March 9, 2010 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 2 security bulletins that fix 8 vulnerabilities. Qualys has also released a detection (QID 100083) to detect an un-patched Internet Explorer advisory that was also announced by Microsoft today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Microsoft has released security patches to fix newly discovered flaws.
Qualys has released the following checks for these new vulnerabilities:
| Microsoft Windows Movie Maker and Producer Remote Code Execution Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 90588 |
| VENDOR REFERENCE: MS10-016 |
| CVE REFERENCE: CVE-2010-0265 |
| CVSS SCORES: Base 10/ Temporal 7.4 |
| THREAT: Microsoft Windows Movie Maker is video creating/editing software included in Microsoft Windows, and Microsoft Producer is an add-on tool for MS Office PowerPoint 2003.
Microsoft Windows Movie Maker and Producer 2003 are exposed to a remote code execution vulnerability. The vulnerability exists in the way that Windows Movie Maker and Microsoft Producer 2003 handle specially crafted project files. (CVE-2010-0265) This security update is rated Important for Windows Movie Maker 2.1, Windows Movie Maker 2.6, Windows Movie Maker 6.0, and Microsoft Producer 2003. Note: There is no security update available for Microsoft Producer 2003 at this time. Please refer to the solution section for mitigation and workarounds. |
| IMPACT: Successfully exploiting this vulnerability might allow a remote attacker to execute arbitrary code. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Windows XP Service Pack 2 and Windows XP Service Pack 3 (Movie Maker 2.1); Windows XP Professional x64 Edition Service Pack 2 (Movie Maker 2.1); Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 (Movie Maker 6.0); Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 (Movie Maker 2.6); Windows 7 for 32-bit Systems (Movie Maker 2.6); Windows 7 for x64-based Systems (Movie Maker 2.6). The security update for Microsoft Producer 2003 is unavailable at this time. Apply workarounds to mitigate the issues. Refer to Microsoft Security Bulletin MS10-016 for further details.
Workaround: Impact of workaround #1: Double-clicking an MSWMM file will no longer launch Windows Movie Maker. 2) Remove the Microsoft Producer 2003 .MSProducer, .MSProducerZ, and .MSProducerBF file associations. See Microsoft Knowledge Base Article 975561 to use the automated Microsoft Fix it solution to enable or disable this workaround. Impact of workaround #2: Double-clicking Microsoft Producer 2003 files will no longer launch Microsoft Producer 2003. 3) Disable Microsoft Producer 2003 by restricting access. Impact of workaround #3: User will no longer be able to run Microsoft Producer 2003. 4) Prevent Microsoft Producer 2003 from being installed. Impact of workaround #4: Users will no longer be able to install the Microsoft Producer 2003 add-in. 5) Uninstall Microsoft Producer 2003. Impact of workaround #5: Users will no longer be able to run Microsoft Producer 2003. Detailed information on enabling and disabling the workarounds can be found at Microsoft Security Bulletin MS10-016. |
| Microsoft Excel Sheet Object Type Confusion Vulnerability |
|---|
| SEVERITY: Serious |
| QUALYS ID: 110103 |
| VENDOR REFERENCE: MS10-017 |
| CVE REFERENCE: CVE-2010-0258 |
| CVSS SCORES: Base 6.8/ Temporal 5 |
| THREAT: Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft.
Microsoft Excel is prone to a type confusion vulnerability that occurs when parsing several related Excel record types. The type confusion is due to multiple records containing fields that identify the type of an object shared between them. The existence of this vulnerability is confirmed in all currently supported versions of Excel (2007 SP1/SP2, 2003 SP3, XP SP3) and Excel 2000 SP3, which is currently unsupported. Microsoft has released a patch to resolve this issue. Previously, this was an iDefense exclusive vulnerability. |
| IMPACT: Successful exploitation of this vulnerability can allow the attacker to execute arbitrary code with privileges of the current user. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3); Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3); 2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1); 2007 Microsoft Office System Service Pack 2 (Microsoft Office Excel 2007 Service Pack 2); Open XML File Format Converter for Mac; Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2; Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions); Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions); Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions). Refer to Microsoft Security Bulletin MS10-017 for further details. Workaround: 2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865. Impact of the workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted. 3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. Impact of the workaround: If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System. |
| Microsoft Excel Remote Code Execution Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 110104 |
| VENDOR REFERENCE: MS10-017 |
| CVE REFERENCE: CVE-2010-0257, CVE-2010-0258, CVE-2010-0260, CVE-2010-0261, CVE-2010-0262, CVE-2010-0263, CVE-2010-0264 |
| CVSS SCORES: Base 7.5/ Temporal 5.5 |
| THREAT: Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X. Excel is prone to the following vulnerabilities:
Multiple remote code execution vulnerabilities exist in the way that Microsoft Office Excel parses the Excel file format when opening a specially crafted Excel file. (CVE-2010-0257, CVE-2010-0258, CVE-2010-0260, CVE-2010-0261, CVE-2010-0262, CVE-2010-0263, CVE-2010-0264) Microsoft has released a security update that addresses these vulnerabilities by changing the way that Microsoft Office Excel parses specially crafted Excel files. The security update is rated Important for all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel 2007, Microsoft Office 2004 for Mac, and Microsoft Office 2008 for Mac; Open XML File Format Converter for Mac; and all supported versions of Microsoft Office Excel Viewer and Microsoft Office Compatibility Pack. Previously, this was an iDefense exclusive vulnerability. |
| IMPACT: Successful exploitation allows an attacker to execute arbitrary code. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3); Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3); 2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1); 2007 Microsoft Office System Service Pack 2 (Microsoft Office Excel 2007 Service Pack 2); Open XML File Format Converter for Mac; Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2; Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions); Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions); Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions). Refer to Microsoft Security Bulletin MS10-017 for further details. Workaround: 2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865. Impact of the workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted. 3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. Impact of the workaround: If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System. |
| Microsoft Excel MDXTUPLE Record Heap Overflow Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 110105 |
| VENDOR REFERENCE: MS10-017 |
| CVE REFERENCE: CVE-2010-0260 |
| CVSS SCORES: Base 7.5/ Temporal 5.5 |
| THREAT: Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft.
The application is vulnerable to a heap overflow when parsing an MDXTUPLE record inside of the Excel Workbook globals stream. This record stores metadata for external data connections inside the workbook. Excel Versions 2007 SP0, SP1 and SP2 are vulnerable. Microsoft has released a patch to address this issue. Previously, this was an iDefense exclusive vulnerability. |
| IMPACT: Successful exploitation of this vulnerability can allow the attacker to execute arbitrary code with privileges of the current user. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3); Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3); 2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1); 2007 Microsoft Office System Service Pack 2 (Microsoft Office Excel 2007 Service Pack 2); Open XML File Format Converter for Mac; Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2; Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions); Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions); Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions). Refer to Microsoft Security Bulletin MS10-017 for further details. Workaround: 2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865. Impact of the workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted. 3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. Impact of the workaround: If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System. |
| Microsoft Excel FNGROUPNAME Record Uninitialized Memory Vulnerability |
|---|
| SEVERITY: Critical |
| QUALYS ID: 110106 |
| VENDOR REFERENCE: MS10-017 |
| CVE REFERENCE: CVE-2010-0262 |
| CVSS SCORES: Base 7.5/ Temporal 5.5 |
| THREAT: Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft.
The application is vulnerable to a remote exploitation of an uninitialized memory issue when the application parses an FNGROUPCOUNT record inside of the Excel worksheet. Excel Versions 2003 and 2007 are vulnerable. Microsoft has released a patch to resolve this issue. Previously, this was an iDefense exclusive vulnerability. |
| IMPACT: Successful exploitation of this vulnerability can allow the attacker to execute arbitrary code with privileges of the current user. |
| SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3); Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3); 2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1); 2007 Microsoft Office System Service Pack 2 (Microsoft Office Excel 2007 Service Pack 2); Open XML File Format Converter for Mac; Microsoft Office Excel Viewer Service Pack 1 and Microsoft Office Excel Viewer Service Pack 2; Microsoft Office SharePoint Server 2007 Service Pack 1 (32-bit editions); Microsoft Office SharePoint Server 2007 Service Pack 2 (32-bit editions); Microsoft Office SharePoint Server 2007 Service Pack 1 (64-bit editions). Refer to Microsoft Security Bulletin MS10-017 for further details. Workaround: 2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865. Impact of the workaround: Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted. 3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. Impact of the workaround: If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System. |
| Microsoft Internet Explorer Remote Code Execution Vulnerability |
|---|
| SEVERITY: Urgent |
| QUALYS ID: 100083 |
| VENDOR REFERENCE: KB981374 |
| CVE REFERENCE: CVE-2010-0806 |
| CVSS SCORES: Base 7.5/ Temporal 7.1 |
| THREAT: Microsoft Internet Explorer is a Web browser for Microsoft Windows.
A vulnerability exists in Internet Explorer due to an invalid pointer reference. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
Affected Versions: NOTE: The vulnerability is currently being actively exploited. |
| IMPACT: Successful exploitation allows remote code execution. An attacker who successfully exploits this vulnerability could gain the same user rights as a logged on user. |
| SOLUTION: There are no vendor supplied patches available at this time. However, Internet Explorer 8 is not affected by these vulnerabilities.
Workarounds: 2) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. Impact of workaround #1 and #2: On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently. 3) Modify the Access Control List (ACL) on iepeers.dll. Impact of workaround #3: Extended MSHTML functionality such as printing and Web folders may be affected. 4) Enable DEP for Internet Explorer 6 Service Pack 2 or Internet Explorer 7. Microsoft is providing a Microsoft Fix it solution to enable or disable this workaround. Refer to KB981374 for the Fix it solution. Impact of workaround #4: Some browser extensions may not be compatible with DEP and may exit unexpectedly. If this occurs, you can disable the extension, or revert the DEP setting using the Internet Control Panel. This is also accessible using the System Control panel. Detailed steps on applying the workarounds can be found in the Workaround section of Microsoft Security Advisory 981374. |
This new vulnerability check is included in Qualys vulnerability signatures v1.26.13-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.
SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
  - 90588
  - 110103
  - 110104
  - 110105
  - 110106
  - 100083
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if QualysGuard is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.
