoint Web App
- Consequence
- An attacker who successfully exploits these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Office XP Service Pack 3 (Microsoft PowerPoint 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft PowerPoint 2003 Service Pack 3)
Microsoft Office 2007 Service Pack 2 (Microsoft PowerPoint 2007 Service Pack 2)
Microsoft Office 2010 (32-bit editions) (Microsoft PowerPoint 2010 (32-bit editions))
Microsoft Office 2010 (64-bit editions) (Microsoft PowerPoint 2010 (64-bit editions))
Open XML File Format Converter for Mac
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
Microsoft PowerPoint Viewer 2007 Service Pack 2
Refer to Microsoft Security Bulletin MS11-022 for further details.
Workaround:
1) Avoid opening Office files received from un-trusted sources.2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of workaround #2: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources.
Impact of workaround #3: If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
4) Set Office File Validation to disable editing in protected view in PowerPoint 2010.
Impact of workaround #4: Office File Validation will no longer allow the editing of suspicious files in PowerPoint 2010.
-
Microsoft Office Remote Code Execution Vulnerability (MS11-023)
- Severity
- Urgent 5
- Qualys ID
- 110146
- Vendor Reference
- MS11-023
- CVE Reference
- CVE-2011-0107, CVE-2011-0977
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft Office is prone to the following vulnerabilities:
- A remote code execution vulnerability exists in the way that Microsoft Office handles the loading of DLL files. (CVE-2011-0107)
- A remote code execution vulnerability exists in the way that Microsoft Office handles graphic objects when parsing a specially crafted Office file. (CVE-2011-0977)
Microsoft has released an update that addresses the vulnerabilities by correcting the way that Microsoft Office handles graphic objects in specially crafted Office files and by correcting the manner in which Microsoft Office loads external libraries.
This security update is rated Important for all supported editions of Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac; and Open XML File Format Converter for Mac.
- Consequence
- By exploiting these vulnerabilities, an attacker could take complete control of an affected system.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Open XML File Format Converter for Mac
Refer to Microsoft Security Bulletin MS11-023 for further details.
Workaround:
1) Avoid opening Office files received from un-trusted sources.2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of workaround #2:
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. The following registry scripts can be used to set the File Block policy.
Impact of workaround #3:
If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.4) Disable loading of libraries from WebDAV and remote network shares
5) Disable the WebClient service
Impact of workaround #5:
When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log.6) Block TCP ports 139 and 445 at the firewall
Impact of workaround #6:
Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function.
-
Microsoft DNS Resolution Remote Code Execution Vulnerability (MS11-030)
- Severity
- Critical 4
- Qualys ID
- 90695
- Vendor Reference
- MS11-030
- CVE Reference
- CVE-2011-0657
- CVSS Scores
- Base 7.5 / Temporal 5.9
- Description
-
DNSAPI.dll component is prone to a remote code execution vulnerability.
The vulnerability is caused by the way the DNS client handles specially crafted LLMNR queries.
Microsoft has released a security update that addresses the vulnerability by correcting the manner in which the DNS client processes specifically crafted DNS queries.
This security update is rated Critical for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The security update is rated Important for all supported editions of Windows XP and Windows Server 2003.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2509553)
- Consequence
- The vulnerability could allow remote code execution if an attacker gained access to the network and then created a custom program to send specially crafted LLMNR broadcast queries to the target systems.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
Refer to Microsoft Security Bulletin MS11-030 for further details.
Workaround:
1) Block TCP port 5355 and UDP port 5355 at the firewallImpact of workaround #1: Blocking connectivity to these ports will help prevent systems that are behind the firewall from attempts to exploit this vulnerability.
2) Disable Link-Local Mulitcast Name Resolution using group policy
Impact of workaround #2: The computer may not be visible to other computers on the network.
3) Turn off Network Discovery
Impact of workaround #3: The computer may not be visible to other computers on the network.
-
Microsoft Windows Fax Cover Page Editor Remote Code Execution Vulnerability (MS11-024)
- Severity
- Critical 4
- Qualys ID
- 90675
- Vendor Reference
- MS11-024
- CVE Reference
- CVE-2010-3974, CVE-2010-4701
- CVSS Scores
- Base 7.6 / Temporal 6.3
- Description
-
The Fax Cover Page Editor (fxscover.exe) application can be used to create and edit fax cover pages.
The vulnerability exists in Windows Fax Cover Page that is caused when the Windows Fax Cover Page Editor does not properly parse a specially crafted fax cover page.
Microsoft has released a security update that addresses the vulnerability by correcting the manner in which the Windows Fax Page Editor parses fax cover page files.
This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2491683, KB2506212)
- Consequence
- The vulnerability could allow remote code execution if a user opened a specially crafted fax cover page file (.cov) using the Windows Fax Cover Page Editor. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Professional x64 Edition Service Pack 2
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS11-024.
Workaround:
1) Remove the Fax Cover Page .COV file association on Windows XP and Windows Server 2003Impact of workaround #1: This workaround removes the .COV file association. Double-clicking a COV file will no longer launch Windows Fax Cover Page Editor.
-
Microsoft Foundation Class Library Remote Code Execution Vulnerability (MS11-025)
- Severity
- Urgent 5
- Qualys ID
- 90698
- Vendor Reference
- MS11-025
- CVE Reference
- CVE-2010-3190
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
The Microsoft Foundation Class Library is an application framework for programming in Microsoft Windows.
A remote code execution vulnerability exists in the way that certain applications built with Microsoft Foundation Classes handle the loading of DLL files.
Affected Software:
Microsoft Visual Studio .NET 2003 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1
Microsoft Visual Studio 2008 Service Pack 1
Microsoft Visual Studio 2010
Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package
Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package
Microsoft Visual C++ 2010 Redistributable Package - Consequence
- An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Visual Studio .NET 2003 Service Pack 1
Microsoft Visual Studio 2005 Service Pack 1
Microsoft Visual Studio 2008 Service Pack 1
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package
Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package
Microsoft Visual C++ 2010 Redistributable Package
Microsoft Visual C++ 2010 Redistributable Package Service Pack 1
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS11-025.
Workaround:
1)Disable loading of libraries from WebDAV and remote network shares
2) Disable the WebClient service
Impact of workaround #2: When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log.
3) Block TCP ports 139 and 445 at the firewall
Impact of workaround #3: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function.
-
Microsoft MHTML Information Disclosure Vulnerability (KB2501696, MS11-026)
- Severity
- Serious 3
- Qualys ID
- 90679
- Vendor Reference
- KB2501696, MS11-026
- CVE Reference
- CVE-2011-0096
- CVSS Scores
- Base 4.3 / Temporal 3.6
- Description
-
MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard that defines the MIME structure that is used to wrap HTML content.
An information disclosure vulnerability exists in the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to run a client-side script in the wrong security context.
Affected Software:
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2503658)
- Consequence
- An attacker who successfully exploited this vulnerability could inject a client-side script into the user's instance of Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
Refer to Microsoft Security Bulletin MS11-026 for further details.
Workaround:
1) Disable the MHTML protocol handlerImpact of workaround #1: The MHTML protocol will cease to function. Any application that uses MHTML will be affected by this workaround.
2) Enable the MHTML protocol lockdown
Impact of workaround #2: The MHTML protocol will be restricted to prevent the launch of script in all zones within an MHTML document. Any application that uses MHTML will be affected by this workaround. Script in standard HTML files is not affected by this workaround.
3) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting
4) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Impact of workaround #3 and #4:
On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.
-
Microsoft Windows Cumulative Security Update of ActiveX Kill Bits (MS11-027)
- Severity
- Urgent 5
- Qualys ID
- 90694
- Vendor Reference
- MS11-027
- CVE Reference
- CVE-2010-0811, CVE-2010-3973, CVE-2011-1243
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
The Microsoft Data Analyzer ActiveX control allows programmatic control of the Data Analyzer from COM-based development applications such as Microsoft Visual Basic. The Microsoft Internet Explorer 8 Developer Tools enables Web site developers to quickly debug Microsoft Jscript, investigate behavior specific to Internet Explorer, and prototype new designs or solutions on-the-fly.
A remote code execution vulnerability exists in the Microsoft Data Analyzer ActiveX Control, WMITools ActiveX Control and Windows Messenger ActiveX Control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. (CVE-2010-0811,CVE-2010-3973, CVE-2011-1243).
Microsoft has released an update that also sets kill bits for the some ActiveX Controls from Oracle, CA and IBM.
This security update is rated Critical for all supported editions of Windows XP, Windows Vista, and Windows 7, and Moderate for all supported editions of Windows Server 2003 (except Itanium-based editions), Windows Server2008 (except Itanium-based editions), and Windows Server 2008 R2.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2508272)
August Security Updates for XPe SP3 and Standard 2009 Are Now on ECE (KB2508272)
- Consequence
- Successfully exploiting this vulnerability could allow a remote attacker to execute arbitrary code.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Refer to Microsoft Security Bulletin MS11-027 for further details.
Workaround:
1) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting2) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Impact of workarounds #1 and #2: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.
3) Prevent COM objects from running in Internet Explorer
-
Microsoft .NET Framework Remote Code Execution Vulnerability (MS11-028)
- Severity
- Urgent 5
- Qualys ID
- 90696
- Vendor Reference
- MS11-028
- CVE Reference
- CVE-2010-3958
- CVSS Scores
- Base 9.3 / Temporal 7.3
- Description
-
The Microsoft .NET Framework is a software framework for computers running Microsoft Windows operating systems.
A remote code execution vulnerability exists in the way that Microsoft .NET Framework handles certain function calls. (CVE-2010-3958).
Microsoft has released a security update that addresses the vulnerability by correcting the manner in which the .NET Framework handles certain types of function calls.
This security update is rated Critical for all affected releases of Microsoft .NET Framework for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2484015, KB2446704, KB2446708)
- Consequence
- Successfully exploiting this vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs).
- Solution
-
Patch:
Following are links for downloading patches to fix this vulnerability:Windows XP Service Pack 3 (Microsoft .NET Framework 4.0[1])
Windows XP Professional x64 Edition Service Pack 2 (Microsoft .NET Framework 4.0[1])
Windows Server 2003 Service Pack 2 (Microsoft .NET Framework 4.0[1])
Windows Server 2003 x64 Edition Service Pack 2 (Microsoft .NET Framework 4.0[1])
Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft .NET Framework 4.0[1])
Windows Vista Service Pack 1 (Microsoft .NET Framework 4.0[1])
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS11-028.
Workaround:
1) Disable partially trusted Microsoft .NET applicationsImpact of workaround #1: Microsoft .NET applications may not run.
2) Disable XAML browser applications in Internet Explorer
Impact of workaround #2: Microsoft .NET code will not run in Internet Explorer or will not run without prompting. Disabling Microsoft .NET applications and components in the Internet and Local intranet security zones may cause some Web sites to work incorrectly.
-
Microsoft Windows GDI+ Remote Code Execution Vulnerability (MS11-029)
- Severity
- Urgent 5
- Qualys ID
- 90702
- Vendor Reference
- MS11-029
- CVE Reference
- CVE-2011-0041
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
GDI+ is a graphics device interface that provides two-dimensional vector graphics, imaging, and typography to applications and programmers.
A remote code execution vulnerability exists in the way that GDI+ handles integer calculations when a user opens a specially crafted Enhanced Metafile (EMF) image format file.
Microsoft has released a security update that addresses the vulnerability by modifying the way that GDI+ handles integer calculations when processing EMF files.
The security update for Microsoft Office XP is under MS11-023.
This security update is rated Critical for all supported versions of Microsoft Windows.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2412687)
- Consequence
- An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix this vulnerability:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Workaround:
1) Disable metafile processingImpact of workaround #1: Turning off processing of metafiles may cause the performance of software or system components to decrease in functionality. Turning off processing of metafiles may also cause the software or system components to fail completely.
2) Restrict access to gdiplus.dll
Impact of workaround #2: Windows Picture and Fax Viewer (on editions prior to Windows Vista) and other applications that rely on GDI+ will not be able to view images. Also, thumbnails in Windows Explorer (on versions prior to Vista) will not display.
-
Microsoft OpenType Compact Font Format (CFF) Driver Remote Code Execution Vulnerability (MS11-032)
- Severity
- Urgent 5
- Qualys ID
- 90697
- Vendor Reference
- MS11-032
- CVE Reference
- CVE-2011-0034
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft OpenType is a font format developed jointly by Microsoft and Adobe as an extension of Apple's TrueType font format. An OpenType CFF font is an OpenType font that contains PostScript Type 1 outlines. OpenType fonts can contain either PostScript Type 1 or TrueType outlines.
A remote code execution vulnerability exists in the way that the OpenType Font (OTF) driver improperly parses specially crafted OpenType fonts. (CVE-2011-0034)
Microsoft has released an update that addresses the vulnerabilitiy by correcting the manner in which the OpenType Font (OTF) driver parses a specially crafted OpenType font.
This security update is rated Critical for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. This security update is also rated Important for all supported editions of Windows XP and Windows Server 2003.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2507618)
- Consequence
- By exploiting this vulnerability, an attacker could run arbitrary code in kernel mode.
- Solution
-
Patch:
Following are links for downloading patches to fix this vulnerability:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
Refer to Microsoft Security Bulletin MS11-032 for further details.
Workaround:
1) Disable the Preview Pane and Details Pane in Windows ExplorerImpact of workaround #1: Windows Explorer will not automatically display OTF fonts.
2) Disable the WebClient service
Impact of workaround #2: When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the WebClient service will not start, and an error message will be logged in the System log.
-
Microsoft WordPad Text Converters Remote Code Execution Vulnerability (MS11-033)
- Severity
- Critical 4
- Qualys ID
- 90693
- Vendor Reference
- MS11-033
- CVE Reference
- CVE-2011-0028
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
WordPad is a basic word processor that is included in Windows.
A remote code execution vulnerability exists in the way that Microsoft WordPad parses specially crafted Word documents. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed structure.
Microsoft has released a security update that addresses the vulnerability by changing the way that the WordPad Text Converters handle specially crafted files.
This security update is rated Important for all supported editions of Windows XP and Windows Server 2003. All supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by the vulnerability.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2485663)
- Consequence
- Exploitation could result in arbitrary execution of code.
- Solution
-
Patch:
Following are links for downloading patches to fix this vulnerability:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS11-033 for further details.
Workaround:
Disable the WordPad Word 97 text converter by restricting access to the converter file.Impact of workaround: Upon implementing the workaround, opening a Word document in WordPad results in WordPad displaying representations of binary data instead of formatted text.
-
Microsoft Windows Kernel-Mode Drivers Elevation of Privilege Vulnerability (MS11-034)
- Severity
- Critical 4
- Qualys ID
- 90701
- Vendor Reference
- MS11-034
- CVE Reference
- CVE-2011-0662, CVE-2011-0665, CVE-2011-0666, CVE-2011-0667, CVE-2011-0670, CVE-2011-0671, CVE-2011-0672, CVE-2011-0673, CVE-2011-0674, CVE-2011-0675, CVE-2011-0676, CVE-2011-0677, CVE-2011-1225, CVE-2011-1226, CVE-2011-1227, CVE-2011-1228, CVE-2011-1229, CVE-2011-1230, CVE-2011-1231, CVE-2011-1232, CVE-2011-1233, CVE-2011-1234, CVE-2011-1235, CVE-2011-1236, CVE-2011-1237, CVE-2011-1238, CVE-2011-1239, CVE-2011-1240, CVE-2011-1241, CVE-2011-1242
- CVSS Scores
- Base 7.2 / Temporal 6
- Description
-
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.
The kernel is prone to the multiple vulnerabilities that could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application.
Microsoft has released an update that addresses the following issues: - An elevation of privilege vulnerability exists due to improper Kernel-mode driver object management.
This addresses the following CVE-IDs : CVE-2011-0662, CVE-2011-0665, CVE-2011-0666, CVE-2011-0667, CVE-2011-0670, CVE-2011-0671, CVE-2011-0672, CVE-2011-0674, CVE-2011-0675, CVE-2011-1234, CVE-2011-1235, CVE-2011-1236, CVE-2011-1237, CVE-2011-1238, CVE-2011-1239, CVE-2011-1240, CVE-2011-1241 and CVE-2011-1242- An elevation of privilege vulnerability exists due to a Null pointer dereference. This is due to the way the kernel-mode drivers keep track of pointers to certain kernel-mode driver objects.
This addresses the following CVE-IDs : CVE-2011-0673, CVE-2011-0676, CVE-2011-0677, CVE-2011-1225, CVE-2011-1226, CVE-2011-1227, CVE-2011-1228, CVE-2011-1229, CVE-2011-1230, CVE-2011-1231, CVE-2011-1232 and CVE-2011-1233Microsoft has released an update which addresses the vulnerabilities by correcting the way that kernel-mode drivers manage kernel-mode driver objects and keep track of pointers to kernel-mode driver objects.
This security update is rated Important for all supported versions of Microsoft Windows.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April Security Updates for XP Embedded SP3 and Standard 2009 Are Now on ECE (KB2506223)
- Consequence
- An attacker must have valid login credentials and be able to log on locally to exploit these vulnerabilities.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1
Refer to Microsoft Security Bulletin MS11-034 for further details.
These new vulnerability checks are included in Qualys vulnerability signature 1.28.85-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 90700
- 100099
- 90692
- 90699
- 110132
- 110148
- 110146
- 90695
- 90675
- 90698
- 90679
- 90694
- 90696
- 90702
- 90697
- 90693
- 90701
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.