Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 11 vulnerabilities that were fixed in 4 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Microsoft has released 4 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
The MS14-017 update for Microsoft Word fixes the following vulnerabilities:
- CVE-2014-1757: The vulnerability is caused when affected Microsoft Office software does not properly allocate memory while attempting to convert specially crafted, binary-formatted Word documents (.doc) to newer file formats.
- CVE-2014-1758: The vulnerability is caused when Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files. System memory may be corrupted in such a way that an attacker could execute arbitrary code.
- CVE-2014-1761: The vulnerability is caused when Microsoft Word does not properly handle objects in memory while parsing specially crafted Office files. System memory may be corrupted in such a way that an attacker could execute arbitrary code.
Affected Versions:
Microsoft Word 2003 Service Pack 3
Microsoft Word 2007 Service Pack 3
Microsoft Word 2010 Service Pack 1 (32-bit editions)
Microsoft Word 2010 Service Pack 2 (32-bit editions)
Microsoft Word 2010 Service Pack 1 (64-bit editions)
Microsoft Word 2010 Service Pack 2 (64-bit editions)
Microsoft Word 2013 (32-bit editions)
Microsoft Word 2013 (64-bit editions)
Microsoft Word 2013 RT
Microsoft Word Viewer
Microsoft Office Compatibility Pack Service Pack 3
Microsoft Office for Mac 2011
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 1
Word Automation Services on Microsoft SharePoint Server 2010 Service Pack 2
Word Automation Services on Microsoft SharePoint Server 2013
Microsoft Office Web Apps 2010 Service Pack 1
Microsoft Office Web Apps 2010 Service Pack 2
Microsoft Office Web Apps Server 2013
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-017 Microsoft Office 2003 Service Pack 3 (Microsoft Word 2003 Service Pack 3)
MS14-017 Microsoft Office 2007 Service Pack 3 (Microsoft Word 2007 Service Pack 3)
MS14-017 Microsoft Office 2010 Service Pack 1 (32-bit editions) (Microsoft Word 2010 Service Pack 1 (32-bit editions))
MS14-017 Microsoft Office 2010 Service Pack 1 (64-bit editions) (Microsoft Word 2010 Service Pack 1 (64-bit editions))
MS14-017 Microsoft Office 2010 Service Pack 2 (32-bit editions) (Microsoft Word 2010 Service Pack 2 (32-bit editions))
MS14-017 Microsoft Office 2010 Service Pack 2 (64-bit editions) (Microsoft Word 2010 Service Pack 2 (64-bit editions))
MS14-017 Microsoft Office 2013 (32-bit editions) (Microsoft Word 2013 (32-bit editions))
MS14-017 Microsoft Office 2013 (64-bit editions) (Microsoft Word 2013 (64-bit editions))
MS14-017 Microsoft Office 2013 Service Pack 1 (32-bit editions) (Microsoft Word 2013 Service Pack 1 (32-bit editions))
MS14-017 Microsoft Office 2013 Service Pack 1 (64-bit editions) (Microsoft Word 2013 Service Pack 1 (64-bit editions))
MS14-017 Microsoft Office Compatibility Pack Service Pack 3
MS14-017 Microsoft Office Web Apps 2010 Service Pack 1 (Microsoft Web Applications 2010 Service Pack 1)
MS14-017 Microsoft Office Web Apps 2010 Service Pack 2 (Microsoft Web Applications 2010 Service Pack 2)
MS14-017 Microsoft Office Web Apps 2013 (Microsoft Office Web Apps Server 2013)
MS14-017 Microsoft Office for Mac 2011
MS14-017 Microsoft SharePoint Server 2010 Service Pack 1 (Word Automation Services)
MS14-017 Microsoft SharePoint Server 2010 Service Pack 2 (Word Automation Services)
MS14-017 Microsoft SharePoint Server 2013 (Word Automation Services)
MS14-017 Microsoft SharePoint Server 2013 Service Pack 1 (Word Automation Services)
MS14-017 Microsoft Word Viewer
Microsoft Internet Explorer is affected by multiple memory corruption vulnerabilities because it improperly handles objects in memory.
An attacker could host a specially crafted website designed to exploit these vulnerabilities through Internet Explorer and then convince a user to view the website.
This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 11 on affected Windows clients, and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 11 on affected Windows servers.
Please refer to MS14-018 for details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-018 Windows 7 for 32-bit Systems Service Pack 1 (Internet Explorer 11)
MS14-018 Windows 7 for 32-bit Systems Service Pack 1 (Internet Explorer 8)
MS14-018 Windows 7 for 32-bit Systems Service Pack 1 (Internet Explorer 9)
MS14-018 Windows 7 for x64-based Systems Service Pack 1 (Internet Explorer 11)
MS14-018 Windows 7 for x64-based Systems Service Pack 1 (Internet Explorer 8)
MS14-018 Windows 7 for x64-based Systems Service Pack 1 (Internet Explorer 9)
MS14-018 Windows 8.1 for 32-bit Systems (Internet Explorer 11)
MS14-018 Windows 8.1 for x64-based Systems (Internet Explorer 11)
MS14-018 Windows Server 2003 Service Pack 2 (Internet Explorer 6)
MS14-018 Windows Server 2003 Service Pack 2 (Internet Explorer 7)
MS14-018 Windows Server 2003 Service Pack 2 (Internet Explorer 8)
MS14-018 Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 6)
MS14-018 Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 7)
MS14-018 Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 6)
MS14-018 Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 7)
MS14-018 Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 8)
MS14-018 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (Internet Explorer 8)
MS14-018 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Internet Explorer 11)
MS14-018 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Internet Explorer 8)
MS14-018 Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Internet Explorer 9)
MS14-018 Windows Server 2008 for 32-bit Systems Service Pack 2 (Internet Explorer 7)
MS14-018 Windows Server 2008 for 32-bit Systems Service Pack 2 (Internet Explorer 8)
MS14-018 Windows Server 2008 for 32-bit Systems Service Pack 2 (Internet Explorer 9)
MS14-018 Windows Server 2008 for Itanium-based Systems Service Pack 2 (Internet Explorer 7)
MS14-018 Windows Server 2008 for x64-based Systems Service Pack 2 (Internet Explorer 7)
MS14-018 Windows Server 2008 for x64-based Systems Service Pack 2 (Internet Explorer 8)
MS14-018 Windows Server 2008 for x64-based Systems Service Pack 2 (Internet Explorer 9)
MS14-018 Windows Server 2012 R2 (Internet Explorer 11)
MS14-018 Windows Vista Service Pack 2 (Internet Explorer 7)
MS14-018 Windows Vista Service Pack 2 (Internet Explorer 8)
MS14-018 Windows Vista Service Pack 2 (Internet Explorer 9)
MS14-018 Windows Vista x64 Edition Service Pack 2 (Internet Explorer 7)
MS14-018 Windows Vista x64 Edition Service Pack 2 (Internet Explorer 8)
MS14-018 Windows Vista x64 Edition Service Pack 2 (Internet Explorer 9)
MS14-018 Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 6)
MS14-018 Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 7)
MS14-018 Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 8)
MS14-018 Windows XP Service Pack 3 (Internet Explorer 6)
MS14-018 Windows XP Service Pack 3 (Internet Explorer 7)
MS14-018 Windows XP Service Pack 3 (Internet Explorer 8)
The MS14-019 security update is rated Important for all supported releases of Windows.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-019 Windows 7 for 32-bit Systems Service Pack 1
MS14-019 Windows 7 for x64-based Systems Service Pack 1
MS14-019 Windows 8 for 32-bit Systems
MS14-019 Windows 8 for x64-based Systems
MS14-019 Windows 8.1 for 32-bit Systems
MS14-019 Windows 8.1 for x64-based Systems
MS14-019 Windows Server 2003 Service Pack 2
MS14-019 Windows Server 2003 with SP2 for Itanium-based Systems
MS14-019 Windows Server 2003 x64 Edition Service Pack 2
MS14-019 Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
MS14-019 Windows Server 2008 R2 for x64-based Systems Service Pack 1
MS14-019 Windows Server 2008 for 32-bit Systems Service Pack 2
MS14-019 Windows Server 2008 for Itanium-based Systems Service Pack 2
MS14-019 Windows Server 2008 for x64-based Systems Service Pack 2
MS14-019 Windows Server 2012
MS14-019 Windows Server 2012 R2
MS14-019 Windows Vista Service Pack 2
MS14-019 Windows Vista x64 Edition Service Pack 2
MS14-019 Windows XP Professional x64 Edition Service Pack 2
MS14-019 Windows XP Service Pack 3
A vulnerability exists in the PUBCONV.DLL module in Microsoft Publisher.
To exploit this vulnerability, the attacker must persuade a user to open a specially crafted file. Attackers typically accomplish this by e-mailing a targeted user the file or hosting the file on a Web page. Note that attackers cannot exploit Office file format vulnerabilities in a drive-by manner. At a minimum, a targeted user must click an "open" dialog or choose to view an attachment.
This security update is rated Important for supported editions of Microsoft Publisher 2003 and Microsoft Publisher 2007.
Affected Versions:
Microsoft Office Publisher 2007 SP3
Microsoft Office Publisher 2003 SP3
An attacker who successfully exploited this vulnerability could run arbitrary code as the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS14-020 Microsoft Office 2003 Service Pack 3 (Microsoft Publisher 2003 Service Pack 3)
MS14-020 Microsoft Office 2007 Service Pack 3 (Microsoft Publisher 2007 Service Pack 3)
These new vulnerability checks are included in Qualys vulnerability signature 2.2.700-5. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
To perform a selective vulnerability scan, configure a scan profile to use the following options:
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Platforms and Platform Identification
For more information, customers may contact Qualys Technical Support.
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.