Microsoft Security Bulletin: March 10 2009 Security Bulletin

Platform
OVERVIEW

Enterprise TruRisk Platform

Everything you need to measure, manage, and reduce your cyber risk in one place

CAPABILITIES

All

Asset Management

Vulnerability & Configuration Management

Risk Remediation

Threat Detection & Response

Compliance

Cloud Security

PLATFORM APPS

ASSET MANAGEMENT

CyberSecurity Asset Management (CSAM)
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software

External Attack Surface Management (EASM) - New
Gain an attacker’s view of your external internet-facing assets and unauthorized software

Vulnerability & Configuration Management

Vulnerability Management, Detection & Response (VMDR) - Most Popular
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster

Enterprise TruRisk Management (ETM) - New
Consolidate & translate security & vulnerability findings from 3rd party tools

Web App Scanning (WAS)
Automate scanning in CI/CD environments with shift left DAST testing

Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment

Risk REMEDIATION

Patch Management (PM)
Efficiently remediate vulnerabilities and patch systems

Custom Assessment and Remediation (CAR)
Quickly create custom scripts and controls for faster, more automated remediation

Threat Detection and Response

Multi-Vector EDR
Advanced endpoint threat protection, improved threat context, and alert prioritization

Context XDR
Extend detection and response beyond the endpoint to the enterprise

Compliance

Policy Compliance
Reduce risk, and comply with internal policies and external regulations with ease

File Integrity Monitoring (FIM)
Reduce alert noise and safeguard files from nefarious actors and cyber threats

Cloud Security

TotalCloud (CNAPP)
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.

Cloud Security Posture Management (CSPM)
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.

Infrastructure as Code Security (IaC)
Detect and remediate security issues within IaC templates

SaaS Security Posture Management (SSPM) - New
Manage your security posture and risk across your entire SaaS application stack

Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment

Cloud Detection and Response (CDR)
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.

Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime
Solutions
Use Cases

Endpoint Security

Compliance

PCI Compliance

DORA Compliance

Cloud Security

Application Security

DevOps

Threat Protection

NIS2

Zero-Trust Security

Segments

Small Business

Mid-Sized Business

Enterprise

Federal
Resources
RESOURCES

Resources Library

Product Tours

Blog

Webinars

Qualys Stream

Fundamentals

RESEARCH

Threat Research Unit

Security Alerts

Security Advisories
Support
SUPPORT
More
Customers

Overview

Best Practices

Success Stories

Testimonials
Partners

Overview

Partner Program

VAD Partners

VAR Resellers

MSP/MSSP Partners

Integration Partners

Partner FAQs

Find a Partner
Company

About Us

Our Team

Investor Relations

News

Awards

Events

Careers

Community
- Overview
- Discuss
- Blog
- Training
- Docs
- Resources
Login
What’s my platform?
Contact us
Contact us below to request a quote, or for any product-related questions
Create Account. It’s Free!
Try PM for free
Try VMDR for free
Try VMDR TruRisk for free
Try CS for free
Sign up for TotalCloud
Sign up for CDR
Try CSAM for free
Try PCI for free
Try DORA for free
Try Policy Compliance for free
Try VMDR for Mobile Devices
Try SaaSDR for free
Try Multi-Vector EDR for Free
Try CAR for Free
Request a Demo
Try it
Enterprise TruRisk Platform
- Cloud Platform - Free Trial
Free Services

Try it

Overview
Platform Apps
Vulnerability Management, Detection & Response (VMDR) - Most Popular
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Enterprise TruRisk Management (ETM) - New
Consolidate & translate security & vulnerability findings from 3rd party tools
Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime
Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Web App Scanning (WAS)
Automate scanning in CI/CD environments with shift left DAST testing

Overview
Platform Apps
TotalCloud (CNAPP)
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Cloud Security Posture Management (CSPM)
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Infrastructure as Code Security (IaC)
Detect and remediate security issues within IaC templates
SaaS Security Posture Management (SSPM) - New
Manage your security posture and risk across your entire SaaS application stack
Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Cloud Detection and Response (CDR)
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 8 vulnerabilities that were fixed in 3 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 3 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

Windows Kernel Vulnerability Could Allow Remote Code Execution (MS09-006)

Severity

Urgent 5

Qualys ID

90484

Vendor Reference

MS09-006

CVE Reference

CVE-2009-0081, CVE-2009-0082, CVE-2009-0083

CVSS Scores

Base 9.3 / Temporal 7.3

Description

The Windows kernel is the core of the operating system that handles device management and memory management, allocates processor time to processes, and manages error handling.
The following security vulnerabilities exist in the Windows kernel:
- The Windows kernel is prone to a remote code execution vulnerability that is caused due to improper input validation of data passed from user mode through the kernel component of GDI. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted EMF or WMF image file. (CVE-2009-0081)
- The Windows kernel is prone to a privilege elevation vulnerability that is caused because it does not correctly validate handles when performing certain actions. An attacker can exploit this issue to run arbitrary code in kernel mode. For successful exploitation, an attacker would first have to log on to the system. This issue cannot be exploited remotely or by anonymous users. (CVE-2009-0082)
- The Windows kernel is prone to a privilege elevation vulnerability that is caused due to improper handling of a specially crafted invalid pointer. An attacker can exploit this issue to run arbitrary code in kernel mode. For successful exploitation, an attacker would first have to log on to the system. This issue cannot be exploited remotely or by anonymous users.(CVE-2009-0083)
Microsoft has rated these issues as Critical. A security update has been released by Microsoft to addresses the above vulnerabilities by validating input passed from user mode through the kernel component of GDI, correcting the way that the kernel validates handles, and changing the way that the Windows kernel handles specially crafted invalid pointers. .
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The March 2009 Security Updates For Runtimes Are Now Available (KB958690)
April 2009 Security Updates Are Now Available On the ECE (KB958690)

Consequence

CVE-2009-0081: Successful exploitation could allow remote code execution if a user views a specially crafted EMF or WMF image file from an affected system.
CVE-2009-0082, CVE-2009-0083: Successful exploitation allows arbitrary code execution in kernel mode. An attacker can gain elevated privileges and could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Workaround:
CVE-2009-0081: Systems that have the update for Microsoft Security Bulletin MS07-017 applied, or systems running Windows Vista or Windows Server 2008 can disable metafile processing by modifying the registry.
Impact of the workaround: Disabling metafile processing can cause the appearance of the output from software or system components to decrease in quality or cause software or system components to fail completely.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=98bb7d40-89a0-470a-8eb7-06f15072a635
Windows XP Service Pack 2 and Windows XP Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?familyid=e09641ba-6cbe-4095-82b5-703d3a7dc33b
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=d0d704c6-48c2-4907-b6c3-2455d7cf21c8
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=f5cfb8da-e7cc-4183-8631-507c2a406500
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=ecf75c70-8489-41ad-9759-3a07e13957be
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=04be3d7e-7dda-4dca-887a-e7a8156ede1c
Windows Vista and Windows Vista Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=4b1aaaba-f355-4265-83c0-50b901856ced
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=0fcac480-d6db-4a94-8c7d-b7319282cf56
Windows Server 2008 for 32-bit Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=38851df2-4fb5-4d28-9d15-181c260cf8cf
Windows Server 2008 for x64-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=ec15acc4-3e0f-4414-9383-61c122ff1382
Windows Server 2008 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=eead6f93-10fd-4492-8137-481d9876a5fe
Refer to Microsoft Security Bulletin MS09-006 for further details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-006 Microsoft Windows 2000 Service Pack 4
MS09-006 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
MS09-006 Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
MS09-006 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
MS09-006 Windows Server 2008 for 32-bit Systems
MS09-006 Windows Server 2008 for Itanium-based Systems
MS09-006 Windows Server 2008 for x64-based Systems
MS09-006 Windows Vista and Windows Vista Service Pack 1
MS09-006 Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
MS09-006 Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
MS09-006 Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows Schannel Security Package Could Allow Spoofing Vulnerability (MS09-007)

Severity

Critical 4

Qualys ID

116281

Vendor Reference

MS09-007

CVE Reference

CVE-2009-0085

CVSS Scores

Base 7.1 / Temporal 5.3

Description

The Secure Channel (SChannel) security package is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols.
A spoofing vulnerability exists in the Microsoft Windows SChannel authentication component when using certificate based authentication because it fails to perform sufficient validation of certain Transport Layer Security (TLS) handshake messages to verify that the client has access to the private key linked to the certificate used for authentication. This issue can be exploited by an attacker with access to the public component of the certificate used for authentication by an end user to bypass the SChannel validation via a crafted TLS packet. (CVE-2009-0085)
This vulnerability affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
Microsoft has rated this issue as Important.
Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):
The March 2009 Security Updates For Runtimes Are Now Available (KB960225)
April 2009 Security Updates Are Now Available On the ECE (KB960225)

Consequence

Successful exploitation of this vulnerability allows a malicious user to conduct spoofing attacks by authenticating against a protected server using the public component of the authentication credential of another user.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4:
http://www.microsoft.com/downloads/details.aspx?familyid=bf7065bc-c183-4a78-8d46-72fe7385c07c
Windows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=942d87f6-3cb1-4d36-a70a-70d9c34488f3
Windows XP Service Pack 3:
http://www.microsoft.com/downloads/details.aspx?familyid=942d87f6-3cb1-4d36-a70a-70d9c34488f3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=6d02306e-9e2e-4ae8-bd21-8a2c1a229472
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=0b3f6fdd-276e-4267-99d8-8f00d91ad6a2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?familyid=ce98ff55-f565-469d-bbd2-32b681faf908
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=5ca3c72c-cadb-4b0a-b3a3-fb81d0bfd7b3
Windows Vista and Windows Vista Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=21086a04-402a-4940-8358-7fa63508102b
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=c75a2ea9-b42f-457b-be09-5c8fa0339388
Windows Server 2008 for 32-bit Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=47b361ce-624b-466c-b5c5-8703f6532615
Windows Server 2008 for x64-based Systems:
http://www.microsoft.com/downloads/details.aspx?familyid=5c81ac45-60e6-4121-ab6b-d3b3179aacc4
For a complete list of patch download links, please refer to Microsoft Security Bulletin MS09-007 for further details.Workaround:
- Implement Active Directory certificate mapping which enables a user with a trusted public key to access domain resources without typing a user name and a password. A client certificate can be directly mapped to an Active Directory user account.
Impact of the workaround: Implementing the workaround will not fix the vulnerability, but will help in blocking attack vectors until the update is applied.
Vulnerabilities in DNS and WINS Server Could Allow Spoofing (MS09-008)

Severity

Critical 4

Qualys ID

90481

Vendor Reference

MS09-008

CVE Reference

CVE-2009-0093, CVE-2009-0094, CVE-2009-0233, CVE-2009-0234

CVSS Scores

Base 6.4 / Temporal 4.7

Description

Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource participating in the Internet. Windows Internet Name Service (WINS) is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names.
The following security vulnerabilities have been identified in Windows DNS and WINS servers:
- An error in the Windows DNS server causes it to not properly reuse cached responses. An attacker can exploit this issue by sending specific queries to a vulnerable DNS server and at the same time responding back in a manner that allows insertion of false or misleading DNS data resulting in redirection of network traffic. (CVE-2009-0233)
- An error in the Windows DNS server causes it to incorrectly cache specifically crafted DNS responses. An attacker can exploit this vulnerability by sending multiple specifically crafted queries to the DNS server so that the server makes unnecessary lookups allowing a greater predictability of subsequent transaction IDs used by the server. (CVE-2009-0234)
- The Windows DNS server does not properly validate who can register WPAD entries on the DNS server when dynamic update is used and ISATAP and WPAD are not registered in DNS. This issue can be exploited to launch man-in-the-middle attacks against any browsers configured to use WPAD to discover proxy server settings if an attacker registers "WPAD" in the DNS database and points it to an IP address controlled by the attacker. (CVE-2009-0093)
- The Windows WINS server does not properly validate who can register WPAD or ISATAP entries on the WINS server. This issue can be exploited to launch man-in-the-middle attacks against any browsers configured to use WPAD to discover proxy server settings if an attacker registers WPAD or ISATP in the WINS database and points it to an IP address controlled by the attacker. (CVE-2009-0094)
Microsoft has rated these issues as Important.

Consequence

CVE-2009-0233, CVE-2009-0234: Successfully exploitation of this vulnerability allows an attacker to conduct spoofing attacks, insert arbitrary addresses into the DNS cache causing DNS cache poisoning and redirection of Internet traffic.
CVE-2009-0093, CVE-2009-0094: Successful exploitation of this vulnerability allows a remote authenticated attacker to spoof a Web proxy and redirect Internet traffic to an IP controlled by the attacker.

Solution

Refer to MS09-008 for more information. Workaround:

CVE-2009-0093, CVE-2009-0094: Create a WPAD.DAT proxy auto configuration file:
1) Create a WPAD.DAT file that adheres to the Proxy auto-config specification.
2) Place the WPAD.DAT file in the root directory of a Web server in the organization and ensure the file can be requested anonymously.
3) Create a MIME type for the WPAD.DAT file on the Web server of "application/x-ns-proxy-autoconfig".
4) Create the appropriate entries in the DHCP or DNS server to allow discovery of the WPAD server.
For detailed steps, please refer to the advisory.

Patches:
The following are links for downloading patches to fix these vulnerabilities:
MS09-008 DNS server on Microsoft Windows 2000 Server Service Pack 4
MS09-008 DNS server on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
MS09-008 DNS server on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
MS09-008 DNS server on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
MS09-008 DNS server on Windows Server 2008 for 32-bit Systems
MS09-008 DNS server on Windows Server 2008 for x64-based Systems
MS09-008 WINS server on Microsoft Windows 2000 Server Service Pack 4
MS09-008 WINS server on Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
MS09-008 WINS server on Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
MS09-008 WINS server on Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

These new vulnerability checks are included in Qualys vulnerability signature 1.22.153-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

Ensure access to TCP ports 135 and 139 are available.
Enable Windows Authentication (specify Authentication Records).
Enable the following Qualys IDs:
- 90484
- 116281
- 90481
If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.

OVERVIEW

CAPABILITIES

PLATFORM APPS

ASSET MANAGEMENT

Vulnerability & Configuration Management

Risk REMEDIATION

Threat Detection and Response

Compliance

Cloud Security

Use Cases

Segments

RESOURCES

RESEARCH

Customers

Partners

Company

Overview

CAPABILITIES

Platform Apps

Use Cases

Segments

Resources

Research

Enterprise TruRisk Platform

Free Services

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Microsoft security alert.

March 10, 2009

Advisory overview

Vulnerability details

Windows Kernel Vulnerability Could Allow Remote Code Execution (MS09-006)

Windows Schannel Security Package Could Allow Spoofing Vulnerability (MS09-007)

Vulnerabilities in DNS and WINS Server Could Allow Spoofing (MS09-008)

Selective Scan Instructions Using Qualys

Access for Qualys Customers

Technical Support

About Qualys