Microsoft security alert.
April 9, 2013
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 15 vulnerabilities that were fixed in 9 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 9 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Antimalware Client Elevation of Privilege Vulnerability (MS13-034)
- Severity
- Critical 4
- Qualys ID
- 121050
- Vendor Reference
- MS13-034
- CVE Reference
- CVE-2013-0078
- CVSS Scores
- Base 7.2 / Temporal 5.3
- Description
-
Microsoft Antimalware Client is anti-malware security software from Microsoft.
This security update resolves a privately reported vulnerability in the Microsoft Antimalware Client by correcting pathnames used by the Microsoft Antimalware Client.
This security update is rated Important for the Microsoft Antimalware Client in supported versions of Windows Defender for Windows 8 and Windows RT.
- Consequence
- An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Professional x64 Edition Service Pack 2
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-034.
Workaround:
Use this workaround to block attack vectors for the vulnerability on Windows 8 and Windows RT systems.
1. Create a backup of the registry keys. Backup copies can be made using a managed deployment script by performing the following command as an administrator:
   Regedit.exe /e c:\temp\Windefend_backup.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
   Note: When run as an administrator, the above command creates a file named "Windefend_backup.reg" in the c:\temp folder.
2. Create a text file named Windefend_ImagePath_fix.reg with the following contents:
   Windows Registry Editor Version 5.00
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
   "ImagePath"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
     69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
     00,20,00,44,00,65,00,66,00,65,00,6e,00,64,00,65,00,72,00,5c,00,4d,00,73,00,\
     4d,00,70,00,45,00,6e,00,67,00,2e,00,65,00,78,00,65,00,22,00,00,00
3. Save the Windefend_ImagePath_fix.reg file to the c:\temp folder.
4. Run the registry script file you created in step 2 on the target system by using one of the following methods:
   Method #1: Double-click the Windefend_ImagePath_fix.reg file. The following confirmation message should be displayed: The keys and values contained in C:\temp\Windefend_ImagePath_fix.reg have been successfully added to the registry.
   Method #2: Alternatively, perform the following command as an administrator:
   Regedit /s c:\temp\Windefend_ImagePath_fix.reg
   Warning: When using the command line method above, no confirmation message is displayed. You will not be notified as to whether or not the registry keys and values were successfully added to the registry.
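The workaround above writes the WinDefend ImagePath as a hex(2) REG_EXPAND_SZ blob, which is hard to review by eye. The following added example (not Qualys or Microsoft code) parses that .reg text, decodes the value to a readable path, and applies the quoting check an unquoted-service-path audit would run; the environment mapping and the `.exe` heuristic are assumptions of the example.

```python
import re

# The .reg contents from the MS13-034 workaround, embedded verbatim for offline testing.
WORKAROUND_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"ImagePath"=hex(2):22,00,25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,\
  69,00,6c,00,65,00,73,00,25,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,00,73,\
  00,20,00,44,00,65,00,66,00,65,00,6e,00,64,00,65,00,72,00,5c,00,4d,00,73,00,\
  4d,00,70,00,45,00,6e,00,67,00,2e,00,65,00,78,00,65,00,22,00,00,00
'''


def parse_reg_values(text: str) -> dict:
    """Return {value_name: raw_data} for a .reg file.

    Regedit splits long hex(...) data over several lines with a trailing
    backslash; those continuation lines are joined back together here.
    """
    values = {}
    lines = iter(text.splitlines())
    for line in lines:
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m:
            continue  # header, blank line or [key] line
        name, data = m.group(1), m.group(2).strip()
        while data.endswith('\\'):
            data = data[:-1] + next(lines).strip()
        values[name] = data
    return values


def decode_hex2(data: str) -> str:
    """Decode a REG_EXPAND_SZ written as hex(2):xx,xx,... (UTF-16LE, NUL-terminated)."""
    if not data.startswith('hex(2):'):
        raise ValueError('not a hex(2) value')
    raw = bytes(int(b, 16) for b in data[len('hex(2):'):].split(',') if b)
    return raw.decode('utf-16-le').rstrip('\x00')


def expand_vars(s: str, env: dict) -> str:
    """Expand %NAME% references with a caller-supplied mapping (assumed values,
    so the result does not depend on the machine running this script)."""
    return re.sub(r'%([^%]+)%', lambda m: env.get(m.group(1), m.group(0)), s)


def image_path_needs_quoting(image_path: str) -> bool:
    """Heuristic used by unquoted-service-path audits: an ImagePath that is not
    wrapped in double quotes is ambiguous when the text before its first space
    is not itself the executable (e.g. 'C:\\Program' from 'C:\\Program Files\\...').
    Unquoted paths without spaces, or with only trailing arguments, pass."""
    if image_path.startswith('"'):
        return False
    first_token = image_path.split(' ', 1)[0]
    return ' ' in image_path and not first_token.lower().endswith('.exe')


def audit_workaround(reg_text: str = WORKAROUND_REG) -> dict:
    """Decode the workaround's ImagePath and report whether it is safely quoted."""
    decoded = decode_hex2(parse_reg_values(reg_text)['ImagePath'])
    return {
        'image_path': decoded,
        'expanded': expand_vars(decoded, {'ProgramFiles': r'C:\Program Files'}),
        'needs_quoting': image_path_needs_quoting(decoded),
    }


if __name__ == '__main__':
    for k, v in audit_workaround().items():
        print(f'{k}: {v}')
```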
-
Microsoft Internet Explorer Multiple Remote Code Execution Vulnerabilities (MS13-028)
- Severity
- Urgent 5
- Qualys ID
- 100145
- Vendor Reference
- MS13-028
- CVE Reference
- CVE-2013-1303, CVE-2013-1304, CVE-2013-1338
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Internet Explorer is a graphical web browser developed by Microsoft and included as part of the Microsoft Windows operating systems.
Microsoft Internet Explorer is prone to a remote code execution vulnerability that exists in the way it accesses an object in memory that has been deleted. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
Microsoft has released a security update that addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory.
This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on Windows servers.
- Consequence
- An attacker who successfully exploited this vulnerability could execute arbitrary code on affected systems with the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Service Pack 3 (Internet Explorer 6)
Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 6)
Windows Server 2003 Service Pack 2 (Internet Explorer 6)
Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 6)
Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 6)
Windows XP Service Pack 3 (Internet Explorer 7)
Windows XP Professional x64 Edition Service Pack 2 (Internet Explorer 7)
Windows Server 2003 Service Pack 2 (Internet Explorer 7)
Windows Server 2003 x64 Edition Service Pack 2 (Internet Explorer 7)
Windows Server 2003 with SP2 for Itanium-based Systems (Internet Explorer 7)
Windows Vista Service Pack 2 (Internet Explorer 7)
Windows Vista x64 Edition Service Pack 2 (Internet Explorer 7)
Windows Server 2008 for 32-bit Systems Service Pack 2 (Internet Explorer 7)
Windows Server 2003 Service Pack 2 (Internet Explorer 8)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-028.
Workaround:
1. Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
2. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone
-
Microsoft Windows Remote Desktop Client Remote Code Execution Vulnerability (MS13-029)
- Severity
- Urgent 5
- Qualys ID
- 90876
- Vendor Reference
- MS13-029
- CVE Reference
- CVE-2013-1296
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
The Remote Desktop Control object is a Microsoft ActiveX control used to customize the Remote Desktop Services user experience.
The vulnerability occurs when the Microsoft Remote Desktop ActiveX Control attempts to access an object in memory that has been freed, potentially corrupting memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.
Microsoft has released a security update that addresses the vulnerability by modifying the way Remote Desktop Client handles objects in memory.
This security update is rated Critical for Remote Desktop Connection 6.1 Client and Remote Desktop Connection 7.0 Client where affected on Windows XP, Windows Vista and Windows 7. It is rated Moderate for Remote Desktop Connection 6.1 Client and Remote Desktop Connection 7.0 Client where affected on Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2.
Windows Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog posts:
April 2013 Security Updates are on MyOEM for XPe SP3 and Standard 2009 (KB2813347, 2813345)
July 2013 Security Updates are on MyOEM for XPe SP3 and Standard 2009 (KB2813347)
- Consequence
- An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Service Pack 3 (Remote Desktop Connection 6.1 Client)
Windows XP Service Pack 3 (Remote Desktop Connection 7.0 Client)
Windows XP Professional x64 Edition Service Pack 2 (Remote Desktop Connection 6.1 Client)
Windows Server 2003 Service Pack 2 (Remote Desktop Connection 6.1 Client)
Windows Server 2003 x64 Edition Service Pack 2 (Remote Desktop Connection 6.1 Client)
Windows Vista Service Pack 2 (Remote Desktop Connection 6.1 Client)
Windows Vista Service Pack 2 (Remote Desktop Connection 7.0 Client)
Windows Vista x64 Edition Service Pack 2 (Remote Desktop Connection 6.1 Client)
Windows Vista x64 Edition Service Pack 2 (Remote Desktop Connection 7.0 Client)
Windows Server 2008 for 32-bit Systems Service Pack 2 (Remote Desktop Connection 6.1 Client)
Windows Server 2008 for x64-based Systems Service Pack 2 (Remote Desktop Connection 6.1 Client)
Windows Server 2008 for Itanium-based Systems Service Pack 2 (Remote Desktop Connection 6.1 Client)
Windows 7 for 32-bit Systems (Remote Desktop Connection 7.0 Client)
Windows 7 for 32-bit Systems Service Pack 1 (Remote Desktop Connection 7.0 Client)
Windows 7 for x64-based Systems (Remote Desktop Connection 7.0 Client)
Windows 7 for x64-based Systems Service Pack 1 (Remote Desktop Connection 7.0 Client)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-029.
-
Microsoft SharePoint Information Disclosure Vulnerability (MS13-030)
- Severity
- Critical 4
- Qualys ID
- 110209
- Vendor Reference
- MS13-030
- CVE Reference
- CVE-2013-1290
- CVSS Scores
- Base 3.5 / Temporal 2.6
- Description
-
Microsoft SharePoint Server is prone to an information disclosure vulnerability due to the way that SharePoint Server enforces access controls on specific SharePoint lists. (CVE-2013-1290)
Affected Software:
Microsoft SharePoint Server 2013
This security update is rated Important for Microsoft SharePoint Server 2013.
NOTE: This update requires prior installation of the Project Server 2013 cumulative update (2768001).
- Consequence
- An attacker who successfully exploited this vulnerability could gain access to list items in a SharePoint list that the list owner did not intend for the attacker to be able to access.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft SharePoint Server 2013
Refer to Microsoft Security Bulletin MS13-030 for further details.
-
Microsoft Windows Kernel Multiple Elevation of Privilege Vulnerabilities (MS13-031)
- Severity
- Urgent 5
- Qualys ID
- 90878
- Vendor Reference
- MS13-031
- CVE Reference
- CVE-2013-1284, CVE-2013-1294
- CVSS Scores
- Base 4.9 / Temporal 3.6
- Description
-
The Windows kernel is the core of the operating system. The kernel provides system-level services such as device management and memory management, allocates processor time to processes and manages error handling.
The Ntoskrnl.exe file is prone to multiple race conditions that could be leveraged by an attacker to execute code with elevated privileges. These vulnerabilities are caused by improper handling of objects in the system memory.
This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.
- Consequence
-
Successful exploitation of these vulnerabilities could allow a local attacker to execute arbitrary code with elevated privileges.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-031.
-
Microsoft Active Directory Denial Of Service Vulnerability (MS13-032)
- Severity
- Serious 3
- Qualys ID
- 90877
- Vendor Reference
- MS13-032
- CVE Reference
- CVE-2013-1282
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
Active Directory Services contains an extensible and scalable set of services that enables you to efficiently manage corporate identities, credentials, information protection, and system and application settings.
A denial of service vulnerability exists in implementations of Active Directory that could cause the service to stop responding. The vulnerability occurs when the LDAP service fails to handle a specially crafted query (CVE-2013-1282).
This security update is rated Important for Active Directory, Active Directory Application Mode (ADAM), Active Directory Lightweight Directory Service (AD LDS), and Active Directory Services on Microsoft Windows servers (excluding Itanium-based systems) and rated Low on Microsoft Windows clients.
- Consequence
- Successfully exploiting this vulnerability might allow a remote attacker to cause a denial of service.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Service Pack 3 (Active Directory Application Mode (ADAM))
Windows XP Professional x64 Edition Service Pack 2 (Active Directory Application Mode (ADAM))
Windows Server 2003 Service Pack 2 (Active Directory)
Windows Server 2003 Service Pack 2 (Active Directory Application Mode (ADAM))
Windows Server 2003 x64 Edition Service Pack 2 (Active Directory)
Windows Server 2003 x64 Edition Service Pack 2 (Active Directory Application Mode (ADAM))
Windows Server 2003 with SP2 for Itanium-based Systems (Active Directory)
Windows Vista Service Pack 2 (Active Directory Lightweight Directory Service (AD LDS))
Windows Vista x64 Edition Service Pack 2 (Active Directory Lightweight Directory Service (AD LDS))
Windows Server 2008 for 32-bit Systems Service Pack 2 (Active Directory Services)
Windows Server 2008 for x64-based Systems Service Pack 2 (Active Directory Services)
Windows 7 for 32-bit Systems (Active Directory Lightweight Directory Service (AD LDS))
Windows 7 for x64-based Systems (Active Directory Lightweight Directory Service (AD LDS))
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-032.
-
Microsoft Windows Client/Server Run-Time Subsystem Elevation of Privilege Vulnerability (MS13-033)
- Severity
- Serious 3
- Qualys ID
- 90874
- Vendor Reference
- MS13-033
- CVE Reference
- CVE-2013-1295
- CVSS Scores
- Base 7.2 / Temporal 5.3
- Description
-
Microsoft Client/Server Runtime Subsystem (CSRSS) is an essential Windows subsystem. CSRSS is responsible for console windows and for creating and deleting threads.
An elevation of privilege vulnerability exists when the Windows CSRSS improperly handles objects in memory. The security update addresses the vulnerability by correcting the way Windows CSRSS handles objects in memory.
Affected Versions:
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
It is rated as Important for all supported editions.
- Consequence
- An attacker who successfully exploits this vulnerability could run arbitrary code in the context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Refer to Microsoft Security Bulletin MS13-033 for further details.
-
Microsoft HTML Sanitization Component Elevation of Privilege Vulnerability (MS13-035)
- Severity
- Critical 4
- Qualys ID
- 90879
- Vendor Reference
- MS13-035
- CVE Reference
- CVE-2013-1289
- CVSS Scores
- Base 4.3 / Temporal 3.7
- Description
-
HTML sanitization is a process that restricts HTML to elements that can be safely displayed in a browser.
An elevation of privilege vulnerability exists in the way HTML strings are sanitized.
This security update is rated Important for supported editions of Microsoft SharePoint Server 2010, Microsoft Groove Server 2010, Microsoft SharePoint Foundation 2010 and Microsoft Office Web Apps 2010.
- Consequence
- An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read or use the victim's identity to take actions on the targeted site or application.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft InfoPath 2010 Service Pack 1 (32-bit editions)
Microsoft InfoPath 2010 Service Pack 1 (32-bit editions)
Microsoft InfoPath 2010 Service Pack 1 (64-bit editions)
Microsoft InfoPath 2010 Service Pack 1 (64-bit editions)
Microsoft Groove Server 2010 Service Pack 1
Microsoft SharePoint Foundation 2010 Service Pack 1
Microsoft Office Web Apps 2010 Service Pack 1
Refer to Microsoft Security Bulletin MS13-035 for further details.
-
Microsoft Windows Kernel-Mode Driver Elevation of Privilege Vulnerability (MS13-036)
- Severity
- Critical 4
- Qualys ID
- 90875
- Vendor Reference
- MS13-036
- CVE Reference
- CVE-2013-1283, CVE-2013-1291, CVE-2013-1292, CVE-2013-1293
- CVSS Scores
- Base 7.1 / Temporal 5.6
- Description
-
The Win32k.sys is a kernel-mode device driver and the kernel part of the Windows subsystem.
Elevation of privilege vulnerabilities exist when the Windows kernel-mode or the NTFS kernel-mode drivers improperly handle objects in memory.
A denial of service vulnerability exists when a Windows kernel-mode driver fails to handle a specially crafted font file.
This security update addresses the vulnerabilities by correcting the way the Windows kernel-mode and NTFS kernel-mode drivers handle objects in memory and the way the Windows kernel-mode drivers handle a specially crafted font file.
This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012 and Windows RT.
Note: The MS13-036 update patches two race condition vulnerabilities (CVE-2013-1283 and CVE-2013-1292), a font parsing vulnerability (CVE-2013-1291) and an NTFS NULL pointer dereference vulnerability (CVE-2013-1293), each of which an attacker could use for privilege escalation. Security update KB2823324 addresses the NTFS NULL pointer dereference vulnerability.
Microsoft released KB2840149 for Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2. It replaces KB2823324.
Microsoft recommends that security update KB2823324 be uninstalled. Instructions to uninstall Security Update KB2823324 can be found under KB2839011.
Security Update KB2823324 has been removed from the Windows Download Center.
Further details can be found at the Microsoft Security Response Center.
- Consequence
- Successfully exploiting these security vulnerabilities could allow an attacker to gain elevated privileges or cause a denial of service.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS13-036.
These new vulnerability checks are included in Qualys vulnerability signature 2.2.405-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 121050
- 100145
- 90876
- 110209
- 90878
- 90877
- 90874
- 90879
- 90875
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance posture, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.