July 13, 2010
Microsoft Security Bulletin: July 2010
Advisory Overview

July 13, 2010 - Qualys® Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against 4 vulnerabilities present in Microsoft Windows that were announced today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.

Vulnerability Details

Microsoft has released 4 security patches to fix newly discovered flaws in Microsoft Windows.

Qualys has released the following checks for these new vulnerabilities:


Microsoft Windows Help and Support Center Remote Code Execution Vulnerability (MS10-042 and KB2219475)
SEVERITY: Critical (4)
QUALYS ID: 90609
VENDOR REFERENCE: MS10-042
CVE REFERENCE: CVE-2010-1885
CVSS SCORES: Base / Temporal
THREAT: Microsoft Windows Help and Support Center (HSC) is a feature in Windows that provides help on a variety of topics. The following remote code execution vulnerabilities exist because the Windows Help and Support Center does not properly validate URLs when using the HCP Protocol.

The first issue is caused by an error in the "MPC::HTML::UrlUnescapeW()" function within the Help and Support Center application (helpctr.exe) that does not properly check the return code of "MPC::HexToNum()" when escaping URLs. This could allow attackers to bypass whitelist restrictions and invoke arbitrary help files.

The second vulnerability is caused by an input validation error in the "GetServerName()" function in the "C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\commonFunc.js" script invoked via "ShowServerName()" in "C:\WINDOWS\PCHealth\HelpCtr\System\sysinfo\sysinfomain.htm". This vulnerability could be exploited by attackers to execute arbitrary scripting code in the security context of the Help and Support Center.

By combining these vulnerabilities, a remote attacker can inject malicious code in the Help and Support Center and execute arbitrary commands on a vulnerable system by tricking a user into visiting a specially crafted Web page.

Affected software:
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems

Microsoft has released a security update that addresses the vulnerability by modifying the manner in which data is validated when passed to the Windows Help and Support Center. This security update is rated Critical for all supported editions of Windows XP, and Low for all supported editions of Windows Server 2003.

IMPACT: Successful exploitation could allow a remote attacker to execute arbitrary commands with the privileges of the current user.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Refer to Microsoft Security Bulletin MS10-042 for further details.

Workaround:
The vendor has provided an automated Microsoft Fix it solution to enable or disable this workaround. Refer to KB2219475 for the automated solution. Manual instructions are listed below:

Unregister the HCP protocol using the following steps:
1. Click Start, and then click Run.
2. Type regedit, and then click OK.
3. Expand HKEY_CLASSES_ROOT, and then highlight the HCP key.
4. Right-click the HCP key, and then click Delete.

Impact of the workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work.

Refer to vendor advisories Microsoft Security Bulletin MS10-042 and Microsoft Security Advisory 2219475 to obtain more information about this vulnerability.


Microsoft Windows Canonical Display Driver Remote Code Execution Vulnerability (MS10-043 and Microsoft Security Advisory 2028859)
SEVERITY: Urgent (5)
QUALYS ID: 90603
VENDOR REFERENCE: MS10-043
CVE REFERENCE: CVE-2009-3678
CVSS SCORES: Base / Temporal
THREAT: The Microsoft Windows Canonical Display Driver (CDD or cdd.dll) is used by desktop composition to blend GDI and DirectX drawings. CDD emulates the interface of a Windows XP display driver for interactions with the Win32k GDI graphics engine. CDD is prone to a remote code execution vulnerability because it does not properly parse information copied from user mode to kernel mode.

Affected Operating Systems:
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems

Microsoft has released a security update that addresses the vulnerability by correcting the manner in which CDD parses information copied from user mode to kernel mode. This security update is rated Critical for x64-based editions of Windows 7 and Important for Windows Server 2008 R2.

IMPACT: Successfully exploiting this issue could allow a remote attacker to execute arbitrary code.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Windows 7 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems

Refer to Microsoft Security Bulletin MS10-043 for further details.

Workaround:
Disable the Windows Aero Theme. Further instructions on applying the workaround can be found at Microsoft Security Bulletin MS10-043 and Microsoft Security Advisory 2028859.


Microsoft Office Access ActiveX Controls Remote Code Execution Vulnerabilities (MS10-044)
SEVERITY: Urgent (5)
QUALYS ID: 110127
VENDOR REFERENCE: MS10-044
CVE REFERENCE: CVE-2010-0814 | CVE-2010-1881
CVSS SCORES: Base 9.3/ Temporal 6.9
THREAT: Microsoft Office Access is a pseudo-relational database management system from Microsoft that combines the relational Microsoft Jet Database Engine with a graphical user interface and software development tools.

Office Access is exposed to multiple remote code execution vulnerabilities.

A remote code execution vulnerability exists in Access ActiveX controls due to the way multiple ActiveX controls are loaded by Internet Explorer. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged on user. (CVE-2010-0814)

A remote code execution vulnerability exists in the way the FieldList ActiveX control is instantiated by Microsoft Office and Internet Explorer. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged on user. (CVE-2010-1881)

Microsoft has released an update that addresses these vulnerabilities by updating specific Access ActiveX controls and by modifying the way memory is accessed by Microsoft Office and by Internet Explorer when loading Access ActiveX controls. This security update is rated Critical for supported editions of Microsoft Office Access 2003 and Microsoft Office Access 2007.

IMPACT: Successfully exploiting these issues might allow a remote attacker to execute arbitrary code.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Office 2003 Service Pack 3 (Microsoft Office Access 2003 Service Pack 3)

2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2 (Microsoft Office Access 2007 Service Pack 1 and Microsoft Office Access 2007 Service Pack 2)

Refer to Microsoft Security Bulletin MS10-044 for further details.

Workarounds:
1) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting.

2) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zones.

Impact of workaround #1 and #2:
When visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.

3) Prevent COM objects from running in Internet Explorer by setting the kill bit for the control in the registry. The COM object that will be prevented from instantiating in Internet Explorer by this workaround is the FieldList ActiveX control. Refer to KB240797 for information on preventing a control from running in Internet Explorer.

Impact of workaround #3: The FieldList and ImexGrid controls are used in some of the Access wizards, a feature available in Microsoft Office Access only. After applying this workaround, a subset of wizards may not function properly.

4) Do not open untrusted Microsoft Office files.

Detailed instructions on applying the workarounds can be found at Microsoft Security Bulletin MS10-044.


Microsoft Office Outlook Remote Code Execution Vulnerability (MS10-045)
SEVERITY: Critical (4)
QUALYS ID: 110128
VENDOR REFERENCE: MS10-045
CVE REFERENCE: CVE-2010-0266
CVSS SCORES: Base 9.3/ Temporal 7.3
THREAT: Microsoft Office Outlook is prone to a remote code execution vulnerability.

The vulnerability is due to Microsoft Office Outlook not properly verifying an attachment that is attached using the ATTACH_BY_REFERENCE value of the PR_ATTACH_METHOD property in a specially crafted e-mail message.

Microsoft has released a security update that addresses the vulnerability by modifying the way Microsoft Office Outlook verifies attachments in a specially crafted e-mail message.

This security update is rated Important for all supported editions of Microsoft Office Outlook 2002, 2003 and 2007.

IMPACT: The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
SOLUTION: Patch:
Following are links for downloading patches to fix the vulnerabilities:

Microsoft Office XP Service Pack 3 (Microsoft Office Outlook 2002 Service Pack 3)

Microsoft Office 2003 Service Pack 3 (Microsoft Office Outlook 2003 Service Pack 3)

2007 Microsoft Office System Service Pack 1 and 2007 Microsoft Office System Service Pack 2 (Microsoft Office Outlook 2007 Service Pack 1 and Microsoft Office Outlook 2007 Service Pack 2)

Refer to Microsoft Security Bulletin MS10-045 for further details.

Workarounds:
1) Do not open e-mail attachments from untrusted sources.

2) Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.

Impact of workaround #2: When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

Detailed instructions on applying the workarounds can be found at Microsoft Security Bulletin MS10-045.
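The following PowerShell script is an added example, not part of the Qualys advisory or of Microsoft's guidance. It audits a single host for the registry- and service-based workarounds described above for MS10-042 (HCP protocol unregistered), MS10-044 (IE zone settings and the FieldList kill bit) and MS10-045 (WebClient service disabled). The FieldList control's CLSID is not given on this page, so the script carries a placeholder that must be replaced from the vendor bulletin or KB240797; the zone value names (1200, 1400) and the kill-bit flag (0x400) are standard Internet Explorer registry semantics.

```powershell
# Added audit script: reports whether the MS10-042 / MS10-044 / MS10-045 workarounds are in place.
# Run in an elevated PowerShell session on the host being checked. Read-only; changes nothing.
$FieldListClsid = '{00000000-0000-0000-0000-000000000000}'   # PLACEHOLDER: real FieldList CLSID from MS10-044

function Test-HcpProtocolRegistered {
    # MS10-042 workaround: the hcp:// handler is registered under HKEY_CLASSES_ROOT\HCP.
    # True means the protocol is still registered, i.e. the workaround has NOT been applied.
    return (Test-Path 'Registry::HKEY_CLASSES_ROOT\HCP')
}

function Get-ZoneSetting {
    param([int]$Zone, [string]$ValueName)
    # Per-user IE zone settings. Zone 1 = Local intranet, Zone 3 = Internet.
    # Value 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting.
    # Data: 0 = Enable, 1 = Prompt, 3 = Disable. $null = value absent (zone default applies).
    $key  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Test-KillBitSet {
    param([string]$Clsid)
    # MS10-044 workaround #3: bit 0x400 in "Compatibility Flags" under ActiveX Compatibility is the kill bit.
    $key  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ((($item.'Compatibility Flags') -band 0x400) -ne 0)
}

function Get-WebClientState {
    # MS10-045 workaround #2: the WebClient (WebDAV) service should be stopped and its start mode Disabled.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'not present' }
    $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
    return "Status=$($svc.Status) StartMode=$mode"
}

# Report one line per workaround so the output can be collected across hosts.
$hcp = Test-HcpProtocolRegistered
"MS10-042 hcp:// handler registered: $hcp (workaround applied: $(-not $hcp))"
foreach ($z in @(@{ Name = 'Internet'; Id = 3 }, @{ Name = 'Local intranet'; Id = 1 })) {
    $ax = Get-ZoneSetting -Zone $z.Id -ValueName '1200'
    $as = Get-ZoneSetting -Zone $z.Id -ValueName '1400'
    "MS10-044 $($z.Name) zone: ActiveX=$ax ActiveScripting=$as (0=Enable 1=Prompt 3=Disable; blank=default)"
}
"MS10-044 kill bit set for FieldList $FieldListClsid: $(Test-KillBitSet -Clsid $FieldListClsid)"
"MS10-045 WebClient service: $(Get-WebClientState)"
```

Zone settings enforced by Group Policy live under HKLM rather than HKCU, so a blank result here does not by itself prove the MS10-044 zone workaround is absent; check the machine policy hive as well where policy is in use.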

These new vulnerability checks are included in Qualys vulnerability signatures v1.26.119-3. Each QualysGuard account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD:

To perform a selective vulnerability scan, configure a scan profile to use the following options:

  1. Ensure access to TCP ports 135 and 139 is available.
  2. Enable Windows Authentication (specify Authentication Records).
  3. Enable the following Qualys IDs:
    • 90609
    • 90603
    • 110127
    • 110128
  4. If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
  5. If you would like to be notified if QualysGuard is unable to logon to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Matrix Report, available from the QualysGuard HOME page.


Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/