Microsoft Security Bulletin: June 2009 Security Bulletin

Platform
OVERVIEW

Enterprise TruRisk Platform

Everything you need to measure, manage, and reduce your cyber risk in one place

CAPABILITIES

All

Asset Management

Vulnerability & Configuration Management

Risk Remediation

Threat Detection & Response

Compliance

Cloud Security

PLATFORM APPS

ASSET MANAGEMENT

CyberSecurity Asset Management (CSAM)
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software

External Attack Surface Management (EASM) - New
Gain an attacker’s view of your external internet-facing assets and unauthorized software

Vulnerability & Configuration Management

Vulnerability Management, Detection & Response (VMDR) - Most Popular
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster

Enterprise TruRisk Management (ETM) - New
Consolidate & translate security & vulnerability findings from 3rd party tools

Web App Scanning (WAS)
Automate scanning in CI/CD environments with shift left DAST testing

Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment

Risk REMEDIATION

Patch Management (PM)
Efficiently remediate vulnerabilities and patch systems

Custom Assessment and Remediation (CAR)
Quickly create custom scripts and controls for faster, more automated remediation

Threat Detection and Response

Multi-Vector EDR
Advanced endpoint threat protection, improved threat context, and alert prioritization

Context XDR
Extend detection and response beyond the endpoint to the enterprise

Compliance

Policy Compliance
Reduce risk, and comply with internal policies and external regulations with ease

File Integrity Monitoring (FIM)
Reduce alert noise and safeguard files from nefarious actors and cyber threats

Cloud Security

TotalCloud (CNAPP)
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.

Cloud Security Posture Management (CSPM)
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.

Infrastructure as Code Security (IaC)
Detect and remediate security issues within IaC templates

SaaS Security Posture Management (SSPM) - New
Manage your security posture and risk across your entire SaaS application stack

Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment

Cloud Detection and Response (CDR)
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.

Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime
Solutions
Use Cases

Endpoint Security

Compliance

PCI Compliance

DORA Compliance

Cloud Security

Application Security

DevOps

Threat Protection

NIS2

Zero-Trust Security

Segments

Small Business

Mid-Sized Business

Enterprise

Federal
Resources
RESOURCES

Resources Library

Product Tours

Blog

Webinars

Qualys Stream

Fundamentals

RESEARCH

Threat Research Unit

Security Alerts

Security Advisories
Support
SUPPORT
More
Customers

Overview

Best Practices

Success Stories

Testimonials
Partners

Overview

Partner Program

VAD Partners

VAR Resellers

MSP/MSSP Partners

Integration Partners

Partner FAQs

Find a Partner
Company

About Us

Our Team

Investor Relations

News

Awards

Events

Careers

Community
- Overview
- Discuss
- Blog
- Training
- Docs
- Resources
Login
What’s my platform?
Contact us
Contact us below to request a quote, or for any product-related questions
Create Account. It’s Free!
Try PM for free
Try VMDR for free
Try VMDR TruRisk for free
Try CS for free
Sign up for TotalCloud
Sign up for CDR
Try CSAM for free
Try PCI for free
Try DORA for free
Try Policy Compliance for free
Try VMDR for Mobile Devices
Try SaaSDR for free
Try Multi-Vector EDR for Free
Try CAR for Free
Request a Demo
Try it
Enterprise TruRisk Platform
- Cloud Platform - Free Trial
Free Services

Try it

Overview
Platform Apps
Vulnerability Management, Detection & Response (VMDR) - Most Popular
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Enterprise TruRisk Management (ETM) - New
Consolidate & translate security & vulnerability findings from 3rd party tools
Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime
Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Web App Scanning (WAS)
Automate scanning in CI/CD environments with shift left DAST testing

Overview
Platform Apps
TotalCloud (CNAPP)
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Cloud Security Posture Management (CSPM)
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Infrastructure as Code Security (IaC)
Detect and remediate security issues within IaC templates
SaaS Security Posture Management (SSPM) - New
Manage your security posture and risk across your entire SaaS application stack
Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Cloud Detection and Response (CDR)
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 31 vulnerabilities that were fixed in 10 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 10 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

Microsoft Active Directory Remote Code Execution Vulnerability (MS09-018)

Severity

Serious 3

Qualys ID

90505

Vendor Reference

MS09-018

CVE Reference

CVE-2009-1138, CVE-2009-1139

CVSS Scores

Base 10 / Temporal 7.8

Description

Active Directory is used to provide central authentication and authorization services for Windows-based computers.
The following vulnerabilities exist in Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003:
- A remote code execution vulnerability exists because the LDAP service incorrectly frees memory when processing specially crafted LDAP or LDAPS requests. An attacker can exploit this flaw by sending a malicious LDAP or LDAPS packet to a domain controller. (CVE-2009-1138)
- A denial of service vulnerability exists because the LDAP service improperly manages memory while executing LDAP or LDAPS requests containing specific OID (Object Identifier) filters. An attacker can exploit this vulnerability by sending a specially crafted LDAP or LDAPS packet to the Active Directory or ADAM server and cause the affected system to stop responding and require it to be restarted. (CVE-2009-1139)
Microsoft has released a security update that addresses these vulnerabilities by correcting the way that the LDAP service allocates and frees memory while processing specially crafted LDAP or LDAPS requests.

Consequence

Successful exploitation of this vulnerability can cause arbitrary execution of code. An attacker who successfully exploits this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation can also cause the affected system to stop responding leading to denial of service.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Server Service Pack 4 (Active Directory)
Windows XP Professional Service Pack 2 and Windows XP Professional Service Pack 3 (Active Directory Application Mode (ADAM))
Windows XP Professional x64 Edition Service Pack 2 (Active Directory Application Mode (ADAM))
Windows Server 2003 Service Pack 2 (Active Directory)
Windows Server 2003 Service Pack 2 (Active Directory Application Mode (ADAM))
Windows Server 2003 x64 Edition Service Pack 2 (Active Directory)
Windows Server 2003 x64 Edition Service Pack 2 (Active Directory Application Mode (ADAM))
Windows Server 2003 with SP2 for Itanium-based Systems (Active Directory)
Refer to Microsoft Security Bulletin MS09-018 for further details.
Workarounds:
- Block TCP ports 389, 636, 3268 and 3269 both inbound and outbound at the firewall since these ports are used to initiate a connection with the affected component.
- Disable anonymous LDAP access on Microsoft Windows 2000 servers. Refer to KB837964 to get information on anonymous LDAP connections.
Note: Applying this workaround will not prevent exploitation of the vulnerability by authenticated users.
Microsoft Internet Explorer Cumulative Security Update (MS09-019)

Severity

Critical 4

Qualys ID

100073

Vendor Reference

MS09-019

CVE Reference

CVE-2007-3091, CVE-2009-1140, CVE-2009-1141, CVE-2009-1528, CVE-2009-1529, CVE-2009-1530, CVE-2009-1531, CVE-2009-1532

CVSS Scores

Base 9.3 / Temporal 7.3

Description

Microsoft Internet Explorer is a Web browser for Microsoft Windows. The following vulnerabilities have been identified in Internet Explorer:
- An information disclosure vulnerability exists in Internet Explorer which can cause a script to create a race condition that could break the same-origin policy of Internet Explorer allowing an attacker to view the content in another browser window in a domain or Internet Explorer zone distinct from the attacker's domain or zone. (CVE-2007-3091)
- An information disclosure vulnerability exists in the way that Internet Explorer caches data and incorrectly allows the cached content to be rendered as HTML, bypassing domain restriction. An attacker can exploit this issue to view content from the local computer or browser window in another domain or Internet Explorer zone. (CVE-2009-1140)
- A remote code execution vulnerability exists when Internet Explorer displays a Web page that contains unexpected method calls to HTML objects. When a user visits a specially crafted Web site, it corrupts system memory allowing an attacker to execute arbitrary code. (CVE-2009-1141)
- Multiple remote code execution vulnerabilities exist in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted. This can be exploited by enticing an unsuspecting user into viewing a specially crafted Web page leading to memory corruption in such a way that an attacker could execute arbitrary code. (CVE-2009-1528, CVE-2009-1529, CVE-2009-1530, CVE-2009-1531, CVE-2009-1532)
Microsoft has released a security update that addresses these vulnerabilities by modifying the way that Internet Explorer handles scripts and cached content and initializes memory.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The June 2009 Security Updates Are Now Available on the ECE (KB969897)

Consequence

Successful exploitation of these vulnerabilities allows arbitrary execution of code in the context of the logged on user. Exploitation also allows an attacker to view data from a Web page.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 5.01 Service Pack 4)
Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Explorer 6 Service Pack 1)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Microsoft Internet Explorer 6)
Windows XP Professional x64 Edition Service Pack 2 (Microsoft Internet Explorer 6)
Windows Server 2003 Service Pack 2 (Microsoft Internet Explorer 6)
Windows Server 2003 x64 Edition Service Pack 2 (Microsoft Internet Explorer 6)
Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft Internet Explorer 6)
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Windows Internet Explorer 7)
Windows XP Professional x64 Edition Service Pack 2 (Windows Internet Explorer 7)
Windows Server 2003 Service Pack 2 (Windows Internet Explorer 7)
Windows Server 2003 x64 Edition Service Pack 2 (Windows Internet Explorer 7)
Windows Server 2003 with SP2 for Itanium-based Systems (Windows Internet Explorer 7)
Windows Vista and Windows Vista Service Pack 1 (Windows Internet Explorer 7)
Windows Vista Service Pack 2 (Windows Internet Explorer 7)
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-019.
Workaround:
- Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
Detailed steps on applying the workarounds can be found at Microsoft Security Bulletin MS09-019.
Impact of the Workaround -
On visiting Web sites on the Internet or Intranet that use ActiveX or Active Scripting to provide additional functionality, you will be prompted frequently when you enable this workaround.
Internet Information Services (IIS) Could Allow Elevation of Privilege (MS09-020)

Severity

Critical 4

Qualys ID

86837

Vendor Reference

MS09-020

CVE Reference

CVE-2009-1122, CVE-2009-1535

CVSS Scores

Base 7.5 / Temporal 5.9

Description

Internet Information Services (IIS) is a set of Internet-based services for servers created by Microsoft for use with Microsoft Windows. Web-based Distributed Authoring and Versioning (WebDAV) is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files on remote Web servers.
IIS is prone to the following vulnerabilities:
- A security vulnerability exists within the WebDAV functionality of Internet Information Server (IIS) because the Web server fails to properly handle unicode tokens when parsing the URI and sending back data. An attacker can exploit this issue to access password protected resources via specially crafted HTTP GET or PROPFIND requests that contain Unicode-encoded characters with a "Translate: f" header. (CVE-2009-1535)
- An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that should require authentication. (CVE-2009-1122)
Microsoft Internet Information Services (IIS) Version 5.0, 5.1, and 6.0 with WebDAV is vulnerable.
Note: By default WebDAV is not enabled on Windows Server 2003 systems running IIS 6.0. Unless WebDAV has been enabled by an administrator on these systems, the vulnerability is not exposed.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The June 2009 Security Updates Are Now Available on the ECE (KB970483)

Consequence

Successful exploitation of this vulnerability allows an attacker to bypass authentication of password protected folders. An attacker could list, download or upload any protected files on the target.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 (Microsoft Internet Information Services 5.0)
Windows XP Professional Service Pack 2 and Windows XP Professional Service Pack 3 (Microsoft Internet Information Services 5.1)
Windows XP Professional x64 Edition Service Pack 2 (Microsoft Internet Information Services 6.0)
Windows Server 2003 Service Pack 2 (Microsoft Internet Information Services 6.0)
Windows Server 2003 x64 Edition Service Pack 2 (Microsoft Internet Information Services 6.0)
Windows Server 2003 with SP2 for Itanium-based Systems (Microsoft Internet Information Services 6.0)
Refer to Microsoft Security Bulletin MS09-020 for further details.
This security update addresses the vulnerability listed in Microsoft Security Advisory 971492.
Workaround:
A: Disabling WebDAV will mitigate this issue, but this may not be possible for sites using Web applications that depend on WebDAV, such as SharePoint.
For IIS 5.0 and IIS 5.1, instructions on disabling WebDav can be found at KB241520
For IIS 6.0, WebDAV can be disabled using the following steps:
1) Launch the IIS Manager MMC snap-in.
2) In the left-hand pane, expand the local computer icon.
3) Click on Web Service Extensions beneath this item.
4) In the right-hand pane, select WebDAV and click the Prohibit button.

Impact of workaround: WebDAV requests will not be served by IIS.
B: Use the IIS Lockdown Tool 2.1 to disable WebDAV on IIS 5.0 and IIS 5.1: Instructions on downloading and installing the tool can be found at KB325864.
Impact of workaround. This method achieves its results by installing UrlScan. By default, UrlScan blocks requests to WebDAV by detecting either HTTP verbs or headers that would be mapped to WebDAV.
C: Use Microsoft UrlScan Filter v3.1 to disable WebDAV on IIS 5.1 and IIS 6.0: Download Microsoft UrlScan Filter v3.1 from one of the following:
32-bit systems
64-based systems
Impact of workaround. This method achieves its results by installing UrlScan. By default, UrlScan blocks requests to WebDAV by detecting either HTTP verbs or headers that would be mapped to WebDAV.
D: If WebDAV functionality is required, change file system ACLs to deny access to the anonymous user account. Detailed information on setting ACLs for IIS content can be found at Article ID 271071 or KB812614.
Microsoft Excel Remote Code Execution Vulnerability (MS09-021)

Severity

Critical 4

Qualys ID

110100

Vendor Reference

MS09-021

CVE Reference

CVE-2009-0549, CVE-2009-0557, CVE-2009-0558, CVE-2009-0559, CVE-2009-0560, CVE-2009-0561, CVE-2009-1134

CVSS Scores

Base 9.3 / Temporal 7.7

Description

Microsoft Excel is a proprietary spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X. Excel is prone to the following vulnerabilities:
- A remote code execution vulnerability is caused by the improper parsing of the Excel spreadsheet file format. An attacker can exploit this issue via a specially crafted Excel file containing a malformed record pointer. (CVE-2009-0549, CVE-2009-1134)
- A remote code execution vulnerability that is caused by the improper parsing of Excel files can be exploited by an attacker via a specially crafted Excel file containing a malformed object record. (CVE-2009-0557)
- Excel is prone to an array indexing error when parsing the Excel spreadsheet file format. An attacker can exploit this issue via a specially crafted Excel file containing a malformed object record. (CVE-2009-0558)
- A stack-based buffer overflow exists due to improper boundary checking when parsing Excel files. An attacker can exploit this issue by persuading an unsuspecting user into opening a specially-crafted Excel file containing an overly long string copy. (CVE-2009-0559)
- A memory corruption vulnerability related to field sanitization occurs when parsing Excel files. An attacker can exploit this issue by persuading an unsuspecting user into opening a specially-crafted Excel file containing a malformed record object. (CVE-2009-0560)
- Excel is prone to a record integer overflow vulnerability which can be exploited via a specially-crafted Excel file containing a malformed object record. (CVE-2009-0561)
Microsoft has released an update that addresses the vulnerabilities by modifying the way that Excel parses Excel files.

Consequence

Successful exploitation of these vulnerabilities allows an attacker to run arbitrary code as the logged-on user. An attacker with administrative rights can take complete control of the affected system and then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft Office Excel 2000 Service Pack 3)
Microsoft Office XP Service Pack 3 (Microsoft Office Excel 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office Excel 2003 Service Pack 3)
2007 Microsoft Office System Service Pack 1 (Microsoft Office Excel 2007 Service Pack 1)
2007 Microsoft Office System Service Pack 2 (Microsoft Office Excel 2007 Service Pack 2)
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer 2003 Service Pack 3
Microsoft Office Excel Viewer
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-021.
Workarounds:
For CVE-2009-0549,CVE-2009-0557,CVE-2009-0558,CVE-2009-0559,CVE-2009-0560,CVE-2009-0561,CVE-2009-1134:
- Avoid opening Office files received from un-trusted sources.
For CVE-2009-0549,CVE-2009-0557,CVE-2009-0560,CVE-2009-0561,CVE-2009-1134:
- Use the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or un-trusted sources because it protects Office 2003 installations by more securely opening Word, Excel, and PowerPoint binary format files. Information on MOICE can be found at KB935865.
Impact of the workaround:
Office 2003 and earlier formatted documents that are converted to the 2007 Microsoft Office System Open XML format by MOICE lose their macro functionality. Documents protected with passwords and Digital Rights Management cannot be converted.
For CVE-2009-0549,CVE-2009-0560,CVE-2009-0561,CVE-2009-1134:
- Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources.
Impact of the workaround:
If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
Microsoft Windows Print Spooler Could Allow Remote Code Execution (MS09-022)

Severity

Serious 3

Qualys ID

90508

Vendor Reference

MS09-022

CVE Reference

CVE-2009-0228, CVE-2009-0229, CVE-2009-0230

CVSS Scores

Base 10 / Temporal 7.8

Description

The Print Spooler service manages the printing process.
The following vulnerabilities exist in the Windows Print Spooler.
- The Windows Print Spooler is prone to a buffer overflow vulnerability that exists due to improper parsing of certain printing data structures. The attacker can exploit this flaw by sending a specially crafted RPC request to an affected system causing it to improperly parse the "ShareName" on a malicious print server during enumeration. This would allow the attacker to perform remote code execution on the affected system with system-level privileges. (CVE-2009-0228)
- An information disclosure vulnerability exists in the Windows Printing Service because the service does not properly check the files that can be included with separator pages. An attacker can exploit this flaw to read or print any file on the system via a specially crafted separator page. (CVE-2009-0229)
- A privilege elevation vulnerability exists in the Windows Print Spooler because it does not properly validate the paths from which a DLL may be loaded. An attacker can exploit this issue via a specially crafted RPC message sent to an affected system. The message would cause the print spooler to load a malicious DLL that was created by the attacker and execute code with elevated privileges. (CVE-2009-0230)
Microsoft has released an update that addresses these vulnerabilities by changing the way the print spooler parses certain printing data structures, limiting the location where separator pages or embedded files can be read by the Windows Printing Service, and restricting the paths from which the print spooler can load a DLL.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The June 2009 Security Updates Are Now Available on the ECE (KB961501)

Consequence

Successful exploitation of this vulnerability allows arbitrary execution of code. Exploitation could allow a user to read or print any file on the system.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Refer to Microsoft Security Bulletin MS09-022 for further details.
Workarounds:
For CVE-2009-0228:
- TCP ports 139 and 445 should be blocked at the firewall to protect systems behind the firewall from attempts to exploit this vulnerability.
Impact of the workaround: Blocking the ports can cause several Windows services or applications using those ports to stop functioning.
- On Microsoft Windows 2000 Server Service Pack 4, remove the Print Spooler service from the NullSessionPipes registry key to prevent attempts to exploit this vulnerability by anonymous attackers.
Note: This workaround will not prevent attacks from authenticated users.
Impact of the workaround: Anonymous connections to the Print Spooler service will not be allowed.
For CVE-2009-0228 and CVE-2009-0229:
- Disable the Print Spooler service. Steps to disable the service are listed as follows:
1) Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
2) Double-click Administrative Tools.
3) Double-click Services.
4) Double-click Print Spooler.
5) In the Startup type list, click Disabled.
6) Click Stop, and then click OK.
Impact of the workaround. Printing locally or remotely will not be allowed.
Additional details on applying the workarounds are available at Microsoft Security Bulletin MS09-022.
Windows Search Information Disclosure Vulnerability (MS09-023)

Severity

Serious 3

Qualys ID

90507

Vendor Reference

MS09-023

CVE Reference

CVE-2009-0239

CVSS Scores

Base 4.3 / Temporal 3.2

Description

Windows Search allows instant search capabilities for most common file and data types such as e-mail, contacts, calendar appointments, documents, photos, multimedia, and other formats extended by third parties.
An information disclosure vulnerability exists in Windows Search due to the way file previews are generated. Windows Search does not properly restrict the environment within which scripts execute allowing an attacker to run a malicious client-side script that is placed on the system. (CVE-2009-0239)
If a user performs a search that returns the malicious file as the first result, arbitrary HTML script execution could occur. If the specially crafted file is not the first result, the user would need to select and preview the file in order for the exploit to occur.
Microsoft has released an update that addresses this vulnerability by modifying how Windows Search restricts the environment within which scripts execute.

Consequence

An attacker who successfully exploits this vulnerability could run a malicious HTML script that could disclose information, forward user data to a third party, or access any data on the affected systems that was accessible to the logged-on user.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows XP Service Pack 2 and Windows XP Service Pack 3 (Windows Search 4.0)
Windows XP Professional x64 Edition Service Pack 2 (Windows Search 4.0)
Windows Server 2003 Service Pack 2 (Windows Search 4.0)
Windows Server 2003 x64 Edition Service Pack 2 (Windows Search 4.0)
Refer to Microsoft Security Bulletin MS09-023 for further details.
Microsoft Works Converters Remote Code Execution Vulnerability (MS09-024)

Severity

Critical 4

Qualys ID

110098

Vendor Reference

MS09-024

CVE Reference

CVE-2009-1533

CVSS Scores

Base 9.3 / Temporal 7.3

Description

Microsoft Works is an office suite produced by Microsoft.
Microsoft Office Works for Windows document converters is prone to a remote code execution vulnerability because of the way the application handles specially crafted Works files. When a user opens a specially crafted Works file (.wps), it may corrupt system memory allowing an attacker could execute arbitrary code. (CVE-2009-1533)
Microsoft has released a security update that addresses the vulnerability by modifying the way that Microsoft Office opens Works files.

Consequence

A malicious attacker can execute arbitrary code on the vulnerable target machine.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft Office Word 2000 Service Pack 3)
Microsoft Office XP Service Pack 3 (Microsoft Office Word 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office Word 2003 Service Pack 3 with the Microsoft Works 6–9 File Converter)
2007 Microsoft Office System Service Pack 1 (Microsoft Office Word 2007 Service Pack 1)
Microsoft Works 8.5
Microsoft Works 9
Refer to Microsoft Security Bulletin MS09-024 for further details.
Workaround:
- For Word 2000 and Word 2002: Apply access control lists to disable the Works 4.x converter by restricting access. This will prevent the converters from being loaded by Works and Office.
Impact of the workaround: The user will not be able to open or save Works 4.x documents.
- For Word 2003 with the Microsoft Works 6-9 File Converter and Word 2007: Apply access control lists to disable the Works 6-9 converter by restricting access. This will prevent the converters from being loaded by Works and Office.
Impact of the workaround: The user will not be able to open or save Works 6-9 documents.
Additional details on applying the workarounds are available at Microsoft Security Bulletin MS09-024.
Microsoft Windows Kernel Elevation of Privilege Vulnerability (MS09-025)

Severity

Serious 3

Qualys ID

90509

Vendor Reference

MS09-025

CVE Reference

CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126

CVSS Scores

Base 7.2 / Temporal 5.6

Description

The Windows kernel is the core of the operating system that handles device management and memory management, allocates processor time to processes, and manages error handling.
The Windows kernel is prone to the following privilege escalation vulnerabilities:
- An error in the Windows kernel causes changes in certain kernel objects to not be properly validated. (CVE-2009-1123)
- An error in the Windows kernel causes certain pointers passed from user mode to not be properly validated. (CVE-2009-1124)
- An error exists because the Windows kernel does not properly validate an argument passed to a Windows kernel system call. (CVE-2009-1125)
- An error exists because the Windows kernel does not properly validate input passed from user mode to the kernel when editing a specific desktop parameter. (CVE-2009-1126)
Microsoft has released an update that addresses these vulnerabilities by correcting the methods used for validating a change in specific kernel objects, for validating the input passed from user mode to the kernel, and for validating the argument passed to the system call.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The June 2009 Security Updates Are Now Available on the ECE (KB968537)

Consequence

Successful exploitation of this vulnerability allows an attacker to run arbitrary code in kernel mode. An attacker can gain elevated privileges and could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista Service Pack 2
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems Service Pack 2
Refer to Microsoft Security Bulletin MS09-025 for further details.
Microsoft Windows RPC Elevation of Privilege Vulnerabilities (MS09-026)

Severity

Urgent 5

Qualys ID

90506

Vendor Reference

MS09-026

CVE Reference

CVE-2009-0568

CVSS Scores

Base 10 / Temporal 7.4

Description

The RPC Marshalling Engine provides a common RPC interface between RPC clients and servers.
An elevation of privilege vulnerability exists in the Windows Remote Procedure Call (RPC) facility where the RPC Marshalling Engine does not update its internal state appropriately. The failure to update internal state could lead to a pointer being read from an incorrect location. This issue can be exploited by an attacker via a specially crafted RPC message that is sent to an affected system over an affected TCP or UDP port. The message could then allow the client to write arbitrary data to memory in the RPC server address space. (CVE-2009-0568)
Microsoft has released an update that addresses this vulnerability by correcting the way that the RPC Marshalling Engine updates its internal state.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The June 2009 Security Updates Are Now Available on the ECE (KB970238)

Consequence

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code and take complete control of an affected system.
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Refer to Microsoft Security Bulletin MS09-026 for further details.
Microsoft Word Remote Code Execution Vulnerability (MS09-027)

Severity

Critical 4

Qualys ID

110099

Vendor Reference

MS09-027

CVE Reference

CVE-2009-0563, CVE-2009-0565

CVSS Scores

Base 9.3 / Temporal 7.7

Description

Microsoft Word is a proprietary word processing application written and distributed by Microsoft for Microsoft Windows and Mac OS X.
A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker can entice an unsuspecting user into opening a maliciously crafted Word file which may corrupt system memory in such a way that arbitrary code can be executed. (CVE-2009-0563, CVE-2009-0565)
Microsoft has released an update that addresses the vulnerabilities by modifying the way that Word opens and parses files.

Consequence

An attacker who successfully exploits these vulnerabilities can execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft Office Word 2000 Service Pack 3)
Microsoft Office XP Service Pack 3 (Microsoft Office Word 2002 Service Pack 3)
Microsoft Office 2003 Service Pack 3 (Microsoft Office Word 2003 Service Pack 3)
2007 Microsoft Office System Service Pack 1 (Microsoft Office Word 2007 Service Pack 1)
2007 Microsoft Office System Service Pack 2 (Microsoft Office Word 2007 Service Pack 2)
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac
Microsoft Office Word Viewer 2003 Service Pack 3
Microsoft Office Word Viewer
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
Refer to Microsoft Security Bulletin MS09-027 for further details.
Workaround:
- Microsoft Office File Block policy should be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources. The following registry scripts can be used to set the File Block policy.
For Office 2003:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
For 2007 Office system:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office.0\Excel\Security\FileOpenBlock]
"BinaryFiles"=dword:00000001
Impact of the workaround:
If File Block policy is configured without special "exempt directory" configuration (see KB922848), Office 2003 files or earlier versions will not open in Office 2003 or 2007 Microsoft Office System.
- Avoid opening or saving Word files received from untrusted sources.

These new vulnerability checks are included in Qualys vulnerability signature 1.23.0-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

Ensure access to TCP ports 135 and 139 are available.
Enable Windows Authentication (specify Authentication Records).
Enable the following Qualys IDs:
- 90505
- 100073
- 86837
- 110100
- 90508
- 90507
- 110098
- 90509
- 90506
- 110099
If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.

OVERVIEW

CAPABILITIES

PLATFORM APPS

ASSET MANAGEMENT

Vulnerability & Configuration Management

Risk REMEDIATION

Threat Detection and Response

Compliance

Cloud Security

Use Cases

Segments

RESOURCES

RESEARCH

Customers

Partners

Company

Overview

CAPABILITIES

Platform Apps

Use Cases

Segments

Resources

Research

Enterprise TruRisk Platform

Free Services

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Microsoft security alert.

June 9, 2009

Advisory overview

Vulnerability details

Microsoft Active Directory Remote Code Execution Vulnerability (MS09-018)

Microsoft Internet Explorer Cumulative Security Update (MS09-019)

Internet Information Services (IIS) Could Allow Elevation of Privilege (MS09-020)

Microsoft Excel Remote Code Execution Vulnerability (MS09-021)

Microsoft Windows Print Spooler Could Allow Remote Code Execution (MS09-022)

Windows Search Information Disclosure Vulnerability (MS09-023)

Microsoft Works Converters Remote Code Execution Vulnerability (MS09-024)

Microsoft Windows Kernel Elevation of Privilege Vulnerability (MS09-025)

Microsoft Windows RPC Elevation of Privilege Vulnerabilities (MS09-026)

Microsoft Word Remote Code Execution Vulnerability (MS09-027)

Selective Scan Instructions Using Qualys

Access for Qualys Customers

Technical Support

About Qualys