Microsoft security alert.
October 8, 2013
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 25 vulnerabilities that were fixed in 8 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 8 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Internet Explorer Multiple Remote Code Execution Vulnerabilities (MS13-080)
- Severity
- Urgent 5
- Qualys ID
- 100164
- Vendor Reference
- MS13-080
- CVE Reference
- CVE-2013-3872, CVE-2013-3873, CVE-2013-3874, CVE-2013-3875, CVE-2013-3882, CVE-2013-3885, CVE-2013-3886, CVE-2013-3893, CVE-2013-3897
- CVSS Scores
- Base 9.3 / Temporal 8.1
- Description
-
Microsoft Internet Explorer is a graphical web browser developed by Microsoft and included as part of the Microsoft Windows operating systems.
Microsoft Internet Explorer is affected by following vulnerabilities. Multiple memory corruption vulnerabilities that exists in the way that Internet Explorer improperly handles objects in memory. An attacker could host a specially crafted website designed to exploit these vulnerabilities through Internet Explorer and then convince a user to view the website.
This security update is rated Critical for Internet Explorer 6, 7, 8, 9 and 10 on Windows clients and Moderate for Internet Explorer 6, 7, 8, 9 and 10 on Windows servers
- Consequence
- An attacker who successfully exploited these vulnerabilities could execute arbitrary code on affected systems with elevated privileges.
- Solution
-
Please refer to MS13-080 for details.
Workaround:
1. Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
2. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS13-080 Windows 7 for 32-bit Systems Service Pack 1(Internet Explorer 10)
MS13-080 Windows 7 for 32-bit Systems Service Pack 1(Internet Explorer 8)
MS13-080 Windows 7 for 32-bit Systems Service Pack 1(Internet Explorer 9)
MS13-080 Windows 7 for x64-based Systems Service Pack 1(Internet Explorer 10)
MS13-080 Windows 7 for x64-based Systems Service Pack 1(Internet Explorer 8)
MS13-080 Windows 7 for x64-based Systems Service Pack 1(Internet Explorer 9)
MS13-080 Windows 8 for 32-bit Systems(Internet Explorer 10)
MS13-080 Windows 8 for 64-bit Systems(Internet Explorer 10)
MS13-080 Windows Server 2003 Service Pack 2(Internet Explorer 6)
MS13-080 Windows Server 2003 Service Pack 2(Internet Explorer 7)
MS13-080 Windows Server 2003 Service Pack 2(Internet Explorer 8)
MS13-080 Windows Server 2003 with SP2 for Itanium-based Systems(Internet Explorer 6)
MS13-080 Windows Server 2003 with SP2 for Itanium-based Systems(Internet Explorer 7)
MS13-080 Windows Server 2003 x64 Edition Service Pack 2(Internet Explorer 6)
MS13-080 Windows Server 2003 x64 Edition Service Pack 2(Internet Explorer 7)
MS13-080 Windows Server 2003 x64 Edition Service Pack 2(Internet Explorer 8)
MS13-080 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1(Internet Explorer 8)
MS13-080 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Internet Explorer 10)
MS13-080 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Internet Explorer 8)
MS13-080 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Internet Explorer 9)
MS13-080 Windows Server 2008 for 32-bit Systems Service Pack 2(Internet Explorer 7)
MS13-080 Windows Server 2008 for 32-bit Systems Service Pack 2(Internet Explorer 8)
MS13-080 Windows Server 2008 for 32-bit Systems Service Pack 2(Internet Explorer 9)
MS13-080 Windows Server 2008 for Itanium-based Systems Service Pack 2(Internet Explorer 7)
MS13-080 Windows Server 2008 for x64-based Systems Service Pack 2(Internet Explorer 7)
MS13-080 Windows Server 2008 for x64-based Systems Service Pack 2(Internet Explorer 8)
MS13-080 Windows Server 2008 for x64-based Systems Service Pack 2(Internet Explorer 9)
MS13-080 Windows Server 2012(Internet Explorer 10)
MS13-080 Windows Vista Service Pack 2(Internet Explorer 7)
MS13-080 Windows Vista Service Pack 2(Internet Explorer 8)
MS13-080 Windows Vista Service Pack 2(Internet Explorer 9)
MS13-080 Windows Vista x64 Edition Service Pack 2(Internet Explorer 7)
MS13-080 Windows Vista x64 Edition Service Pack 2(Internet Explorer 8)
MS13-080 Windows Vista x64 Edition Service Pack 2(Internet Explorer 9)
MS13-080 Windows XP Professional x64 Edition Service Pack 2(Internet Explorer 6)
MS13-080 Windows XP Professional x64 Edition Service Pack 2(Internet Explorer 7)
MS13-080 Windows XP Professional x64 Edition Service Pack 2(Internet Explorer 8)
MS13-080 Windows XP Service Pack 3(Internet Explorer 6)
MS13-080 Windows XP Service Pack 3(Internet Explorer 7)
MS13-080 Windows XP Service Pack 3(Internet Explorer 8)
-
Microsoft Word Multiple Remote Code Execution Vulnerabilities (MS13-086)
- Severity
- Critical 4
- Qualys ID
- 110222
- Vendor Reference
- MS13-086
- CVE Reference
- CVE-2013-3891, CVE-2013-3892
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft Word is a word processor developed by Microsoft.
Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files, allowing remote attackers to execute arbitrary code on the targeted system.
Affected Software:
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 3
Microsoft Office Compatibility Pack Service Pack 3
- Consequence
- An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative rights.
- Solution
-
Refer to MS13-086 for further information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS13-086 Microsoft Office 2003 Service Pack 3(Microsoft Word 2003 Service Pack 3)
MS13-086 Microsoft Office 2007 Service Pack 3(Microsoft Word 2007 Service Pack 3)
MS13-086 Microsoft Office Compatibility Pack Service Pack 3
-
Microsoft Windows Kernel-Mode Drivers Remote Code Execution (MS13-081)
- Severity
- Urgent 5
- Qualys ID
- 90913
- Vendor Reference
- MS13-081
- CVE Reference
- CVE-2013-3128, CVE-2013-3200, CVE-2013-3879, CVE-2013-3880, CVE-2013-3881, CVE-2013-3888, CVE-2013-3894
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
The Windows kernel is the core of the operating system. It provides system-level services such as device management and memory management, allocates processor time to processes, and manages error handling.
The kernel is prone to the following vulnerabilities:
- A remote code execution vulnerability exists in the way that Windows parses specially crafted OpenType fonts (OTF). (CVE-2013-3128)
- An elevation of privilege vulnerability exists when Windows USB drivers improperly handle objects in memory. (CVE-2013-3200)
- An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory.(CVE-2013-3879)
- An elevation of privilege vulnerability exists in the Windows App Container. (CVE-2013-3880)
- An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. (CVE-2013-3881)
- An elevation of privilege vulnerability exists when the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys) improperly handles objects in memory.(CVE-2013-3888)
- A remote code execution vulnerability exists in the way that Windows parses specially crafted TrueType fonts (TTF).(CVE-2013-3894)
Microsoft has released a security update that addresses the vulnerabilities by correcting the way the Windows kernel-mode drivers handle objects in memory.
This security update is rated Critical for all supported releases of Microsoft Windows except Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
- Consequence
-
Successful exploitation of these vulnerabilities could allow a local attacker to execute arbitrary code with elevated privileges.
- Solution
-
Refer to MS13-081 for further information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS13-081 Windows 7 for 32-bit Systems Service Pack 1
MS13-081 Windows 7 for 32-bit Systems Service Pack 1
MS13-081 Windows 7 for 32-bit Systems Service Pack 1
MS13-081 Windows 7 for 32-bit Systems Service Pack 1
MS13-081 Windows 7 for 32-bit Systems Service Pack 1
MS13-081 Windows 7 for 32-bit Systems Service Pack 1
MS13-081 Windows 7 for 32-bit Systems Service Pack 1
MS13-081 Windows 7 for 32-bit Systems Service Pack 1
MS13-081 Windows 7 for 32-bit Systems Service Pack 1
MS13-081 Windows 7 for x64-based Systems Service Pack 1
MS13-081 Windows 7 for x64-based Systems Service Pack 1
MS13-081 Windows 7 for x64-based Systems Service Pack 1
MS13-081 Windows 7 for x64-based Systems Service Pack 1
MS13-081 Windows 7 for x64-based Systems Service Pack 1
MS13-081 Windows 7 for x64-based Systems Service Pack 1
MS13-081 Windows 7 for x64-based Systems Service Pack 1
MS13-081 Windows 7 for x64-based Systems Service Pack 1
MS13-081 Windows 7 for x64-based Systems Service Pack 1
MS13-081 Windows 8 for 32-bit Systems
MS13-081 Windows 8 for 32-bit Systems
MS13-081 Windows 8 for 32-bit Systems
MS13-081 Windows 8 for 32-bit Systems
MS13-081 Windows 8 for 32-bit Systems
MS13-081 Windows 8 for 32-bit Systems
MS13-081 Windows 8 for 32-bit Systems
MS13-081 Windows 8 for 32-bit Systems
MS13-081 Windows 8 for 64-bit Systems
MS13-081 Windows 8 for 64-bit Systems
MS13-081 Windows 8 for 64-bit Systems
MS13-081 Windows 8 for 64-bit Systems
MS13-081 Windows 8 for 64-bit Systems
MS13-081 Windows 8 for 64-bit Systems
MS13-081 Windows 8 for 64-bit Systems
MS13-081 Windows 8 for 64-bit Systems
MS13-081 Windows Server 2003 Service Pack 2
MS13-081 Windows Server 2003 Service Pack 2
MS13-081 Windows Server 2003 Service Pack 2
MS13-081 Windows Server 2003 Service Pack 2
MS13-081 Windows Server 2003 Service Pack 2
MS13-081 Windows Server 2003 Service Pack 2
MS13-081 Windows Server 2003 with SP2 for Itanium-based Systems
MS13-081 Windows Server 2003 with SP2 for Itanium-based Systems
MS13-081 Windows Server 2003 with SP2 for Itanium-based Systems
MS13-081 Windows Server 2003 with SP2 for Itanium-based Systems
MS13-081 Windows Server 2003 with SP2 for Itanium-based Systems
MS13-081 Windows Server 2003 with SP2 for Itanium-based Systems
MS13-081 Windows Server 2003 x64 Edition Service Pack 2
MS13-081 Windows Server 2003 x64 Edition Service Pack 2
MS13-081 Windows Server 2003 x64 Edition Service Pack 2
MS13-081 Windows Server 2003 x64 Edition Service Pack 2
MS13-081 Windows Server 2003 x64 Edition Service Pack 2
MS13-081 Windows Server 2003 x64 Edition Service Pack 2
MS13-081 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-081 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS13-081 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS13-081 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS13-081 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS13-081 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS13-081 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS13-081 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS13-081 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Server 2012
MS13-081 Windows Vista Service Pack 2
MS13-081 Windows Vista Service Pack 2
MS13-081 Windows Vista Service Pack 2
MS13-081 Windows Vista Service Pack 2
MS13-081 Windows Vista Service Pack 2
MS13-081 Windows Vista Service Pack 2
MS13-081 Windows Vista Service Pack 2
MS13-081 Windows Vista Service Pack 2
MS13-081 Windows Vista Service Pack 2
MS13-081 Windows Vista x64 Edition Service Pack 2
MS13-081 Windows Vista x64 Edition Service Pack 2
MS13-081 Windows Vista x64 Edition Service Pack 2
MS13-081 Windows Vista x64 Edition Service Pack 2
MS13-081 Windows Vista x64 Edition Service Pack 2
MS13-081 Windows Vista x64 Edition Service Pack 2
MS13-081 Windows Vista x64 Edition Service Pack 2
MS13-081 Windows Vista x64 Edition Service Pack 2
MS13-081 Windows Vista x64 Edition Service Pack 2
MS13-081 Windows XP Professional x64 Edition Service Pack 2
MS13-081 Windows XP Professional x64 Edition Service Pack 2
MS13-081 Windows XP Professional x64 Edition Service Pack 2
MS13-081 Windows XP Professional x64 Edition Service Pack 2
MS13-081 Windows XP Professional x64 Edition Service Pack 2
MS13-081 Windows XP Professional x64 Edition Service Pack 2
MS13-081 Windows XP Service Pack 3
MS13-081 Windows XP Service Pack 3
MS13-081 Windows XP Service Pack 3
MS13-081 Windows XP Service Pack 3
MS13-081 Windows XP Service Pack 3
MS13-081 Windows XP Service Pack 3
-
Microsoft .NET Framework Code Execution and Denial of Service Vulnerabilities (MS13-082)
- Severity
- Urgent 5
- Qualys ID
- 90912
- Vendor Reference
- MS13-082
- CVE Reference
- CVE-2013-3128, CVE-2013-3860, CVE-2013-3861
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
The Microsoft .NET Framework is a software framework for computers running Microsoft Windows operating systems.
Microsoft .NET Framework is exposed to the following vulnerabilities:
- A remote code execution vulnerability exists in the way that affected components handle specially crafted OpenType fonts (OTF). The vulnerability could allow remote code execution if a user visits a website hosting an XAML Browser Application (XBAP) containing a specially crafted OTF file (CVE-2013-3128).
- A denial of service vulnerability exists in the .NET Framework that could allow an attacker to cause a server or application to crash or become unresponsive (CVE-2013-3860).
- A denial of service vulnerability exists in the .NET Framework that could allow an attacker to cause a server or application to crash or become unresponsive (CVE-2013-3861).This security update is rated Critical for Microsoft .NET Framework 3.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, and Microsoft .NET Framework 4.5 on affected editions of Microsoft Windows; it is rated Important for Microsoft .NET Framework 2.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1 on affected editions of Microsoft Windows.
- Consequence
- Successfully exploiting this vulnerability might allow a remote attacker to execute arbitrary code or cause denial of service.
- Solution
-
Refer to MS13-082 for further information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS13-082 Windows 7 for 32-bit Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS13-082 Windows 7 for 32-bit Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS13-082 Windows 7 for 32-bit Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS13-082 Windows 7 for 32-bit Systems Service Pack 1(Microsoft .NET Framework 4)
MS13-082 Windows 7 for 32-bit Systems Service Pack 1(Microsoft .NET Framework 4.5)
MS13-082 Windows 7 for 32-bit Systems Service Pack 1
MS13-082 Windows 7 for 32-bit Systems Service Pack 1
MS13-082 Windows 7 for 32-bit Systems Service Pack 1
MS13-082 Windows 7 for x64-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS13-082 Windows 7 for x64-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS13-082 Windows 7 for x64-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS13-082 Windows 7 for x64-based Systems Service Pack 1(Microsoft .NET Framework 4)
MS13-082 Windows 7 for x64-based Systems Service Pack 1(Microsoft .NET Framework 4.5)
MS13-082 Windows 7 for x64-based Systems Service Pack 1
MS13-082 Windows 7 for x64-based Systems Service Pack 1
MS13-082 Windows 7 for x64-based Systems Service Pack 1
MS13-082 Windows 8 for 32-bit Systems(Microsoft .NET Framework 3.5)
MS13-082 Windows 8 for 32-bit Systems(Microsoft .NET Framework 3.5)
MS13-082 Windows 8 for 32-bit Systems(Microsoft .NET Framework 3.5)
MS13-082 Windows 8 for 32-bit Systems(Microsoft .NET Framework 4.5)
MS13-082 Windows 8 for 64-bit Systems(Microsoft .NET Framework 3.5)
MS13-082 Windows 8 for 64-bit Systems(Microsoft .NET Framework 3.5)
MS13-082 Windows 8 for 64-bit Systems(Microsoft .NET Framework 3.5)
MS13-082 Windows 8 for 64-bit Systems(Microsoft .NET Framework 4.5)
MS13-082 Windows Server 2003 Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS13-082 Windows Server 2003 Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
MS13-082 Windows Server 2003 Service Pack 2(Microsoft .NET Framework 3.5 Service Pack 1)
MS13-082 Windows Server 2003 Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Server 2003 Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Server 2003 with SP2 for Itanium-based Systems(Microsoft .NET Framework 2.0 Service Pack 2)
MS13-082 Windows Server 2003 with SP2 for Itanium-based Systems(Microsoft .NET Framework 3.5 Service Pack 1)
MS13-082 Windows Server 2003 with SP2 for Itanium-based Systems(Microsoft .NET Framework 4)
MS13-082 Windows Server 2003 x64 Edition Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS13-082 Windows Server 2003 x64 Edition Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
MS13-082 Windows Server 2003 x64 Edition Service Pack 2(Microsoft .NET Framework 3.5 Service Pack 1)
MS13-082 Windows Server 2003 x64 Edition Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Server 2003 x64 Edition Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS13-082 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS13-082 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1(Microsoft .NET Framework 4)
MS13-082 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-082 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Microsoft .NET Framework 3.5.1)
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Microsoft .NET Framework 4)
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1(Microsoft .NET Framework 4.5)
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(Microsoft .NET Framework 3.5.1)
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(Microsoft .NET Framework 3.5.1)
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(Microsoft .NET Framework 4)
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)(Microsoft .NET Framework 4.5)
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
MS13-082 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
MS13-082 Windows Server 2008 for 32-bit Systems Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS13-082 Windows Server 2008 for 32-bit Systems Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
MS13-082 Windows Server 2008 for 32-bit Systems Service Pack 2(Microsoft .NET Framework 3.5 Service Pack 1)
MS13-082 Windows Server 2008 for 32-bit Systems Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Server 2008 for 32-bit Systems Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Server 2008 for 32-bit Systems Service Pack 2(Microsoft .NET Framework 4.5)
MS13-082 Windows Server 2008 for 32-bit Systems Service Pack 2(Microsoft .NET Framework 4.5)
MS13-082 Windows Server 2008 for Itanium-based Systems Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS13-082 Windows Server 2008 for Itanium-based Systems Service Pack 2(Microsoft .NET Framework 3.5 Service Pack 1)
MS13-082 Windows Server 2008 for Itanium-based Systems Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Server 2008 for x64-based Systems Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS13-082 Windows Server 2008 for x64-based Systems Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
MS13-082 Windows Server 2008 for x64-based Systems Service Pack 2(Microsoft .NET Framework 3.5 Service Pack 1)
MS13-082 Windows Server 2008 for x64-based Systems Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Server 2008 for x64-based Systems Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Server 2008 for x64-based Systems Service Pack 2(Microsoft .NET Framework 4.5)
MS13-082 Windows Server 2008 for x64-based Systems Service Pack 2(Microsoft .NET Framework 4.5)
MS13-082 Windows Server 2012(Microsoft .NET Framework 3.5)
MS13-082 Windows Server 2012(Microsoft .NET Framework 3.5)
MS13-082 Windows Server 2012(Microsoft .NET Framework 3.5)
MS13-082 Windows Server 2012(Microsoft .NET Framework 4.5)
MS13-082 Windows Server 2012 (Server Core installation)(Microsoft .NET Framework 3.5)
MS13-082 Windows Server 2012 (Server Core installation)(Microsoft .NET Framework 3.5)
MS13-082 Windows Server 2012 (Server Core installation)(Microsoft .NET Framework 4.5)
MS13-082 Windows Vista Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS13-082 Windows Vista Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
MS13-082 Windows Vista Service Pack 2(Microsoft .NET Framework 3.5 Service Pack 1)
MS13-082 Windows Vista Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Vista Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Vista Service Pack 2(Microsoft .NET Framework 4.5)
MS13-082 Windows Vista Service Pack 2(Microsoft .NET Framework 4.5)
MS13-082 Windows Vista x64 Edition Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS13-082 Windows Vista x64 Edition Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
MS13-082 Windows Vista x64 Edition Service Pack 2(Microsoft .NET Framework 3.5 Service Pack 1)
MS13-082 Windows Vista x64 Edition Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Vista x64 Edition Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows Vista x64 Edition Service Pack 2(Microsoft .NET Framework 4.5)
MS13-082 Windows Vista x64 Edition Service Pack 2(Microsoft .NET Framework 4.5)
MS13-082 Windows XP Professional x64 Edition Service Pack 2(Microsoft .NET Framework 2.0 Service Pack 2)
MS13-082 Windows XP Professional x64 Edition Service Pack 2(Microsoft .NET Framework 3.0 Service Pack 2)
MS13-082 Windows XP Professional x64 Edition Service Pack 2(Microsoft .NET Framework 3.5 Service Pack 1)
MS13-082 Windows XP Professional x64 Edition Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows XP Professional x64 Edition Service Pack 2(Microsoft .NET Framework 4)
MS13-082 Windows XP Service Pack 3(Microsoft .NET Framework 2.0 Service Pack 2)
MS13-082 Windows XP Service Pack 3(Microsoft .NET Framework 3.0 Service Pack 2)
MS13-082 Windows XP Service Pack 3(Microsoft .NET Framework 3.5 Service Pack 1)
MS13-082 Windows XP Service Pack 3(Microsoft .NET Framework 4)
MS13-082 Windows XP Service Pack 3(Microsoft .NET Framework 4)
-
Microsoft Windows Common Control Library Remote Code Execution Vulnerability (MS13-083)
- Severity
- Critical 4
- Qualys ID
- 90914
- Vendor Reference
- MS13-083
- CVE Reference
- CVE-2013-3195
- CVSS Scores
- Base 10 / Temporal 7.4
- Description
-
The common controls are a set of windows that are implemented by the Microsoft Windows Common Control library, Comctl32.dll, included with the Windows operating systems.
The vulnerability occurs when the DSA_InsertItem function in the Windows common control library improperly allocates memory for data structures. An unauthenticated remote attacker could exploit the vulnerability by sending a specially crafted request to an affected system. This vulnerability can be exposed only through a vulnerable web application using the DSA_InsertItem function, which accepts an arbitrary user value as an argument.
This security update is rated Critical for all supported 64-bit editions of Microsoft Windows. This security update has no severity rating for Windows RT and for all supported 32-bit editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows 8.
- Consequence
-
An attacker who successfully exploits this vulnerability could take complete control of the affected system.
- Solution
-
Customers are advised to refer to MS13-083.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS13-083 Windows 7 for 32-bit Systems Service Pack 1
MS13-083 Windows 7 for x64-based Systems Service Pack 1
MS13-083 Windows 8 for 32-bit Systems
MS13-083 Windows 8 for 64-bit Systems
MS13-083 Windows Server 2003 Service Pack 2
MS13-083 Windows Server 2003 with SP2 for Itanium-based Systems
MS13-083 Windows Server 2003 x64 Edition Service Pack 2
MS13-083 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS13-083 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-083 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS13-083 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-083 Windows Server 2008 for 32-bit Systems Service Pack 2
MS13-083 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS13-083 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-083 Windows Server 2008 for x64-based Systems Service Pack 2
MS13-083 Windows Server 2012
MS13-083 Windows Server 2012
MS13-083 Windows Vista Service Pack 2
MS13-083 Windows Vista x64 Edition Service Pack 2
MS13-083 Windows XP Professional x64 Edition Service Pack 2
-
Microsoft SharePoint Server Remote Code Execution Vulnerability (MS13-084)
- Severity
- Critical 4
- Qualys ID
- 110223
- Vendor Reference
- MS13-084
- CVE Reference
- CVE-2013-3889, CVE-2013-3895
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
A remote code execution vulnerability exists in the way that affected Microsoft Office Services and Web Apps parse content in specially crafted files. The vulnerability occurs when affected versions of Microsoft Office Services and Web Apps do not properly handle objects in memory while parsing specially crafted Office files. (CVE-2013-3889)
An elevation of privilege vulnerability exists in Microsoft SharePoint Server. The vulnerability is caused when SharePoint Server does not properly protect against a practice known as clickjacking in a SharePoint page. (CVE-2013-3895)
Affected Software:
Microsoft SharePoint Server 2007 Service Pack 3 (32-bit editions)
Microsoft Windows SharePoint Services 3.0 Service Pack 3 (wssloc) (32-bit versions)
Microsoft SharePoint Server 2007 Service Pack 3 (64-bit editions)
Microsoft Windows SharePoint Services 3.0 Service Pack 3 (wssloc) (64-bit versions)
Microsoft SharePoint Server 2010 Service Pack 1
Microsoft SharePoint Server 2010 Service Pack 1
Microsoft SharePoint Foundation 2010 Service Pack 1 (wssloc)
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft SharePoint Server 2010 Service Pack 2
Microsoft SharePoint Foundation 2010 Service Pack 2 (wssloc)
Microsoft SharePoint Server 2013 (wacserver)
Microsoft SharePoint Server 2013 (pptserver)This security update is rated Important for supported editions of Microsoft SharePoint Server.
- Consequence
- An attacker who successfully exploits this vulnerability can cause arbitrary code to run in the security context of the current user.
- Solution
-
Customers are advised to refer to MS13-084.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS13-084 Microsoft Office Web Apps 2010 Service Pack 1(Microsoft Excel Web App 2010 Service Pack 1)
MS13-084 Microsoft Office Web Apps 2010 Service Pack 1(Microsoft Web Applications 2010 Service Pack 1)
MS13-084 Microsoft Office Web Apps 2010 Service Pack 2(Microsoft Excel Web App 2010 Service Pack 2)
MS13-084 Microsoft Office Web Apps 2010 Service Pack 2(Microsoft Web Applications 2010 Service Pack 2)
MS13-084 Microsoft SharePoint Server 2007 Service Pack 3 (32-bit editions)(Excel Services)
MS13-084 Microsoft SharePoint Server 2007 Service Pack 3 (32-bit editions)(Microsoft Windows SharePoint Services 3.0 Service Pack 3 (wssloc) (32-bit versions))
MS13-084 Microsoft SharePoint Server 2007 Service Pack 3 (64-bit editions)(Excel Services)
MS13-084 Microsoft SharePoint Server 2007 Service Pack 3 (64-bit editions)(Microsoft Windows SharePoint Services 3.0 Service Pack 3 (wssloc) (64-bit versions))
MS13-084 Microsoft SharePoint Server 2010 Service Pack 1(Excel Services)
MS13-084 Microsoft SharePoint Server 2010 Service Pack 1(Microsoft SharePoint Foundation 2010 Service Pack 1 (wssloc))
MS13-084 Microsoft SharePoint Server 2010 Service Pack 1(Word Automation Services)
MS13-084 Microsoft SharePoint Server 2010 Service Pack 2(Excel Services)
MS13-084 Microsoft SharePoint Server 2010 Service Pack 2(Microsoft SharePoint Foundation 2010 Service Pack 2 (wssloc))
MS13-084 Microsoft SharePoint Server 2010 Service Pack 2(Word Automation Services)
MS13-084 Microsoft SharePoint Server 2013(Microsoft SharePoint Server 2013 (pptserver))
MS13-084 Microsoft SharePoint Server 2013(Microsoft SharePoint Server 2013 (wacserver))
MS13-084 Microsoft SharePoint Server 2013(Excel Services)
MS13-084 Microsoft SharePoint Server 2013(Word Automation Services)
-
Microsoft Excel Remote Code Execution Vulnerabilities (MS13-085)
- Severity
- Critical 4
- Qualys ID
- 110224
- Vendor Reference
- MS13-085
- CVE Reference
- CVE-2013-3889, CVE-2013-3890
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft.
Excel is prone to multiple remote code execution vulnerabilities caused by the way that Microsoft Excel handles specially crafted Excel files.
Microsoft has released a security update that addresses the vulnerabilities by correcting the way Microsoft Excel parses and validates data when opening specially crafted Excel files.
This security update is rated Important for all supported editions of Microsoft Excel 2007, Microsoft Excel 2010, Microsoft Excel 2013, Microsoft Excel 2013 RT, and Microsoft Office for Mac 2011. It is also rated Important for supported versions of Microsoft Excel Viewer and Microsoft Office Compatibility Pack.
- Consequence
-
These vulnerabilities could allow remote code execution if a user opens a specially crafted Office file. An attacker who successfully exploits these vulnerabilities could gain the same user rights as the logged-on user.
- Solution
-
Refer to MS13-085 for further information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS13-085 Microsoft Excel Viewer
MS13-085 Microsoft Office 2007 Service Pack 3(Microsoft Excel 2007 Service Pack 3)
MS13-085 Microsoft Office 2007 Service Pack 3
MS13-085 Microsoft Office 2007 Service Pack 3
MS13-085 Microsoft Office 2010 Service Pack 1 (32-bit editions)(Microsoft Excel 2010 Service Pack 1 (32-bit editions))
MS13-085 Microsoft Office 2010 Service Pack 1 (32-bit editions)
MS13-085 Microsoft Office 2010 Service Pack 1 (32-bit editions)
MS13-085 Microsoft Office 2010 Service Pack 1 (64-bit editions)(Microsoft Excel 2010 Service Pack 1 (64-bit editions))
MS13-085 Microsoft Office 2010 Service Pack 1 (64-bit editions)
MS13-085 Microsoft Office 2010 Service Pack 1 (64-bit editions)
MS13-085 Microsoft Office 2010 Service Pack 2 (32-bit editions)(Microsoft Excel 2010 Service Pack 2 (32-bit editions))
MS13-085 Microsoft Office 2010 Service Pack 2 (32-bit editions)
MS13-085 Microsoft Office 2010 Service Pack 2 (32-bit editions)
MS13-085 Microsoft Office 2010 Service Pack 2 (64-bit editions)(Microsoft Excel 2010 Service Pack 2 (64-bit editions))
MS13-085 Microsoft Office 2010 Service Pack 2 (64-bit editions)
MS13-085 Microsoft Office 2010 Service Pack 2 (64-bit editions)
MS13-085 Microsoft Office 2013 (32-bit editions)(Microsoft Excel 2013 (32-bit editions))
MS13-085 Microsoft Office 2013 (32-bit editions)
MS13-085 Microsoft Office 2013 (64-bit editions)(Microsoft Excel 2013 (64-bit editions))
MS13-085 Microsoft Office 2013 (64-bit editions)
MS13-085 Microsoft Office Compatibility Pack Service Pack 3
MS13-085 Microsoft Office for Mac 2011
MS13-085
MS13-085
-
Microsoft Silverlight Information Disclosure Vulnerability (MS13-087)
- Severity
- Serious 3
- Qualys ID
- 90911
- Vendor Reference
- MS13-087
- CVE Reference
- CVE-2013-3896
- CVSS Scores
- Base 4.3 / Temporal 3.7
- Description
-
The vulnerability could allow information disclosure if an attacker hosts a web site that contains a Silverlight application designed to exploit this vulnerability and then convinces a user to view the website. The security update addresses this vulnerability by correcting the way Microsoft Silverlight checks memory pointers when accessing certain Silverlight elements.
Affected Versions:
Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac and all supported releases of Microsoft Windows.This security update is rated Important.
- Consequence
- An attacker who successfully exploits this vulnerability could disclose information on the local system. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.
- Solution
-
Refer to MS13-087 for further information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS13-087 Microsoft Silverlight 5
MS13-087 Microsoft Silverlight 5
MS13-087 Microsoft Silverlight 5
MS13-087 Microsoft Silverlight 5 Developer Runtime
MS13-087 Microsoft Silverlight 5 Developer Runtime
MS13-087 Microsoft Silverlight 5 Developer Runtime
These new vulnerability checks are included in Qualys vulnerability signature 2.2.548-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100164
- 110222
- 90913
- 90912
- 90914
- 110223
- 110224
- 90911
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.