Microsoft security alert.
August 13, 2013
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 23 vulnerabilities that were fixed in 8 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 8 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Internet Explorer Multiple Remote Code Execution Vulnerabilities (MS13-059)
- Severity
- Urgent 5
- Qualys ID
- 100160
- Vendor Reference
- MS13-059
- CVE Reference
- CVE-2013-3184, CVE-2013-3186, CVE-2013-3187, CVE-2013-3188, CVE-2013-3189, CVE-2013-3190, CVE-2013-3191, CVE-2013-3192, CVE-2013-3193, CVE-2013-3194, CVE-2013-3199
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft Internet Explorer is a graphical web browser developed by Microsoft and included as part of the Microsoft Windows operating systems.
Microsoft Internet Explorer is affected by the following vulnerabilities:
1. Multiple memory corruption vulnerabilities exist in the way that Internet Explorer improperly handles objects in memory.
2. A privilege escalation vulnerability exists in the way that Internet Explorer handles process integrity level assignment in specific cases.
3. An information disclosure vulnerability exists in Internet Explorer due to an improper EUC-JP character encoding issue that could allow script to perform cross-site scripting attacks.
An attacker could host a specially crafted website designed to exploit these vulnerabilities through Internet Explorer and then convince a user to view the website.
This security update is rated Critical for Internet Explorer 6, 7, 8, 9 and 10 on Windows clients and Moderate for Internet Explorer 6, 7, 8, 9 and 10 on Windows servers.
- Consequence
-
An attacker who successfully exploited these vulnerabilities could execute arbitrary code on affected systems with elevated privileges.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Service Pack 3 (Internet Explorer 6)
Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 6)
Windows Server 2003 Service Pack 2 (Internet Explorer 6)
Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 6)
Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 6)
Windows XP Service Pack 3 (Internet Explorer 7)
Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 7)
Windows Server 2003 Service Pack 2 (Internet Explorer 7)
Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 7)
Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 7)
Windows Vista Service Pack 2 (Internet Explorer 7)
Windows Vista x64 Edition Service Pack 2 (Internet Explorer 7)
Windows Server 2008 for 32-bit Systems Service Pack 2 (Internet Explorer 7)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-059.
Workaround:
1. Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
2. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
-
Microsoft Windows Unicode Scripts Processor Could Allow Remote Code Execution (MS13-060)
- Severity
- Critical 4
- Qualys ID
- 90899
- Vendor Reference
- MS13-060
- CVE Reference
- CVE-2013-3181
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
The Unicode Script Processor (USP10.DLL), also known as Uniscribe, is a collection of APIs that enables a text layout client to format complex scripts.
The Unicode Scripts Processor is exposed to a remote code execution vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts.
The security update addresses the vulnerability by correcting the way that Microsoft Windows parses specific characteristics of OpenType fonts.
This security update is rated Critical for all supported editions of Windows XP and Windows Server 2003.
- Consequence
- An attacker who successfully exploits this vulnerability could run arbitrary code as the logged-on user.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS13-060 for further details.
Workaround:
Modify the Access Control List (ACL) on usp10.dll to be more restrictive.
For 32-bit editions of Windows XP and Windows Server 2003, run the following command from a command prompt with administrative privileges:
cacls %WINDIR%\SYSTEM32\usp10.DLL /E /P everyone:N
For 64-bit editions of Windows XP and Windows Server 2003, run the following command from a command prompt with administrative privileges:
cacls %WINDIR%\SYSWOW64\usp10.DLL /E /P everyone:N
Impact of workaround: Firefox may not load. Some fonts may not render properly.
How to undo the workaround:
For 32-bit editions of Windows XP and Windows Server 2003, run the following command from a command prompt with administrative privileges:
cacls %WINDIR%\SYSTEM32\usp10.dll /E /R everyone
For 64-bit editions of Windows XP and Windows Server 2003, run the following command from a command prompt with administrative privileges:
cacls %WINDIR%\SYSWOW64\usp10.dll /E /R everyone
-
Microsoft Exchange Server Remote Code Execution Vulnerability (MS13-061)
- Severity
- Critical 4
- Qualys ID
- 74270
- Vendor Reference
- MS13-061
- CVE Reference
- CVE-2013-2393, CVE-2013-3776, CVE-2013-3781
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Microsoft Exchange Server is a messaging and collaborative software product that provides support for email, calendaring, contacts and tasks, mobile and Web-based access to information, and data storage.
This security update resolves three publicly disclosed vulnerabilities in Microsoft Exchange Server. The vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. The transcoding service in Exchange that is used for WebReady Document Viewing uses the credentials of the LocalService account.
This security update is rated Critical for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013.
Note: On 8/14/2013, Microsoft pulled the MS13-061 update for Exchange 2013. Microsoft recommends not proceeding with the update for Exchange 2013 at this time. To mitigate the security vulnerability, the workaround steps in the "Workaround" section are recommended. Refer to Exchange 2013 Security Update MS13-061 Status Update for further details.
- Consequence
- The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The Data Loss Prevention feature hosts code that could allow remote code execution in the security context of the Filtering Management service if a specially crafted message is received by the Exchange server.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Exchange Server 2007 Service Pack 3
Microsoft Exchange Server 2010 Service Pack 2
Microsoft Exchange Server 2010 Service Pack 3
Refer to Microsoft Security Bulletin MS13-061 for further details.
Workaround:
1. Disable Data Loss Prevention (Exchange Server 2013 only)
2. Disable WebReady document view.
-
Microsoft Windows Remote Procedure Call Privilege Escalation Vulnerability (MS13-062)
- Severity
- Critical 4
- Qualys ID
- 90900
- Vendor Reference
- MS13-062
- CVE Reference
- CVE-2013-3175
- CVSS Scores
- Base 10 / Temporal 7.4
- Description
-
Microsoft Remote Procedure Call (RPC) is a technology that allows creation of distributed client/server programs. RPC is an interprocess communication technique that allows client and server software to communicate.
An elevation of privilege vulnerability exists in the way that Windows handles asynchronous RPC requests. A remote, unauthenticated attacker could exploit this vulnerability by transmitting malformed RPC requests to a shared host.
This security update is rated Important for all supported releases of Microsoft Windows.
- Consequence
-
Successful exploit could allow remote, unauthenticated attackers to execute arbitrary code within the context of another user. If that other user has elevated rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-062.
-
Microsoft Windows Kernel Multiple Elevation of Privilege Vulnerabilities (MS13-063)
- Severity
- Serious 3
- Qualys ID
- 90903
- Vendor Reference
- MS13-063
- CVE Reference
- CVE-2013-2556, CVE-2013-3196, CVE-2013-3197, CVE-2013-3198
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
-
The Windows kernel is the core of the operating system. The kernel provides system-level services such as device management and memory management, allocates processor time to processes and manages error handling.
A security bypass vulnerability exists in Windows due to improper implementation of Address Space Layout Randomization (ASLR).
Multiple privilege escalation vulnerabilities exist in the Windows kernel due to a memory corruption condition in the NT Virtual DOS Machine (NTVDM) that could be leveraged by an attacker to execute code in kernel mode.
This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, and Windows 8.
- Consequence
-
Successful exploitation of these vulnerabilities could allow a local attacker to execute arbitrary code with elevated privileges.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows Server 2003 Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Refer to Microsoft Security Bulletin MS13-063 for further details.
-
Microsoft Windows NAT Driver Denial of Service (MS13-064)
- Severity
- Serious 3
- Qualys ID
- 90898
- Vendor Reference
- MS13-064
- CVE Reference
- CVE-2013-3182
- CVSS Scores
- Base 7.8 / Temporal 5.8
- Description
-
The Windows NAT Driver (winnat) service provides network address translation (NAT) in Windows.
The Windows NAT Driver service in Windows Server 2012 does not properly handle specially crafted ICMP packets.
This security update is rated Important for Windows Server 2012.
- Consequence
- A remote attacker who successfully exploited this vulnerability could cause the target system to stop responding until restarted.
- Solution
-
Patch:
Following is a link for downloading patches to fix the vulnerabilities:
Refer to Microsoft Security Bulletin MS13-064 for further details.
-
Microsoft Windows ICMPv6 Denial of Service Vulnerability (MS13-065)
- Severity
- Critical 4
- Qualys ID
- 90902
- Vendor Reference
- MS13-065
- CVE Reference
- CVE-2013-3183
- CVSS Scores
- Base 7.8 / Temporal 5.8
- Description
-
The IPv6 protocol component that is installed in Windows operating systems is a series of interconnected protocols that include Internet Control Message Protocol version 6 (ICMPv6), Multicast Listener Discovery (MLD), and Neighbor Discovery. It allows Microsoft Windows users to communicate with other users over the Internet.
A denial of service vulnerability exists in the Windows TCP/IP stack implementation that could cause the targeted system to stop responding to legitimate user queries until a system restart. The vulnerability is caused by improper allocation of memory for incoming ICMPv6 packets by the TCP/IP stack. A remote, unauthenticated attacker could exploit this vulnerability by transmitting specially crafted ICMPv6 packets to the target system.
This security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.
- Consequence
-
Successful exploitation could allow an unauthenticated, remote attacker to cause the targeted system to stop responding to legitimate user queries, leading to a denial of service condition.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Refer to Microsoft Security Bulletin MS13-065 for further details.
-
Microsoft Active Directory Federation Services Information Disclosure Vulnerability (MS13-066)
- Severity
- Serious 3
- Qualys ID
- 90901
- Vendor Reference
- MS13-066
- CVE Reference
- CVE-2013-3185
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
Active Directory Federation Services (AD FS) is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet.
An information disclosure vulnerability exists in Active Directory Federation Services (AD FS) that could allow the unintentional disclosure of account information (CVE-2013-3185).
This security update is rated Important for AD FS 2.0 when installed on non-Itanium editions of Windows Server 2008 and Windows Server 2008 R2. It is also rated Important for AD FS 2.1 when installed on Windows Server 2012.
- Consequence
- An attacker who successfully exploited this vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows Server 2003 R2 Service Pack 2 (Active Directory Federation Services 1.x)
Windows Server 2003 R2 x64 Edition Service Pack 2 (Active Directory Federation Services 1.x)
Windows Server 2008 for 32-bit Systems Service Pack 2 (Active Directory Federation Services 2.0)
Windows Server 2008 for 32-bit Systems Service Pack 2 (Active Directory Federation Services 1.x)
Windows Server 2008 for x64-based Systems Service Pack 2 (Active Directory Federation Services 2.0)
Windows Server 2008 for x64-based Systems Service Pack 2 (Active Directory Federation Services 1.x)
Windows Server 2012 (Active Directory Federation Services 2.1)
Refer to Microsoft Security Bulletin MS13-066 for further details.
These new vulnerability checks are included in Qualys vulnerability signature 2.2.507-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100160
- 90899
- 74270
- 90900
- 90903
- 90898
- 90902
- 90901
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.