Microsoft security alert.
April 14, 2009
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 21 vulnerabilities that were fixed in 8 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 8 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft DirectShow Could Allow Remote Code Execution (MS09-011)
- Severity
- Urgent 5
- Qualys ID
- 90488
- Vendor Reference
- MS09-011
- CVE Reference
- CVE-2009-0084
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft DirectX consists of a set of low-level Application Programming Interfaces (APIs) used by Windows programs for multimedia support. The DirectShow technology performs client-side audio and video sourcing, manipulation and rendering.
A remote code execution vulnerability exists in the way Microsoft DirectShow handles supported format files. An error occurs when decompressing MJPEG content. This vulnerability could allow code execution if a user opens a specially crafted MJPEG file. (CVE-2009-0084)
Microsoft has released a security update that addresses the vulnerability by correcting the way that DirectShow decompresses media files.
Windows XP Embedded Systems: for additional information regarding security updates for embedded systems, refer to the following MSDN blog post:
April 2009 Security Updates Are Now Available On the ECE (KB961373)
- Consequence
- If this vulnerability is successfully exploited, it allows attackers to take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Workaround A:
- Disable the decoding of MJPEG content in Quartz.dll.
Steps to disable decoding of MJPEG content using the Interactive Method:
1. Click Start, click Run, type Regedit in the Open box, and then click OK.
2. Locate and then click the following registry subkey: HKEY_CLASSES_ROOT\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}
3. Click the File menu and select Export.
4. In the Export Registry File dialog box, enter MJPEG_Decoder_Backup.reg and click Save.
5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.
Steps to disable decoding of MJPEG content using a Managed Deployment Script:
1. Create a backup copy of the registry key by using a managed deployment script that contains the following command:
Regedit.exe /e MJPEG_Decoder_Backup.reg HKEY_CLASSES_ROOT\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}
2. Next, save the following to a file with a .REG extension, such as Disable_MJPEG_Decoder.reg:
Windows Registry Editor Version 5.00
[-HKEY_CLASSES_ROOT\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}]
3. Run the above registry script on the target machine with the following command from an elevated command prompt:
Regedit.exe /s Disable_MJPEG_Decoder.reg
Impact of the workaround: MJPEG content playback will be disabled.
Workaround B:
- Unregister quartz.dll using the following command from an elevated command prompt:
For 32-bit Windows systems: Regsvr32.exe -u %WINDIR%\system32\quartz.dll
For 64-bit Windows systems: Regsvr32.exe -u %WINDIR%\syswow64\quartz.dll
Impact of the workaround: Windows Media Player will not be able to play ".AVI" or ".WAV" files.
For additional details on applying the workarounds, please refer to Microsoft Security Bulletin MS09-011.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 (DirectX 8.1)
Microsoft Windows 2000 Service Pack 4 (DirectX 9.0)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (DirectX 9.0)
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 (DirectX 9.0)
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 (DirectX 9.0)
Refer to Microsoft Security Bulletin MS09-011 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-011 Microsoft Windows 2000 Service Pack 4(DirectX 8.1)
MS09-011 Microsoft Windows 2000 Service Pack 4(DirectX 9.0)
MS09-011 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2(DirectX 9.0)
MS09-011 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems(DirectX 9.0)
MS09-011 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2(DirectX 9.0)
MS09-011 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2(DirectX 9.0)
MS09-011 Windows XP Service Pack 2 and Windows XP Service Pack 3(DirectX 9.0)
-
WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)
- Severity
- Urgent 5
- Qualys ID
- 90474
- Vendor Reference
- MS09-010
- CVE Reference
- CVE-2008-4841, CVE-2009-0087, CVE-2009-0088, CVE-2009-0235
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
WordPad is a default component of Microsoft Windows operating systems. Text converters in WordPad allow users who do not have Microsoft Office Word installed to open documents in various Microsoft Windows file formats. The Microsoft Office WordPerfect 6.x Converter helps users convert documents from Corel WordPerfect 6.x file formats to Microsoft Office Word file formats.
Multiple vulnerabilities listed below have been identified in WordPad and Office Text Converters:
- A memory corruption vulnerability in WordPad and Office Text Converter exists in the way the applications process memory when a user opens a specially crafted Word 6 file that includes malformed data. A remote attacker can exploit this flaw to execute arbitrary code. (CVE-2009-0087)
- A stack-based buffer overflow vulnerability exists when parsing a specially crafted Word 97 document. The vulnerability could allow remote code execution if a user opens a specially crafted Word file that includes a malformed list structure. (CVE-2008-4841)
- A stack corruption vulnerability in Word 2000 WordPerfect 6.x Converter exists in the way that the converter processes memory when parsing a specially crafted WordPerfect document. (CVE-2009-0088)
- A stack-based buffer overflow vulnerability exists in WordPad as a result of memory corruption when a user opens a specially crafted Word file. This can be exploited by a remote attacker to execute arbitrary code. (CVE-2009-0235)
Microsoft has released a security update to address these vulnerabilities by modifying the way that Microsoft Office Word and Office text converters handle opening specially crafted Word 6.0, Windows Write, and WordPerfect documents. It also addresses the vulnerabilities by implementing fixes to WordPad and by preventing WordPad on affected platforms from opening Word 6.0 and Windows Write files.
Windows XP Embedded Systems: for additional information regarding security updates for embedded systems, refer to the following MSDN blog post:
April 2009 Security Updates Are Now Available On the ECE (KB960477, 923561)
- Consequence
- Successful exploitation of this vulnerability allows an attacker to run arbitrary code as the logged-on user if a specially crafted file is opened in WordPad or Microsoft Office Word. An attacker with administrative rights can take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
For Office users:
To resolve this issue, install the following Office patches: office2000-KB921606-FullFile-ENU.exe, office2003-KB960476-FullFile-ENU.exe, officexp-KB933399-FullFile-ENU.exe, along with the Windows patches Windows2000-KB923561-x86-ENU.EXE, WindowsServer2003-KB923561-ia64-ENU.exe, WindowsServer2003-KB923561-x86-ENU.exe, WindowsServer2003.WindowsXP-KB923561-x64-ENU.exe, WindowsXP-KB923561-x86-ENU.exe.
For non-Office users:
To resolve this issue, install the following Windows patches: Windows2000-KB923561-x86-ENU.EXE, WindowsServer2003-KB923561-ia64-ENU.exe, WindowsServer2003-KB923561-x86-ENU.exe, WindowsServer2003.WindowsXP-KB923561-x64-ENU.exe, WindowsXP-KB923561-x86-ENU.exe.
Workaround:
1) Avoid opening or saving Microsoft Office files received from untrusted sources.
2) Disable the Word 6 converter by applying an access control list to the affected converters so that the converter is no longer loaded by WordPad and Office.
Impact of the workaround: Conversion of Word 6 documents to WordPad RTF or Word 2003 documents will no longer work.
3) Disable the Office text converter by applying an access control list to the affected converter so that it is no longer loaded by Microsoft Office Word.
Impact of the workaround: Microsoft Office Word will no longer load WordPerfect documents.
Detailed information on applying access control lists to disable the Word 6 and Office text converters can be found in Microsoft Security Bulletin MS09-010.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Microsoft Office 2000 Service Pack 3 (Microsoft Office Word 2000 Service Pack 3)
Microsoft Office XP Service Pack 3 (Microsoft Office Word 2002 Service Pack 3)
Microsoft Office Converter Pack
Refer to Microsoft Security Bulletin MS09-010 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-010 Microsoft Office 2000 Service Pack 3(Microsoft Office Word 2000 Service Pack 3)
MS09-010 Microsoft Office Converter Pack
MS09-010 Microsoft Office XP Service Pack 3(Microsoft Office Word 2002 Service Pack 3)
MS09-010 Microsoft Windows 2000 Service Pack 4
MS09-010 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
MS09-010 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
MS09-010 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
MS09-010 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
MS09-010 Windows XP Service Pack 2 and Windows XP Service Pack 3
-
Vulnerabilities in Windows Could Allow Elevation of Privilege (MS09-012)
- Severity
- Urgent 5
- Qualys ID
- 90490
- Vendor Reference
- MS09-012
- CVE Reference
- CVE-2008-1436, CVE-2009-0078, CVE-2009-0079, CVE-2009-0080
- CVSS Scores
- Base 9 / Temporal 7.4
- Description
-
The Microsoft Distributed Transaction Coordinator (MSDTC) is a distributed transaction facility for Microsoft Windows platforms. Windows Management Instrumentation (WMI) is the primary management technology for Microsoft Windows operating systems used for monitoring of systems.
The following vulnerabilities affecting MSDTC and WMI have been identified:
- An elevation of privilege vulnerability exists due to the MSDTC facility allowing the NetworkService token to be obtained and used when making an RPC call. This can be exploited by a process having the SeImpersonatePrivilege to run arbitrary code with NetworkService privileges. (CVE-2008-1436)
- The WMI provider improperly isolates processes running under the NetworkService or LocalService accounts. This can be exploited to run arbitrary code with LocalSystem privileges by obtaining a SYSTEM token. (CVE-2009-0078)
- The RPCSS service improperly isolates processes running under the NetworkService or LocalService accounts. This can be exploited to execute arbitrary code with LocalSystem privileges. (CVE-2009-0079)
- A vulnerability exists due to Windows placing incorrect access control lists (ACLs) on threads in the current ThreadPool. An attacker who successfully exploits this vulnerability could execute arbitrary code with LocalSystem privileges. (CVE-2009-0080)
Microsoft has released a security update to address these vulnerabilities by correcting the way that Windows addresses tokens requested by the Microsoft Distributed Transaction Coordinator (MSDTC), and by properly isolating WMI providers and processes that run under the NetworkService or LocalService accounts.
Windows XP Embedded Systems: for additional information regarding security updates for embedded systems, refer to the following MSDN blog post:
April 2009 Security Updates Are Now Available On the ECE (KB959454, 952004, 956572)
- Consequence
- The vulnerabilities could allow elevation of privilege if an attacker is allowed to log on to the system and then run a specially crafted application. The attacker must be able to run code on the local machine in order to exploit this vulnerability. An attacker who successfully exploits any of these vulnerabilities could take complete control over the affected system.
- Solution
-
Following are links for downloading patches to fix the vulnerabilities:
MSDTC Transaction Facility: Microsoft Windows 2000 Service Pack 4
MSDTC Transaction Facility: Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows Service Isolation: Windows XP Service Pack 2
Windows Service Isolation: Windows XP Service Pack 3
MSDTC Transaction Facility: Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Service Isolation: Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
MSDTC Transaction Facility: Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Service Isolation: Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
MSDTC Transaction Facility: Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Service Isolation: Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
MSDTC Transaction Facility: Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Service Isolation: Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-012.
Workaround:
1) IIS 6.0: Configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager, and disable MSDTC.
2) IIS 7.0: Specify a WPI for an application pool in IIS Manager.
3) IIS 7.0: Specify a WPI for an application pool using the command-line utility APPCMD.exe.
Detailed information on applying the workarounds is available in Microsoft Security Bulletin MS09-012.
Impact of the workarounds: Management of additional user accounts results in increased administrative overhead. Application functionality may be affected depending on the nature of applications running. Disabling MSDTC will prevent applications from using distributed transactions and will prevent configuration as well as running of COM+ applications.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-012 Microsoft Windows 2000 Service Pack 4(MSDTC Transaction Facility)
MS09-012 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2(MSDTC Transaction Facility)
MS09-012 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2(Windows Service Isolation)
MS09-012 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems(MSDTC Transaction Facility)
MS09-012 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems(Windows Service Isolation)
MS09-012 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2(MSDTC Transaction Facility)
MS09-012 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2(Windows Service Isolation)
MS09-012 Windows Server 2008 for 32-bit Systems(MSDTC Transaction Facility)
MS09-012 Windows Server 2008 for 32-bit Systems(Windows Service Isolation)
MS09-012 Windows Server 2008 for Itanium-based Systems(MSDTC Transaction Facility)
MS09-012 Windows Server 2008 for Itanium-based Systems(Windows Service Isolation)
MS09-012 Windows Server 2008 for x64-based Systems(MSDTC Transaction Facility)
MS09-012 Windows Server 2008 for x64-based Systems(Windows Service Isolation)
MS09-012 Windows Vista(Windows Service Isolation)
MS09-012 Windows Vista Service Pack 1(Windows Service Isolation)
MS09-012 Windows Vista and Windows Vista Service Pack 1(MSDTC Transaction Facility)
MS09-012 Windows Vista x64 Edition(Windows Service Isolation)
MS09-012 Windows Vista x64 Edition Service Pack 1(Windows Service Isolation)
MS09-012 Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1(MSDTC Transaction Facility)
MS09-012 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2(MSDTC Transaction Facility)
MS09-012 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2(Windows Service Isolation)
MS09-012 Windows XP Service Pack 2(Windows Service Isolation)
MS09-012 Windows XP Service Pack 2 and Windows XP Service Pack 3(MSDTC Transaction Facility)
MS09-012 Windows XP Service Pack 3(Windows Service Isolation)
-
Windows HTTP Services Could Allow Remote Code Execution (MS09-013)
- Severity
- Urgent 5
- Qualys ID
- 90493
- Vendor Reference
- MS09-013
- CVE Reference
- CVE-2009-0086, CVE-2009-0089, CVE-2009-0550
- CVSS Scores
- Base 10 / Temporal 7.8
- Description
-
Windows HTTP Services (WinHTTP) provides developers with an HTTP client application programming interface (API) to send requests through the HTTP protocol to Web servers. WinHTTP can be used by both Microsoft Windows components and third-party software.
Windows HTTP Services is prone to the following vulnerabilities:
- A remote code execution vulnerability exists in the way that Windows HTTP Services handle specific values that are returned by a remote Web server. (CVE-2009-0086)
- A spoofing vulnerability exists in Windows HTTP Services as a result of the incomplete validation of the distinguished name in a digital certificate. When combined with specific other attacks, such as DNS spoofing, this may allow an attacker to successfully spoof the digital certificate of a Web site for any application that uses Windows HTTP Services. (CVE-2009-0089)
- A remote code execution vulnerability exists in the way that Windows HTTP Services handles NTLM credentials when a user connects to an attacker's Web server. (CVE-2009-0550)
Microsoft has released a security update that addresses these vulnerabilities by changing the way that Windows HTTP Services handles errors and validates certificates, and by ensuring that Windows HTTP Services correctly use NTLM credential reflection protection mechanisms.
Windows XP Embedded Systems: for additional information regarding security updates for embedded systems, refer to the following MSDN blog post:
April 2009 Security Updates Are Now Available On the ECE (KB960803)
- Consequence
-
If this vulnerability is successfully exploited, it will allow attackers to take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Successful exploitation also allows an attacker to impersonate a secure Web site and offer malicious content to the application using Windows HTTP Services, which would trust it as if it originated from a secure Web site.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS09-013 for further details.
-
Microsoft Internet Explorer Cumulative Security Update (MS09-014)
- Severity
- Urgent 5
- Qualys ID
- 100071
- Vendor Reference
- MS09-014
- CVE Reference
- CVE-2008-2540, CVE-2009-0550, CVE-2009-0551, CVE-2009-0552, CVE-2009-0553, CVE-2009-0554
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft Internet Explorer is a Web browser for Microsoft Windows. The browser is prone to the following vulnerabilities:
- A blended threat remote code execution vulnerability exists in the way that Internet Explorer locates and opens files on the system. An attacker could exploit the vulnerability by constructing a specially crafted Web page. Internet Explorer could open a specially crafted file from the desktop, allowing files to be downloaded to the system without prompting. (CVE-2008-2540)
- WinINet does not correctly opt in to NTLM credential-reflection protections when a user connects to an attacker's server by way of the HTTP protocol. This vulnerability allows an attacker to replay the user's credentials back to the attacker and to execute code in the context of the logged-on user. (CVE-2009-0550)
- A memory corruption vulnerability exists in the way Internet Explorer handles transition when navigating between Web pages. As a result, system memory may be corrupted in such a way that an attacker could execute arbitrary code if a user visited a specially crafted Web site. (CVE-2009-0551)
- Multiple remote code execution vulnerabilities exist in the way Internet Explorer accesses an object that has not been correctly initialized or has been deleted. An attacker can exploit this issue by constructing a specially crafted Web page. When Internet Explorer attempts to access an object that has not been initialized or has been deleted, it triggers memory corruption allowing arbitrary execution of code. (CVE-2009-0552, CVE-2009-0553, CVE-2009-0554)
Microsoft has released a security update that addresses these vulnerabilities by modifying the way that Internet Explorer searches the system for files to load, performs authentication reply validation, handles transition errors when navigating between Web pages, and handles memory objects.
Windows XP Embedded Systems: for additional information regarding security updates for embedded systems, refer to the following MSDN blog post:
April 2009 Security Updates Are Now Available On the ECE (KB963027)
- Consequence
- If this vulnerability is successfully exploited, it will allow attackers to execute arbitrary code to take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 5.01 Service Pack 4)
Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 6 Service Pack 1)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft Internet Explorer 6)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Windows Internet Explorer 7)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-014.
Workaround:
CVE-2009-0551, CVE-2009-0552, CVE-2009-0553, CVE-2009-0554:
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting.
- Configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting, in the Internet and Local intranet security zones.
Detailed steps on applying the workarounds can be found in Microsoft Security Bulletin MS09-014.
Impact of the workaround: when visiting Web sites on the Internet or intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently once this workaround is enabled.
-
Blended Threat Vulnerability in SearchPath Could Allow Elevation of Privilege (MS09-015)
- Severity
- Serious 3
- Qualys ID
- 90492
- Vendor Reference
- MS09-015
- CVE Reference
- CVE-2008-2540
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
A security vulnerability in the Windows "SearchPath" function could allow elevation of privileges due to the way the function locates and opens files on the system. By persuading an unsuspecting user to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code with privileges of the logged-on user. (CVE-2008-2540)
Microsoft has released a security update that addresses the vulnerability by modifying the way that Windows loads files from the desktop.
Windows XP Embedded Systems: for additional information regarding security updates for embedded systems, refer to the following MSDN blog post:
April 2009 Security Updates Are Now Available On the ECE (KB959426)
- Consequence
- A privilege escalation can occur which could allow an attacker to install applications; view, change, or delete data, or create new accounts.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS09-015 for further details.
-
Microsoft ISA Server and Forefront Threat Management Gateway Denial of Service (MS09-016)
- Severity
- Serious 3
- Qualys ID
- 90491
- Vendor Reference
- MS09-016
- CVE Reference
- CVE-2009-0077, CVE-2009-0237
- CVSS Scores
- Base 5 / Temporal 3.7
- Description
-
The following vulnerabilities have been identified in Microsoft Internet Security and Acceleration (ISA) Server and Microsoft Forefront Threat Management Gateway (TMG):
- A denial of service vulnerability exists in the way the firewall engine handles TCP state for Web proxy or Web publishing listeners. It can allow a remote user to send specially crafted network packets to the affected system and cause a Web listener to stop responding to new requests. (CVE-2009-0077)
- A cross-site scripting (XSS) vulnerability exists in the HTML forms authentication component in ISA Server or Forefront TMG, "cookieauth.dll", due to improper input validation of the HTTP stream. This could allow malicious script code to run on the machine of another user under the guise of the server running "cookieauth.dll". (CVE-2009-0237)
Microsoft has released a security update that addresses these vulnerabilities by modifying the way that the firewall engine handles TCP state and the way that HTML forms authentication handles input.
- Consequence
-
CVE-2009-0077: A remote user can exploit this vulnerability to cause the affected system's Web listener to become non-responsive leading to denial of service conditions.
CVE-2009-0237: Successful exploitation of this vulnerability could allow injection of arbitrary script in the user's browser. This can lead to spoofing and information disclosure.
- Solution
-
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Forefront Threat Management Gateway, Medium Business Edition
Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
Microsoft Internet Security and Acceleration Server 2006
Microsoft Internet Security and Acceleration Server 2006 Supportability Update
Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
Refer to Microsoft Security Bulletin MS09-016 for further details.
-
Microsoft Excel Remote Code Execution Vulnerability (MS09-009)
- Severity
- Critical 4
- Qualys ID
- 110093
- Vendor Reference
- MS09-009
- CVE Reference
- CVE-2009-0100, CVE-2009-0238
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X.
The following vulnerabilities exist in Microsoft Office Excel:
- A remote code execution vulnerability exists in the way the application parses the Excel spreadsheet file format. A remote attacker can exploit this flaw by enticing an unsuspecting user into opening a specially crafted spreadsheet to cause arbitrary execution of code. (CVE-2009-0100)
- A security vulnerability that could allow remote code execution exists in Excel if a user opens a specially crafted Excel file that includes a malformed object. (CVE-2009-0238)
- Consequence
- Successful exploitation of this vulnerability allows an attacker to run arbitrary code as the logged-on user. An attacker with administrative rights can take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.
- Solution
-
Workaround:
1) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources; it protects Office 2003 installations by opening Word, Excel, and PowerPoint binary format files more securely. Information on MOICE can be found in KB935865.
Impact of the workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
2) Use Microsoft Office File Block policy to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. The following registry scripts can be used to set the File Block policy.
For Office 2003:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
For 2007 Office system:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
Impact of the workaround: If File Block policy is configured without the special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or the 2007 Microsoft Office System.
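As an added example (not code from the Qualys alert or from Microsoft), the following PowerShell script audits, and with -Apply enforces, the two registry-based workarounds on this page: MS09-011 Workaround A (removing the MJPEG decoder CLSID key, under the DirectShow bulletin above) and the MS09-009 Excel File Block policy just shown. It assumes the registry paths quoted on this page, the standard Office version subkeys 11.0 (Office 2003) and 12.0 (2007 Office system), and an elevated session; the function names are my own.

```powershell
<#
  Added example (not from the Qualys alert or the Microsoft bulletins): audits, and
  optionally applies, the two registry-based workarounds described on this page:
    MS09-011 Workaround A - remove the MJPEG decoder CLSID key under HKEY_CLASSES_ROOT
    MS09-009 Workaround 2 - Excel File Block policy (BinaryFiles = 1 under FileOpenBlock)
  Assumptions: the CLSID and FileOpenBlock paths are those quoted on this page; the Office
  version subkeys 11.0 (Office 2003) and 12.0 (2007 Office system) are the standard ones.
  Run from an elevated PowerShell session. Without -Apply the script only reports.
#>
[CmdletBinding()]
param(
    [switch]$Apply,                  # apply both workarounds instead of only reporting
    [string]$BackupDir = $env:TEMP   # where the MJPEG decoder key backup (.reg) is written
)

$MjpegClsid    = '{301056D0-6DFF-11D2-9EEB-006008039E37}'
$MjpegKeyPath  = "Registry::HKEY_CLASSES_ROOT\CLSID\$MjpegClsid"
$ExcelVersions = [ordered]@{ '11.0' = 'Office 2003'; '12.0' = '2007 Office system' }

function Test-MjpegDecoderDisabled {
    # Workaround A is in effect when DirectShow can no longer find the decoder's CLSID key.
    return -not (Test-Path -LiteralPath $MjpegKeyPath)
}

function Disable-MjpegDecoder {
    # Mirrors the page's managed deployment script: export a backup first, then delete the key.
    if (Test-MjpegDecoderDisabled) { return 'already disabled' }
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "MJPEG_Decoder_Backup-$stamp.reg"
    # reg.exe export is the scriptable equivalent of the Regedit.exe /e command in the bulletin.
    & reg.exe export "HKCR\CLSID\$MjpegClsid" $backup | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
        throw "Backup export failed; not deleting $MjpegKeyPath"
    }
    Remove-Item -LiteralPath $MjpegKeyPath -Recurse -Force
    return "disabled (backup: $backup)"
}

function Get-ExcelFileBlockState {
    # Returns an ordered table: Office version name -> $true when BinaryFiles is set to 1.
    $state = [ordered]@{}
    foreach ($entry in $ExcelVersions.GetEnumerator()) {
        $path  = "HKCU:\Software\Microsoft\Office\$($entry.Key)\Excel\Security\FileOpenBlock"
        $props = Get-ItemProperty -LiteralPath $path -Name BinaryFiles -ErrorAction SilentlyContinue
        $state[$entry.Value] = ($null -ne $props -and [int]$props.BinaryFiles -eq 1)
    }
    return $state
}

function Enable-ExcelFileBlock {
    # Equivalent of the page's two .reg scripts; the key is under HKCU, so it applies
    # to the current user only and must be run (or deployed) per user.
    foreach ($ver in $ExcelVersions.Keys) {
        $path = "HKCU:\Software\Microsoft\Office\$ver\Excel\Security\FileOpenBlock"
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $path -Name BinaryFiles -Value 1 -Type DWord
    }
}

# --- apply (optional) and report ---------------------------------------------
if ($Apply) {
    Write-Host ("MS09-011 MJPEG decoder: " + (Disable-MjpegDecoder))
    Enable-ExcelFileBlock
}
Write-Host ("MS09-011 MJPEG decoder disabled  : {0}" -f (Test-MjpegDecoderDisabled))
foreach ($kv in (Get-ExcelFileBlockState).GetEnumerator()) {
    Write-Host ("MS09-009 File Block, {0,-18}: {1}" -f $kv.Key, $kv.Value)
}
```

The script never deletes the decoder key without a successful backup export, so the workaround can be reverted with Regedit.exe /s on the saved .reg file once the MS09-011 patch is installed.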
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft Office Excel 2000 Service Pack 3)
Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3)
2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1)
Microsoft Office Excel Viewer 2003 Service Pack 3
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
Refer to Microsoft Security Bulletin MS09-009 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-009 2007 Microsoft Office System Service Pack 1(Microsoft Office Excel 2007 Service Pack 1)
MS09-009 Microsoft Office 2000 Service Pack 3(Microsoft Office Excel 2000 Service Pack 3)
MS09-009 Microsoft Office 2003 Service Pack 3(Microsoft Office Excel 2003 Service Pack 3)
MS09-009 Microsoft Office 2004 for Mac
MS09-009 Microsoft Office 2008 for Mac
MS09-009 Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
MS09-009 Microsoft Office Excel Viewer
MS09-009 Microsoft Office Excel Viewer 2003 Service Pack 3
MS09-009 Microsoft Office XP Service Pack 3(Microsoft Office Excel 2002 Service Pack 3)
These new vulnerability checks are included in Qualys vulnerability signature 1.22.184-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
- 90488
- 90474
- 90490
- 90493
- 100071
- 90492
- 90491
- 110093
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.