Microsoft security alert.
July 10, 2012
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 16 vulnerabilities that were fixed in 9 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 9 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft XML Core Services Remote Code Execution Vulnerability (MS12-043 and KB2719615)
- Severity
- Critical 4
- Qualys ID
- 90814
- Vendor Reference
- KB2719615, MS12-043
- CVE Reference
- CVE-2012-1889
- CVSS Scores
- Base 9.3 / Temporal 8.1
- Description
-
Microsoft XML Core Services (MSXML) allows customers who use JScript, Visual Basic Scripting Edition and Microsoft Visual Studio 6.0 to develop XML-based applications that provide interoperability with other applications that adhere to the XML 1.0 standard.
A remote code execution vulnerability exists in the way that Microsoft XML Core Services handles objects in memory. The vulnerability could allow remote code execution if a user views a website that contains specially crafted content. (CVE-2012-1889)
Affected Software:
This security update is rated Critical for Microsoft XML Core Services 3.0, 4.0, and 6.0 on all supported editions of Windows XP, Windows Vista, and Windows 7 and is rated Moderate on all supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2; it is also rated Critical for Microsoft XML Core Services 5.0 for all supported editions of Microsoft Office 2003, Microsoft Office 2007, Microsoft Office Word Viewer, Microsoft Office Compatibility Pack, Microsoft Expression Web, Microsoft Office SharePoint Server 2007, and Microsoft Groove Server 2007.Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
[Product Update] July 2012 Security Updates Are On ECE For XPe SP3 and Standard 2009 (KB2719985)
August 2012 Security Updates are Live on ECE for XPe and Standard 2009 (KB2719985)
- Consequence
- Successfully exploiting this vulnerability might allow a remote attacker to execute arbitrary code.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Service Pack 3 (Microsoft XML Core Services 3.0)
Windows XP Service Pack 3 (Microsoft XML Core Services 4.0)
Windows XP Service Pack 3 (Microsoft XML Core Services 6.0)
Windows XP Professional x64 Edition Service Pack 2 (Microsoft XML Core Services 3.0)
Windows XP Professional x64 Edition Service Pack 2 (Microsoft XML Core Services 4.0)
Windows XP Professional x64 Edition Service Pack 2 (Microsoft XML Core Services 6.0)
Windows Server 2003 Service Pack 2 (Microsoft XML Core Services 3.0)
Windows Server 2003 Service Pack 2 (Microsoft XML Core Services 4.0)
Windows Server 2003 Service Pack 2 (Microsoft XML Core Services 6.0)
Windows Server 2003 x64 Edition Service Pack 2 (Microsoft XML Core Services 3.0)
Windows Server 2003 x64 Edition Service Pack 2 (Microsoft XML Core Services 4.0)
Windows Server 2003 x64 Edition Service Pack 2 (Microsoft XML Core Services 6.0)
Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft XML Core Services 3.0)
Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft XML Core Services 4.0)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS12-043.
Workaround:
1) Deploy the Enhanced Mitigation Experience Toolkit2) Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone
-
Microsoft Internet Explorer Cumulative Security Update (MS12-044)
- Severity
- Critical 4
- Qualys ID
- 100118
- Vendor Reference
- MS12-044
- CVE Reference
- CVE-2012-1522, CVE-2012-1524
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft Internet Explorer is a Web browser available for Microsoft Windows.
Internet Explorer is prone to multiple vulnerabilities that could allow remote code execution.
Microsoft has released a security update that addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory.
This security update is rated Critical for Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 9 on Windows servers.
- Consequence
- Successfully exploiting this vulnerability could cause execution of arbitrary code.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows Vista Service Pack 2 (Internet Explorer 9)
Windows Vista x64 Edition Service Pack 2 (Internet Explorer 9)
Windows Server 2008 for 32-bit Systems Service Pack 2 (Internet Explorer 9)
Windows Server 2008 for x64-based Systems Service Pack 2 (Internet Explorer 9)
Windows 7 for 32-bit Systems (Internet Explorer 9)
Windows 7 for 32-bit Systems Service Pack 1 (Internet Explorer 9)
Windows 7 for x64-based Systems (Internet Explorer 9)
Windows 7 for x64-based Systems Service Pack 1 (Internet Explorer 9)
Windows Server 2008 R2 for x64-based Systems (Internet Explorer 9)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Internet Explorer 9)
Refer to Microsoft Security Bulletin MS12-044 for further details. Workaround:
Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.Configure IE to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones; add trusted sites to the IE trusted sites zone.
Note: Disabling or restricting scripting can severely impact the usability of the browser.
-
Microsoft Data Access Components Remote Code Execution Vulnerability (MS12-045)
- Severity
- Urgent 5
- Qualys ID
- 90817
- Vendor Reference
- MS12-045
- CVE Reference
- CVE-2012-1891
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft Data Access Components (MDAC) is a collection of components that make it easy for programs to access databases and then to manipulate the data within them.
A remote code execution vulnerability exists in the way that Microsoft Data Access Components accesses an object in memory that has been improperly initialized. (CVE-2012-1891)
Affected Software:
Microsoft Data Access Components 2.8 Service Pack 1
- Windows XP Service Pack 3
Microsoft Data Access Components 2.8 Service Pack 2
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
Windows Data Access Components 6.0
- Windows Vista Service Pack 2
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems Service Pack 2
- Windows 7 for 32-bit Systems
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 7 for x64-based Systems
- Windows 7 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for Itanium-based Systems
- Windows Server 2008 R2 for Itanium-based Systems Service Pack 1This security update is rated Critical.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
[Product Update] July 2012 Security Updates Are On ECE For XPe SP3 and Standard 2009 (KB2698365)
August 2012 Security Updates are Live on ECE for XPe and Standard 2009 (KB2698365)
- Consequence
- An attacker who successfully exploits this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS12-045.
-
Microsoft Visual Basic for Applications Remote Code Execution Vulnerability (MS12-046)
- Severity
- Critical 4
- Qualys ID
- 110184
- Vendor Reference
- MS12-046
- CVE Reference
- CVE-2012-1854
- CVSS Scores
- Base 6.9 / Temporal 6
- Description
-
Microsoft VBA is a development technology for developing client desktop packaged applications and integrating them with existing data and systems. Microsoft VBA is based on the Microsoft Visual Basic development system. Microsoft Office products include VBA and make use of VBA to perform certain functions. VBA can also be used to build customized applications around an existing host application.
The security update addresses the vulnerability by correcting how Microsoft Visual Basic for Applications loads external libraries.
This security update is rated Important for all supported versions of Microsoft Visual Basic for Applications SDK and third-party applications that use Microsoft Visual Basic for Applications. - Consequence
- The vulnerability could allow remote code execution if a user opens a legitimate Microsoft Office file (such as a .docx file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker could then install programs; view, change, or delete data; or create new accounts that have full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Microsoft Office 2007 Service Pack 3
Microsoft Office 2010 Service Pack 1
Microsoft Office 2010 Service Pack 1
Microsoft Office 2010 Service Pack 1
Microsoft Office 2010 Service Pack 1
Microsoft Visual Basic for Applications
Refer to Microsoft Security Bulletin MS12-046 for further details.
-
Microsoft Windows Kernel-Mode Drivers Elevation of Privilege Vulnerability (MS12-047)
- Severity
- Critical 4
- Qualys ID
- 90816
- Vendor Reference
- MS12-047
- CVE Reference
- CVE-2012-1890, CVE-2012-1893
- CVSS Scores
- Base 7.2 / Temporal 5.6
- Description
-
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.
An elevation of privilege vulnerability exists in the way that the Windows kernel-mode driver handles specific keyboard layouts. (CVE-2012-1890)
An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly validates parameters when creating a hook procedure. (CVE-2012-1893)
Affected Software:
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1This security update is rated Important.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
[Product Update] July 2012 Security Updates Are On ECE For XPe SP3 and Standard 2009 (KB2718523)
- Consequence
- An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS12-047.
-
Microsoft Windows Shell Remote Code Execution Vulnerability (MS12-048)
- Severity
- Critical 4
- Qualys ID
- 90818
- Vendor Reference
- MS12-048
- CVE Reference
- CVE-2012-0175
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft Windows is prone to a vulnerability that may allow remote code execution if a user opens a file or directory with a specially crafted name.
Microsoft has released a security update that addresses the vulnerabilities by modifying the way that Windows handles files and directories with specially crafted names.
This security update is rated Important for all supported releases of Microsoft Windows.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
[Product Update] July 2012 Security Updates Are On ECE For XPe SP3 and Standard 2009 (KB2691442)
August 2012 Security Updates are Live on ECE for XPe and Standard 2009 (KB2691442)
- Consequence
- Successfully exploiting this vulnerability might allow an attacker to execute arbitrary code.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS12-048.
-
Microsoft Windows TLS Information Disclosure Vulnerability (MS12-049)
- Severity
- Serious 3
- Qualys ID
- 90815
- Vendor Reference
- MS12-049
- CVE Reference
- CVE-2012-1870
- CVSS Scores
- Base 4.3 / Temporal 3.4
- Description
-
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are cryptographic protocols that provide communication security over the Internet.
This security update resolves a publicly disclosed vulnerability in TLS. The security update addresses the vulnerability by modifying the way that the Windows Secure Channel (SChannel) and the Cryptography API: Next Generation (CNG) components handle encrypted network packets.
Affected Versions:
Windows XP
Windows Server 2003
Windows Vista
Windows Server 2008
Windows 7This security update is rated Important for all supported releases of Microsoft Windows.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
[Product Update] July 2012 Security Updates Are On ECE For XPe SP3 and Standard 2009 (KB2655992)
August 2012 Security Updates are Live on ECE for XPe and Standard 2009 (KB2655992)
- Consequence
- The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. All cipher suites that do not use CBC mode are not affected.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS12-049.
-
Microsoft SharePoint Privilege Escalation Vulnerability (MS12-050)
- Severity
- Critical 4
- Qualys ID
- 110185
- Vendor Reference
- MS12-050
- CVE Reference
- CVE-2012-1858, CVE-2012-1859, CVE-2012-1860, CVE-2012-1861, CVE-2012-1862, CVE-2012-1863
- CVSS Scores
- Base 6.8 / Temporal 5.6
- Description
-
Microsoft SharePoint is prone to multiple vulnerabilities that could allow an attacker to conduct privilege escalation attacks.
Microsoft has released a security update that addresses the vulnerabilities by modifying the way that HTML strings are sanitized and by correcting the way that Microsoft SharePoint validates and sanitizes user input.
This security update is rated Important for supported editions of Microsoft InfoPath 2007, Microsoft InfoPath 2010, Microsoft SharePoint Server 2007, Microsoft SharePoint Server 2010, and Microsoft Groove Server 2010; and for supported versions of Microsoft Windows SharePoint Services 3.0 and SharePoint Foundation 2010.
- Consequence
- Exploitation could result in elevation of privilege or information disclosure.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:Microsoft InfoPath 2007 Service Pack 2
Microsoft InfoPath 2007 Service Pack 2
Microsoft InfoPath 2007 Service Pack 3
Microsoft InfoPath 2007 Service Pack 3
Microsoft InfoPath 2010 Service Pack 1
Microsoft InfoPath 2010 Service Pack 1
Microsoft InfoPath 2010 Service Pack 1
Microsoft InfoPath 2010 Service Pack 1
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS12-050.
-
Microsoft Office for Mac Could Allow Elevation of Privileges (MS12-051)
- Severity
- Critical 4
- Qualys ID
- 110186
- Vendor Reference
- MS12-051
- CVE Reference
- CVE-2012-1894
- CVSS Scores
- Base 6.9 / Temporal 5.1
- Description
-
Microsoft Office for Macintosh is a proprietary suite of Office applications.
An elevation of privilege vulnerability exists in the way that folder permissions are set in certain Microsoft Office for Mac installations.
This security update is rated ImportantAffected Version:
Microsoft Office 2011 for Mac
- Consequence
- Successful exploitation allows elevation of privilege or information disclosure.
- Solution
-
Patch:
Following link is a patch to fix the vulnerability:Workaround:
The following workaround would not correct the underlying vulnerability but would help block known attack vectors before you apply the update.Remove write permission from others in affected folders.
/usr/bin/sudo /bin/chmod -R -P o-w /Library/Internet\ Plug-Ins/SharePointWebKitPlugin.webplugin/
/usr/bin/sudo /bin/chmod -R -P o-w /Library/Internet\ Plug-Ins/SharePointBrowserPlugin.plugin/
/usr/bin/sudo /bin/chmod -R -P o-w /Library/Fonts/Microsoft/
/usr/bin/sudo /bin/chmod -R -P o-w /Library/Automator/
/usr/bin/sudo /bin/chmod -R -P o-w /Applications/Microsoft\ Office\ 2011/
These new vulnerability checks are included in Qualys vulnerability signature 2.2.169-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 90814
- 100118
- 90817
- 110184
- 90816
- 90818
- 90815
- 110185
- 110186
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.