Microsoft Security Bulletin: February 2010 Security Bulletin

Platform
OVERVIEW

Enterprise TruRisk Platform

Everything you need to measure, manage, and reduce your cyber risk in one place

CAPABILITIES

All

Asset Management

Vulnerability & Configuration Management

Risk Remediation

Threat Detection & Response

Compliance

Cloud Security

PLATFORM APPS

ASSET MANAGEMENT

CyberSecurity Asset Management (CSAM)
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software

External Attack Surface Management (EASM) - New
Gain an attacker’s view of your external internet-facing assets and unauthorized software

Vulnerability & Configuration Management

Vulnerability Management, Detection & Response (VMDR) - Most Popular
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster

Enterprise TruRisk Management (ETM) - New
Consolidate & translate security & vulnerability findings from 3rd party tools

Web App Scanning (WAS)
Automate scanning in CI/CD environments with shift left DAST testing

Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment

Risk REMEDIATION

Patch Management (PM)
Efficiently remediate vulnerabilities and patch systems

Custom Assessment and Remediation (CAR)
Quickly create custom scripts and controls for faster, more automated remediation

Threat Detection and Response

Multi-Vector EDR
Advanced endpoint threat protection, improved threat context, and alert prioritization

Context XDR
Extend detection and response beyond the endpoint to the enterprise

Compliance

Policy Compliance
Reduce risk, and comply with internal policies and external regulations with ease

File Integrity Monitoring (FIM)
Reduce alert noise and safeguard files from nefarious actors and cyber threats

Cloud Security

TotalCloud (CNAPP)
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.

Cloud Security Posture Management (CSPM)
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.

Infrastructure as Code Security (IaC)
Detect and remediate security issues within IaC templates

SaaS Security Posture Management (SSPM) - New
Manage your security posture and risk across your entire SaaS application stack

Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment

Cloud Detection and Response (CDR)
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.

Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime
Solutions
Use Cases

Endpoint Security

Compliance

PCI Compliance

DORA Compliance

Cloud Security

Application Security

DevOps

Threat Protection

NIS2

Zero-Trust Security

Segments

Small Business

Mid-Sized Business

Enterprise

Federal
Resources
RESOURCES

Resources Library

Product Tours

Blog

Webinars

Qualys Stream

Fundamentals

RESEARCH

Threat Research Unit

Security Alerts

Security Advisories
Support
SUPPORT
More
Customers

Overview

Best Practices

Success Stories

Testimonials
Partners

Overview

Partner Program

VAD Partners

VAR Resellers

MSP/MSSP Partners

Integration Partners

Partner FAQs

Find a Partner
Company

About Us

Our Team

Investor Relations

News

Awards

Events

Careers

Community
- Overview
- Discuss
- Blog
- Training
- Docs
- Resources
Login
What’s my platform?
Contact us
Contact us below to request a quote, or for any product-related questions
Create Account. It’s Free!
Try PM for free
Try VMDR for free
Try VMDR TruRisk for free
Try CS for free
Sign up for TotalCloud
Sign up for CDR
Try CSAM for free
Try PCI for free
Try DORA for free
Try Policy Compliance for free
Try VMDR for Mobile Devices
Try SaaSDR for free
Try Multi-Vector EDR for Free
Try CAR for Free
Request a Demo
Try it
Enterprise TruRisk Platform
- Cloud Platform - Free Trial
Free Services

Try it

Overview
Platform Apps
Vulnerability Management, Detection & Response (VMDR) - Most Popular
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Enterprise TruRisk Management (ETM) - New
Consolidate & translate security & vulnerability findings from 3rd party tools
Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime
Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Web App Scanning (WAS)
Automate scanning in CI/CD environments with shift left DAST testing

Overview
Platform Apps
TotalCloud (CNAPP)
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Cloud Security Posture Management (CSPM)
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Infrastructure as Code Security (IaC)
Detect and remediate security issues within IaC templates
SaaS Security Posture Management (SSPM) - New
Manage your security posture and risk across your entire SaaS application stack
Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Cloud Detection and Response (CDR)
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 26 vulnerabilities that were fixed in 15 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 15 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

Microsoft Windows Cumulative Security Update of ActiveX Kill Bits (MS10-008)

Severity

Critical 4

Qualys ID

90583

Vendor Reference

MS10-008

CVE Reference

CVE-2010-0252

CVSS Scores

Base 9.3 / Temporal 6.9

Description

The Microsoft Data Analyzer ActiveX control allows programmatic control of the Data Analyzer from COM-based development applications such as Microsoft Visual Basic.
A remote code execution vulnerability exists in the Microsoft Data Analyzer ActiveX Control. An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution
Microsoft has released a security update to resolve this issue. The security update is rated Critical for all supported editions of Microsoft Windows 2000 and Windows XP, Important for all supported editions of Windows Vista and Windows 7, Moderate for all supported editions of Windows Server 2003, and Low for all supported editions of Windows Server 2008 and Windows Server 2008 R2.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
Updates for Windows Embedded Standard 7 Are Now Available (KB978262)

Consequence

Successfully exploiting this vulnerability might allow a remote attacker to execute arbitrary code.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS10-008 for further details.
Workaround:
1) Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting.
2) Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
Impact of workaround #1 and #2:
On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.
3) Prevent COM objects from running in Internet Explorer.
Refer to the advisory to obtain detailed information on enabling and disabling the workarounds.
Microsoft Office Remote Code Execution Vulnerability (MS10-003)

Severity

Critical 4

Qualys ID

110113

Vendor Reference

MS10-003

CVE Reference

CVE-2010-0243

CVSS Scores

Base 9.3 / Temporal 6.9

Description

Microsoft Office is an office suite of interrelated desktop applications and services for the Microsoft Windows and Mac OS X operating systems.
The mso.dll contains a buffer overflow. This could allow remote code execution if opening crafted office files. (CVE-2010-0243)
Microsoft has released a security update to resolve this issue.

Consequence

Successful exploitation of this vulnerability can allow the attacker to execute arbitrary code with privileges of the current user.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office XP Service Pack 3
Microsoft Office 2004 for Mac
Refer to Microsoft Security Bulletin MS10-003 for further details.
Workaround:
Do not open Office files from untrusted sources.
Microsoft PowerPoint LinkedSlideAtom Heap Overflow Vulnerability (MS10-004)

Severity

Critical 4

Qualys ID

110107

Vendor Reference

MS10-004

CVE Reference

CVE-2010-0030

CVSS Scores

Base 9.3 / Temporal 6.9

Description

Microsoft PowerPoint is a proprietary presentation application written and distributed by Microsoft.
The application is vulnerable to a heap-based buffer overflow issue when the application parses two related PowerPoint record types (LinkedSlideAtom and LinkedShapeAtom10) in a malicious file.
PowerPoint 2000 SP3, PowerPoint 2002 (XP) SP3 and PowerPoint 2003 SP3 are vulnerable.
Previously this was an iDefense exclusive detection.

Consequence

Successful exploitation of this vulnerability can allow the attacker to execute arbitrary code with privileges of the current user.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office XP Service Pack 3 (Microsoft Office PowerPoint 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office PowerPoint 2003 Service Pack 3)
Microsoft Office 2004 for Mac
Refer to Microsoft Security Bulletin MS10-004 for further details.
Workaround:
1) Avoid opening Office files received from untrusted sources.
2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources, because it protects Office 2003 installations by more securely opening Word, Excel and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of workaround #2:
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. The following registry scripts can be used to set the File Block policy.
Note: Modifying the Registry incorrectly can cause serious problems that may require re-installation of the operating system.
For Office 2003:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
For 2007 Office Systems:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
Impact of workaround #3:
If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
Microsoft PowerPoint OEPlaceholderAtom Use-After-Free Vulnerability (MS10-004)

Severity

Critical 4

Qualys ID

110108

Vendor Reference

MS10-004

CVE Reference

CVE-2010-0032

CVSS Scores

Base 9.3 / Temporal 6.9

Description

Microsoft PowerPoint is a proprietary presentation application written and distributed by Microsoft.
The application is vulnerable to a memory corruption issue (Use-After-Free) when the application parses multiple "OEPlaceholderAtom" records in a "msofbtClientData" container.
PowerPoint 2000 SP3, PowerPoint 2002 (XP) SP3 and PowerPoint 2003 SP3 are vulnerable.
Previously this was an iDefense exclusive detection.

Consequence

Successful exploitation of this vulnerability can allow the attacker to execute arbitrary code with privileges of the current user.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office XP Service Pack 3 (Microsoft Office PowerPoint 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office PowerPoint 2003 Service Pack 3)
Microsoft Office 2004 for Mac
Refer to Microsoft Security Bulletin MS10-004 for further details.
Workaround:
1) Avoid opening Office files received from untrusted sources.
2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources, because it protects Office 2003 installations by more securely opening Word, Excel and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of workaround #2:
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. The following registry scripts can be used to set the File Block policy.
Note: Modifying the Registry incorrectly can cause serious problems that may require re-installation of the operating system.
For Office 2003:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
For 2007 Office Systems:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
Impact of workaround #3:
If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
Microsoft PowerPoint Remote Code Execution Vulnerability (MS10-004)

Severity

Critical 4

Qualys ID

110109

Vendor Reference

MS10-004

CVE Reference

CVE-2010-0029, CVE-2010-0030, CVE-2010-0031, CVE-2010-0032, CVE-2010-0033, CVE-2010-0034

CVSS Scores

Base 9.3 / Temporal 7.7

Description

Microsoft PowerPoint is a proprietary presentation application written and distributed by Microsoft.
The application is vulnerable to the following issues.
- Several vulnerabilities exists in the way that Microsoft Office PowerPoint parses the PowerPoint file format when opening a specially crafted PowerPoint file. (CVE-2010-0034, CVE-2010-0033, CVE-2010-0029)
- The application is vulnerable to a corrupt stack memory in an array when the application parses an "OEPlaceholderAtom" record in a "msofbtClientData" container. (CVE-2010-0031)
- The application is vulnerable to a memory corruption issue (Use-After-Free) when the application parses multiple "OEPlaceholderAtom" records in a "msofbtClientData" container. (CVE-2010-0032)
- The application is vulnerable to a heap-based buffer overflow issue when the application parses two related PowerPoint record types (LinkedSlideAtom and LinkedShapeAtom10) in a malicious file. (CVE-2010-0030)
Previously this was an iDefense exclusive detection.

Consequence

Successful exploitation of this vulnerability can allow the attacker to execute arbitrary code with privileges of the current user.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office XP Service Pack 3 (Microsoft Office PowerPoint 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office PowerPoint 2003 Service Pack 3)
Microsoft Office 2004 for Mac
Refer to Microsoft Security Bulletin MS10-004 for further details.
Workaround:
1) Avoid opening Office files received from un-trusted sources.
2) Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources, because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of workaround #2:
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
3) Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. The following registry scripts can be used to set the File Block policy.
Note: Modifying the Registry incorrectly can cause serious problems that may require re-installation of the operating system.
For Office 2003:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
For 2007 Office system:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
Impact of workaround #3:
If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
Microsoft Windows Paint Remote Code Execution Vulnerability (MS10-005)

Severity

Critical 4

Qualys ID

90581

Vendor Reference

MS10-005

CVE Reference

CVE-2010-0028

CVSS Scores

Base 9.3 / Temporal 7.3

Description

Microsoft Paint is a tool used to create simple or elaborate drawings. In addition, Microsoft Paint can be used to view and edit scanned photos.
Microsoft Paint is prone to a vulnerability that could allow remote code execution if a user viewed a specially crafted JPEG image file using Microsoft Paint. This vulnerability is caused by memory corruption when decoding JPEG images processed by Microsoft Paint.
Microsoft has released a security update to resolve this issue. The update is rated Moderate for Microsoft Windows 2000, Windows XP, and Windows Server 2003.

Consequence

An attacker who successfully exploits this vulnerability could take complete control of an affected system.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS10-005 for further details.
Workaround:
- Disable Microsoft Paint
- On Windows XP and Windows Server 2003, remove Microsoft Paint.
Impact of the workarounds: Users will not be able to run Microsoft Paint.
Refer to the advisory for further details on enabling and disabling the workarounds.
Microsoft SMB Client Remote Code Execution Vulnerability (MS10-006)

Severity

Urgent 5

Qualys ID

90577

Vendor Reference

MS10-006

CVE Reference

CVE-2010-0016, CVE-2010-0017

CVSS Scores

Base 9.3 / Temporal 7.3

Description

Microsoft Server Message Block (SMB) protocol is a Microsoft network file sharing protocol used in Microsoft Windows.
Microsoft SMB Client is prone to the following vulnerabilities:
A remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB responses. (CVE-2010-0016)
A remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. (CVE-2010-0017)
Microsoft has released a security update to address these issues.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
Updates for Windows Embedded Standard 7 Are Now Available (KB978251)

Consequence

Successful exploitation allows remote code execution. An attacker may be able to take complete control of the system.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista Service Pack 2
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS10-006 for further details.
Workaround:
TCP ports 139 and 445 should be blocked at the firewall to protect systems behind the firewall from attempts to exploit this vulnerability.
Impact of workaround: Blocking the ports can cause Windows services or applications using those ports to stop functioning.
Microsoft Windows Shell Handler Remote Code Execution Vulnerability (MS10-007)

Severity

Urgent 5

Qualys ID

90578

Vendor Reference

MS10-007

CVE Reference

CVE-2010-0027

CVSS Scores

Base 9.3 / Temporal 7.3

Description

Microsoft has released a security update that resolves a vulnerability in Microsoft Windows 2000, Windows XP, and Windows Server 2003.
A remote code execution vulnerability exists in Microsoft Windows. The vulnerability results from the incorrect validation of input sent to the ShellExecute API function.
The security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
April 2012 Security Updates are Live on ECE for XPe and Standard 2009 (KB975713)

Consequence

Successfully exploiting this issue might allow a remote attacker to could take complete control of an affected system.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS10-007 for further details.
Microsoft Windows TCP/IP Remote Code Execution Vulnerability (MS10-009)

Severity

Urgent 5

Qualys ID

116887

Vendor Reference

MS10-009

CVE Reference

CVE-2010-0239, CVE-2010-0240, CVE-2010-0241, CVE-2010-0242

CVSS Scores

Base 10 / Temporal 7.8

Description

Microsoft has released a security update that resolves the following vulnerabilities in Microsoft Windows:
- A remote code execution vulnerability exists in the Windows TCP/IP stack due to insufficient bounds checking when processing specially crafted ICMPv6 Router Advertisement packets.
- A remote code execution vulnerability exists in the Windows TCP/IP stack due to the manner in which the TCP/IP stack handles specially crafted Encapsulating Security Payloads over UDP datagram fragments when running a custom network driver.
- A remote code execution vulnerability exists in the Windows TCP/IP stack due to insufficient bounds checking when processing specially crafted ICMPv6 Route Information packets.
- A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted TCP packets with a malformed selective acknowledgment value.
This security update is rated Critical for Windows Vista and Windows Server 2008.

Consequence

Successful exploitation allows remote code execution and can cause denial of service.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64 based Systems and Windows Server 2008 for x64 based Systems Service Pack 2
Windows Server 2008 for Itanium based Systems and Windows Server 2008 for Itanium based Systems Service Pack 2
Refer to Microsoft Security Bulletin MS10-009 for further details.
Workaround:
1) For CVE-2010-0239 and CVE-2010-0241: Disable the "Core Networking - Router Advertisement (ICMPv6-In)" inbound firewall rule.
Impact of workaround #1: ICMPv6 router advertisements will be blocked.
2) For CVE-2010-0240: Enable advanced TCP/IP filtering on systems that support this feature
Refer to the advisory to obtain additional details for applying these workarounds.
Microsoft Windows Server 2008 Hyper-V Denial of Service Vulnerability (MS10-010)

Severity

Critical 4

Qualys ID

90580

Vendor Reference

MS10-010

CVE Reference

CVE-2010-0026

CVSS Scores

Base 4 / Temporal 3

Description

Microsoft Hyper-V Server is a stand-alone product that provides a reliable and optimized virtualization solution enabling organizations to improve server utilization and reduce costs.
A denial of service vulnerability exists in Hyper-V on Windows Server 2008 and Windows Server 2008 R2. The vulnerability is due to insufficient validation of specific sequences of machine instructions by Hyper-V. An attacker who successfully exploits this vulnerability could cause the affected Hyper-V system to stop responding. This would affect all virtual machines hosted by that system.
Affected Operating Systems:
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems

Consequence

An attacker who successfully exploits this vulnerability could cause a users system to become non-responsive until the system is restarted.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems
Refer to Microsoft Security Bulletin MS10-010 for further details.
Microsoft Windows Client/Server Run-time Subsystem Elevation of Privilege Vulnerability (MS10-011)

Severity

Critical 4

Qualys ID

116886

Vendor Reference

MS10-011

CVE Reference

CVE-2010-0023

CVSS Scores

Base 6.9 / Temporal 5.4

Description

Microsoft has released a security update to resolve a vulnerability in Microsoft Windows Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000, Windows XP, and Windows Server 2003.
An elevation of privilege vulnerability exists because the Windows Client/Server Run-time Subsystem (CSRSS) does not properly terminate user processes when a user logs out.
The security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, and Windows Server 2003.

Consequence

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. This vulnerability can not be exploited by anonymous users. The vulnerability could allow elevation of privilege if an attacker logs on to the system and starts a specially crafted application designed to continue running after the attacker logs out.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS10-011 for further details.
Microsoft SMB Server Remote Code Execution Vulnerability (MS10-012)

Severity

Urgent 5

Qualys ID

90579

Vendor Reference

MS10-012

CVE Reference

CVE-2010-0020, CVE-2010-0021, CVE-2010-0022, CVE-2010-0231

CVSS Scores

Base 10 / Temporal 7.8

Description

Microsoft Server Message Block (SMB) Protocol is a Microsoft network file sharing protocol used in Microsoft Windows.
Microsoft SMB Server is prone to the following vulnerabilities:
An authenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB packets. (CVE-2010-0020)
A SMB memory corruption exists due to Microsoft Server Message Block (SMB) protocol software improperly handling a race condition that can occur when parsing SMB packets during the Negotiate phase. (CVE-2010-0021)
A null pointer vulnerability exists due to Microsoft Server Message Block (SMB) Protocol software improperly verifying the share and servername fields in malformed SMB packets. (CVE-2010-0022)
- A vulnerability is caused by a lack of cryptographic entropy when the SMB server generates challenges and presents them to a connecting client. This could cause an attacker to continuously attempt to authenticate against the SMB server and subsequently cause that server to generate duplicate values. (CVE-2010-0231)
Microsoft has released a security update to address these issues.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
Updates for Windows Embedded Standard 7 Are Now Available (KB971468)

Consequence

Successful exploitation allows remote code execution as well as cause denial of service conditions.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Refer to Microsoft Security Bulletin MS10-012 for further details.
Workaround:
TCP ports 139 and 445 should be blocked at the firewall to protect systems behind the firewall from attempts to exploit this vulnerability.
Impact of workaround: Blocking the ports can cause several windows services or applications using those ports to stop functioning.
Microsoft DirectShow Remote Code Execution Vulnerability (MS10-013)

Severity

Urgent 5

Qualys ID

90584

Vendor Reference

MS10-013

CVE Reference

CVE-2010-0250

CVSS Scores

Base 9.3 / Temporal 7.7

Description

Microsoft DirectShow is used for streaming media on Microsoft Windows operating systems. DirectShow is also integrated with other DirectX technologies.
A remote code execution vulnerability exists in the way that Microsoft DirectShow parses AVI media files. This vulnerability could allow remote code execution if a user opened a specially crafted AVI file. (CVE-2010-0250)
Microsoft has released a security update to resolve this issue.
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
Updates for Windows Embedded Standard 7 Are Now Available (KB975560)

Consequence

An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 (AVI Filter)
Microsoft Windows 2000 Service Pack 4 (Quartz)
Microsoft Windows 2000 Service Pack 4 (Quartz in DirectX 9.0)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (AVI Filter)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Quartz)
Windows XP Professional x64 Edition Service Pack 2 (AVI Filter)
Windows XP Professional x64 Edition Service Pack 2 (Quartz)
Windows Server 2003 Service Pack 2 (AVI Filter)
Windows Server 2003 Service Pack 2 (Quartz)
Windows Server 2003 x64 Edition Service Pack 2 (AVI Filter)
Windows Server 2003 x64 Edition Service Pack 2 (Quartz)
Windows Server 2003 with SP2 for Itanium-based Systems (AVI Filter)
Windows Server 2003 with SP2 for Itanium-based Systems (Quartz)
Windows Vista, Windows Vista Service Pack 1 and Windows Vista Service Pack 2 (Quartz)
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 (Quartz)
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 (Quartz)
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 (Quartz)
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2 (Quartz)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS10-013.
Microsoft Windows Kerberos Denial of Service Vulnerability (MS10-014)

Severity

Critical 4

Qualys ID

90582

Vendor Reference

MS10-014

CVE Reference

CVE-2010-0035

CVSS Scores

Base 6.3 / Temporal 4.7

Description

Microsoft has released a security update that addresses a denial of service vulnerability for Microsoft Windows.
The vulnerability exists in implementations of Kerberos. The vulnerability is due to improper handling of Ticket-Granting-Ticket renewal requests by a client on a remote, non-Windows realm in a mixed-mode Kerberos implementation. (CVE-2010-0035)
The security update is rated Critical for all supported editions of Microsoft Windows 2000 and Windows XP, Important for all supported editions of Windows Vista and Windows 7, Moderate for all supported editions of Windows Server 2003, and Low for all supported editions of Windows Server 2008 and Windows Server 2008 R2.

Consequence

Successfully exploiting this vulnerability might allow a remote attacker to cause affected Windows domain controller to stop responding.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Server Service Pack 4
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Refer to Microsoft Security Bulletin MS10-014 for further details.
Microsoft Windows Kernel Elevation Privilege Vulnerability (MS10-015 and KB977165)

Severity

Critical 4

Qualys ID

90576

Vendor Reference

MS10-015

CVE Reference

CVE-2010-0232, CVE-2010-0233

CVSS Scores

Base 7.2 / Temporal 6

Description

Windows Kernel is the core of the operating system. It provides system level services such as device management and memory management, allocates processor time to processes, and manages error handling.
The kernel is prone to multiple elevation of privilege vulnerabilities. An attacker who successfully exploits this vulnerability could execute arbitrary code and take complete control of an affected system.
Affected Software:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows Server 2003 Service Pack 2
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
Updates for Windows Embedded Standard 7 Are Now Available (KB977165)

Consequence

A successful exploit will allow arbitrary attacker-supplied code to run with kernel-level privileges.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Refer to Microsoft Security Bulletin MS10-015 for further details. Also refer to Microsoft Security Advisory (979682) to obtain additional details on one of the vulnerabilities that was resolved by MS10-015.
Workaround:
- Disable the NTVDM subsystem
See Microsoft Knowledge Base Article 979682 to use the automated Microsoft Fix it solution to enable or disable this workaround.
Manual Instructions are as follows:
1. Click Start, click Run, type gpedit.msc in the Open box, and then click OK. This opens the Group Policy console.
1. Expand the Administrative Templates folder and then click Windows Components.
2. Click the Application Compatibility folder.
3. In the details pane, double click the Prevent access to 16-bit applications policy setting. By default, this is set to Not Configured.
4. Change the policy setting to Enabled and then click OK.
Impact of Workaround - Users will not be able to run 16-bit applications.
There are reports of MS10-015 causing a blue screen in some systems due to presence of a rootkit. To determine whether the system is compatible with security update 977165, please refer to KB980966 for further information.

These new vulnerability checks are included in Qualys vulnerability signature 1.24.122-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

Ensure access to TCP ports 135 and 139 are available.
Enable Windows Authentication (specify Authentication Records).
Enable the following Qualys IDs:
- 90583
- 110113
- 110107
- 110108
- 110109
- 90581
- 90577
- 90578
- 116887
- 90580
- 116886
- 90579
- 90584
- 90582
- 90576
If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.

OVERVIEW

CAPABILITIES

PLATFORM APPS

ASSET MANAGEMENT

Vulnerability & Configuration Management

Risk REMEDIATION

Threat Detection and Response

Compliance

Cloud Security

Use Cases

Segments

RESOURCES

RESEARCH

Customers

Partners

Company

Overview

CAPABILITIES

Platform Apps

Use Cases

Segments

Resources

Research

Enterprise TruRisk Platform

Free Services

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Microsoft security alert.

February 9, 2010

Advisory overview

Vulnerability details

Microsoft Windows Cumulative Security Update of ActiveX Kill Bits (MS10-008)

Microsoft Office Remote Code Execution Vulnerability (MS10-003)

Microsoft PowerPoint LinkedSlideAtom Heap Overflow Vulnerability (MS10-004)

Microsoft PowerPoint OEPlaceholderAtom Use-After-Free Vulnerability (MS10-004)

Microsoft PowerPoint Remote Code Execution Vulnerability (MS10-004)

Microsoft Windows Paint Remote Code Execution Vulnerability (MS10-005)

Microsoft SMB Client Remote Code Execution Vulnerability (MS10-006)

Microsoft Windows Shell Handler Remote Code Execution Vulnerability (MS10-007)

Microsoft Windows TCP/IP Remote Code Execution Vulnerability (MS10-009)

Microsoft Windows Server 2008 Hyper-V Denial of Service Vulnerability (MS10-010)

Microsoft Windows Client/Server Run-time Subsystem Elevation of Privilege Vulnerability (MS10-011)

Microsoft SMB Server Remote Code Execution Vulnerability (MS10-012)

Microsoft DirectShow Remote Code Execution Vulnerability (MS10-013)

Microsoft Windows Kerberos Denial of Service Vulnerability (MS10-014)

Microsoft Windows Kernel Elevation Privilege Vulnerability (MS10-015 and KB977165)

Selective Scan Instructions Using Qualys

Access for Qualys Customers

Technical Support

About Qualys