Microsoft Security Bulletin: June 2006 Security Bulletin

Platform
OVERVIEW

Enterprise TruRisk Platform

Everything you need to measure, manage, and reduce your cyber risk in one place

CAPABILITIES

All

Asset Management

Vulnerability & Configuration Management

Risk Remediation

Threat Detection & Response

Compliance

Cloud Security

PLATFORM APPS

ASSET MANAGEMENT

CyberSecurity Asset Management (CSAM)
See entire attack surface, continuously maintain your CMDB, and track EOL/EOS software

External Attack Surface Management (EASM) - New
Gain an attacker’s view of your external internet-facing assets and unauthorized software

Vulnerability & Configuration Management

Vulnerability Management, Detection & Response (VMDR) - Most Popular
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster

Enterprise TruRisk Management (ETM) - New
Consolidate & translate security & vulnerability findings from 3rd party tools

Web App Scanning (WAS)
Automate scanning in CI/CD environments with shift left DAST testing

Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment

Risk REMEDIATION

Patch Management (PM)
Efficiently remediate vulnerabilities and patch systems

Custom Assessment and Remediation (CAR)
Quickly create custom scripts and controls for faster, more automated remediation

Threat Detection and Response

Multi-Vector EDR
Advanced endpoint threat protection, improved threat context, and alert prioritization

Context XDR
Extend detection and response beyond the endpoint to the enterprise

Compliance

Policy Compliance
Reduce risk, and comply with internal policies and external regulations with ease

File Integrity Monitoring (FIM)
Reduce alert noise and safeguard files from nefarious actors and cyber threats

Cloud Security

TotalCloud (CNAPP)
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.

Cloud Security Posture Management (CSPM)
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.

Infrastructure as Code Security (IaC)
Detect and remediate security issues within IaC templates

SaaS Security Posture Management (SSPM) - New
Manage your security posture and risk across your entire SaaS application stack

Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment

Cloud Detection and Response (CDR)
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.

Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime
Solutions
Use Cases

Endpoint Security

Compliance

PCI Compliance

DORA Compliance

Cloud Security

Application Security

DevOps

Threat Protection

NIS2

Zero-Trust Security

Segments

Small Business

Mid-Sized Business

Enterprise

Federal
Resources
RESOURCES

Resources Library

Product Tours

Blog

Webinars

Qualys Stream

Fundamentals

RESEARCH

Threat Research Unit

Security Alerts

Security Advisories
Support
SUPPORT
More
Customers

Overview

Best Practices

Success Stories

Testimonials
Partners

Overview

Partner Program

VAD Partners

VAR Resellers

MSP/MSSP Partners

Integration Partners

Partner FAQs

Find a Partner
Company

About Us

Our Team

Investor Relations

News

Awards

Events

Careers

Community
- Overview
- Discuss
- Blog
- Training
- Docs
- Resources
Login
What’s my platform?
Contact us
Contact us below to request a quote, or for any product-related questions
Create Account. It’s Free!
Try PM for free
Try VMDR for free
Try VMDR TruRisk for free
Try CS for free
Sign up for TotalCloud
Sign up for CDR
Try CSAM for free
Try PCI for free
Try DORA for free
Try Policy Compliance for free
Try VMDR for Mobile Devices
Try SaaSDR for free
Try Multi-Vector EDR for Free
Try CAR for Free
Request a Demo
Try it
Enterprise TruRisk Platform
- Cloud Platform - Free Trial
Free Services

Try it

Overview
Platform Apps
Vulnerability Management, Detection & Response (VMDR) - Most Popular
Discover, assess, prioritize, and patch critical vulnerabilities up to 50% faster
Enterprise TruRisk Management (ETM) - New
Consolidate & translate security & vulnerability findings from 3rd party tools
Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime
Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Web App Scanning (WAS)
Automate scanning in CI/CD environments with shift left DAST testing

Overview
Platform Apps
TotalCloud (CNAPP)
Cloud-Native Application Protection Platform (CNAPP) for multi-cloud environment.
Cloud Security Posture Management (CSPM)
Continuously discover, monitor, and analyze your cloud assets for misconfigurations and non-standard deployments.
Infrastructure as Code Security (IaC)
Detect and remediate security issues within IaC templates
SaaS Security Posture Management (SSPM) - New
Manage your security posture and risk across your entire SaaS application stack
Cloud Workload Protection (CWP)
Detect, prioritize, and remediate vulnerabilities in your cloud environment
Cloud Detection and Response (CDR)
Continuous real-time protection of the multi-cloud environment against active exploitation, malware, and unknown threats.
Container Security (CS)
Discover, track, and continuously secure containers – from build to runtime

Advisory overview

Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 20 vulnerabilities that were fixed in 11 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.

Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.

Vulnerability details

Microsoft has released 11 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:

Cumulative Security Update for Internet Explorer Missing (MS06-021)

Severity

Urgent 5

Qualys ID

100035

Vendor Reference

MS06-021

CVE Reference

CVE-2005-4089, CVE-2006-1303, CVE-2006-1626, CVE-2006-2218, CVE-2006-2382, CVE-2006-2383, CVE-2006-2384, CVE-2006-2385

CVSS Scores

Base 10 / Temporal 8.3

Description

Several vulnerabilities have been discovered in Microsoft Internet Explorer. The most severe of these vulnerabilities is caused due to an error in the processing of certain sequences of nested "object" HTML tags. The specific issues addressed by this update are: -- Exception Handling Memory Corruption Vulnerability
-- HTML Decoding Memory Corruption Vulnerability
-- ActiveX Control Memory Corruption Vulnerability
-- COM Object Instantiation Memory Corruption Vulnerability
-- CSS Cross-Domain Information Disclosure Vulnerability
Microsoft rates this vulnerability as critical. -- Address Bar Spoofing Vulnerability
-- MHT Memory Corruption Vulnerability
-- Address Bar Spoofing Vulnerability

Consequence

Successful exploitation of the most severe of these vulnerabilities can result in the attacker taking complete control of the target system. The others can be used to conduct phishing attacks.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=91A997DE-BAE4-4AC7-912D-79EF8ABAEF4F
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=0EB17A41-FB43-413B-A5CC-41E1F3DEDE4F
Internet Explorer 6 for Microsoft Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=85CABE87-C4A0-4F80-BD1C-210E23FD8D81
Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=CCE7C875-C9A4-4C3D-A37B-946EE5E781E7
Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium based Systems and Microsoft Windows Server 2003 with SP1 for Itanium based Systems :
http://www.microsoft.com/downloads/details.aspx?FamilyId=C8E4CFB6-1350-4AAE-B681-EE2ECAB41118
Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=1C7D5C6D-DDCF-485D-A1E3-60E55334FD74
Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=F91791AC-8185-4346-AA66-89F74D4B5EA7
Refer to Micrsoft Security Bulletin MS06-021 for further details.
Microsoft ART Image Rendering Remote Code Execution Vulnerability (MS06-022)

Severity

Serious 3

Qualys ID

90317

Vendor Reference

MS06-022

CVE Reference

CVE-2006-2378

CVSS Scores

Base 6.8 / Temporal 5.3

Description

There is a remote code execution vulnerability in the way that Windows handles ART images. An attacker could exploit this vulnerability by constructing a specially crafted ART image which could potentially allow remote code execution if a user visits a Web site or views a specially crafted email message.

Consequence

An attacker who successfully exploits this vulnerability could execute arbitrary code and take complete control of an affected system.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Windows 2000 with the (Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=AE6D8DA7-B170-416D-8812-265FFA757301
Windows 2000 with the (Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=F6328F82-457E-44CB-95FB-2DB0E8C9EE3C
Microsoft Windows XP Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=F6328F82-457E-44CB-95FB-2DB0E8C9EE3C
Microsoft Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=71022EA1-94CB-4FE9-B89E-46876D068B9A
Microsoft Windows XP Professional x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=A386523E-96AB-43ED-B189-E13AF497B685
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=56DF0CF2-9214-4B23-9034-C59E8B7126D6
Microsoft Windows Server 2003 for Itanium based Systems and Microsoft Windows Server 2003 with SP1 for Itanium based Systems :
http://www.microsoft.com/downloads/details.aspx?FamilyId=5E1B95C3-7E75-4468-829C-1DC7B4ECE5D0
Microsoft Windows Server 2003 x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=4DC13B7C-01AB-4BB6-9766-0FE0D02E410D
Refer to Microsoft Security Bulletin MS06-022 for further details.
Microsoft JScript Remote Code Execution Vulnerability (MS06-023)

Severity

Serious 3

Qualys ID

90320

Vendor Reference

MS06-023

CVE Reference

CVE-2006-1313

CVSS Scores

Base 6.8 / Temporal 5.3

Description

There is a remote code execution vulnerability in JScript. An attacker could exploit this vulnerability by constructing a specially crafted JScript that could potentially allow remote code execution if a user visits a Web site or views a specially crafted email message.

Consequence

An attacker who successfully exploits this vulnerability could execute arbitraty code remotely and take complete control of an affected system.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft JScript 5.1 on Microsoft Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=23E79ABD-B1FE-4734-B3D3-FB53D286C06F
Microsoft JScript 5.6 and 5.5 when installed on Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=16DD21A1-C4EE-4ECA-8B80-7BD1DFEFB4F8
Microsoft JScript 5.6 on Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=D28C02BE-CAC3-4579-9B93-939FD5D3CDE6
Microsoft JScript 5.6 on Microsoft Windows XP Professional x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=2EE3DD28-7167-4A2C-941D-A236F8CC5C4B
Microsoft JScript 5.6 on Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=8963AE25-2230-47FE-AECE-49D7457D96D4
Microsoft JScript 5.6 on Microsoft Windows Server 2003 for Itanium based Systems and Microsoft Windows Server 2003 with SP1 for Itanium based Systems :
http://www.microsoft.com/downloads/details.aspx?FamilyId=7764C7DC-A7E4-4B91-95C2-EF7D4DCE0A00
Microsoft JScript 5.6 on Microsoft Windows Server 2003 x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=BCF7AB2E-EE1C-45F9-8B1C-4B1CEF683082
Refer to Microsoft Security Bulletin MS06-023 for further details.
Microsoft Windows Media Player PNG Vulnerability (MS06-024)

Severity

Critical 4

Qualys ID

90314

Vendor Reference

MS06-024

CVE Reference

CVE-2006-0025

CVSS Scores

Base 9.3 / Temporal 7.3

Description

A remote code execution vulnerability exists in Windows Media Player due to the way it handles the processing of PNG images.
An attacker could exploit the vulnerability by constructing crafted Windows Media Player content that could allow remote code execution if a user visits a malicious Web site or opens an email message with malicious content.

Consequence

If successfully exploited, an could take complete control of an affected system.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=0f641572-74fd-4281-953f-6f2f12e001e0
Windows Media Player for XP on Microsoft Windows XP Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=11372cc0-3da9-49ad-bb08-1493ce3cd0bd
Windows Media Player 9 on Microsoft Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=c00be4c3-34ba-4858-90d7-520b7d240e33
Windows Media Player 10 on Microsoft Windows XP Professional x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=f59065ec-0279-48ec-ab27-8abca715ac01
Windows Media Player 9 on Microsoft Windows Server 2003 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=c00be4c3-34ba-4858-90d7-520b7d240e33
Windows Media Player 10 on Microsoft Windows Server 2003 Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=4f933b0c-7d2d-4049-92da-bbbe97371594
Windows Media Player 10 on Microsoft Windows Server 2003 x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=facc7dfe-9b3b-48dd-a068-5bb9c6b60f87
Microsoft Windows Media Player 7.1 when installed on Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=5abb6258-9468-4188-a178-aa46f100ab61
Microsoft Windows Media Player 9 when installed on Windows 2000 Service Pack 4 or Windows XP Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=c00be4c3-34ba-4858-90d7-520b7d240e33
Refer to Micrsoft Security Bulletin MS06-024 for further details.
Windows Routing and Remote Access Could Allow Remote Code Execution (MS06-025)

Severity

Critical 4

Qualys ID

90319

Vendor Reference

MS06-025

CVE Reference

CVE-2006-2370, CVE-2006-2371

CVSS Scores

Base 7.5 / Temporal 6.2

Description

Microsoft Windows Routing and Remote Access Service (RRAS) makes it possible for a computer to function as a network router.
The Remote Access Service (RAS) lets users connect to a remote computer so they can work as if their system were physically connected to the remote network. The Remote Access Service is a native service in Windows 2000, Windows XP and Windows Server 2003.
There is an unchecked buffer in the Routing and Remote Access Service.

Consequence

If successfully exploited, an attacker could remotely take complete control of an affected system.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=c1af96b2-2807-444b-82df-b6b61ec63715
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=74838e2b-bd5f-4584-81f1-3250e6b69728
Microsoft Windows XP Professional x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=09d1a284-6a16-44a5-a95e-8eb566401ce9
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=b4264cb9-8979-40e8-b903-bc8deda00fec
Microsoft Windows Server 2003 for Itanium based Systems and Microsoft Windows Server 2003 with SP1 for Itanium based Systems :
http://www.microsoft.com/downloads/details.aspx?FamilyId=890535c9-98cf-49a9-ae50-178e3c5fac6b
Microsoft Windows Server 2003 x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=bf9cef95-89fd-4ec3-be0a-93902f2bb768
Refer to Micrsoft Security Bulletin MS06-025 for further details.
Vulnerability in Microsoft Word Could Allow Remote Code Execution (MS06-027)

Severity

Urgent 5

Qualys ID

90312

Vendor Reference

MS06-027

CVE Reference

CVE-2006-2492

CVSS Scores

Base 7.6 / Temporal 6.6

Description

A vulnerability is known to exist in Microsoft Word that is actively being exploited. Exploitation relies on a user opening an email attachment from an attacker. The issue arises from the use of a malformed object pointer. Microsoft rates this vulnerability as critical.

Consequence

A successful exploit allows the attacker to create, read, write, delete and search for files and directories; access and modify the Registry; manipulate services; start and kill processes; take screenshots; enumerate open windows; create its own application window; and lock, restart or shut down Windows.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft Word 2000 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=507D97B5-8B20-41B2-AE8B-27F2BF5198CD
Microsoft Office XP Service Pack 3 (Microsoft Word 2002 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=4CDE644B-BE05-4680-B0EF-DF563095563C
Microsoft Office 2003 Service Pack 1 or Service Pack 2 (Microsoft Word 2003 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=ADEA09B4-481A-4908-8B77-0630AC679CAC
Microsoft Office 2003 Service Pack 1 or Service Pack 2 (Microsoft Word Viewer 2003 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=6089B843-61FF-469F-A38B-BD4FFEFF0552
Microsoft Works Suites (Microsoft Works Suite 2000 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=507D97B5-8B20-41B2-AE8B-27F2BF5198CD
Microsoft Works Suites (Microsoft Works Suite 2001 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=507D97B5-8B20-41B2-AE8B-27F2BF5198CD
Microsoft Works Suites (Microsoft Works Suite 2002 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=4CDE644B-BE05-4680-B0EF-DF563095563C
Microsoft Works Suites (Microsoft Works Suite 2003 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=4CDE644B-BE05-4680-B0EF-DF563095563C
Microsoft Works Suites (Microsoft Works Suite 2004 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=4CDE644B-BE05-4680-B0EF-DF563095563C
Microsoft Works Suites (Microsoft Works Suite 2005 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=4CDE644B-BE05-4680-B0EF-DF563095563C
Microsoft Works Suites (Microsoft Works Suite 2006 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=4CDE644B-BE05-4680-B0EF-DF563095563C
Refer to Micrsoft Security Bulletin MS06-027 for further details.
Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (MS06-028)

Severity

Serious 3

Qualys ID

90315

Vendor Reference

MS06-028

CVE Reference

CVE-2006-0022

CVSS Scores

Base 7.6 / Temporal 6.3

Description

There is a remote code execution vulnerability in PowerPoint that uses a malformed record. An attacker could exploit the vulnerability by constructing a specially crafted PowerPoint file that could allow remote code execution.

Consequence

If a user is logged on with administrative user rights, an attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Office 2000 Service Pack 3 (Microsoft PowerPoint 2000 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=F635F2CB-CFEE-4129-BB77-4779A3B05674
Microsoft Office XP Service Pack 3 (Microsoft PowerPoint 2002 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=60A1EB9F-F04B-4D21-A95E-CCC90D9782AB
Microsoft Office 2003 Service Pack 1 or Service Pack 2 (Microsoft PowerPoint 2003 ):
http://www.microsoft.com/downloads/details.aspx?FamilyId=FCED8804-45B4-4FD2-8FDB-4960C5BB8954
Microsoft Office 2004 for Mac (Microsoft PowerPoint 2004 for Mac ):
http://www.microsoft.com/mac/
Microsoft Office v. X for Mac (Microsoft PowerPoint v. X for Mac ):
http://www.microsoft.com/mac/
Refer to Micrsoft Security Bulletin MS06-028 for further details.
Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (MS06-029)

Severity

Critical 4

Qualys ID

90318

Vendor Reference

MS06-029

CVE Reference

CVE-2006-1193

CVSS Scores

Base 2.6 / Temporal 2

Description

Microsoft Exchange Server running Outlook Web Access is exposed to a remote script execution issue. An attacker can trick a user to execute a malicious script contained with an email message.
These versions are affected: Microsoft Exchange Server 2000 with Service Pack 3 with the August 2004 Exchange 2000 Server Post-Service Pack 3 Update Rollup, Microsoft Exchange Server 2003 with Service Pack 1 and Microsoft Exchange Server 2003 with Service Pack 2.

Consequence

Remote code execution is possible.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Exchange 2000 Server Pack 3 with the August 2004 Exchange 2000 Server Post Service Pack 3 Update Rollup :
http://www.microsoft.com/downloads/details.aspx?FamilyId=746CE64E-3186-422B-A13B-004E7942189B
Microsoft Exchange Server 2003 Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=0E192781-847F-41C1-B32A-84218DB60942
Microsoft Exchange Server 2003 Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=C777BC9F-52B7-4F17-96C7-DAF3B9987D70
Refer to Microsoft Security Bulletin MS06-029 for further details.
Microsoft Windows SMB Could Allow Elevation of Privileges (MS06-030)

Severity

Serious 3

Qualys ID

90323

Vendor Reference

MS06-030

CVE Reference

CVE-2006-2373, CVE-2006-2374

CVSS Scores

Base 10 / Temporal 7.8

Description

Microsoft Windows Server Message Block (SMB), and its follow-on Common Internet File System (CIFS), is the Internet Standard protocol that Windows uses to share files, printers, serial ports, and also to communicate between computers.
The target host is missing an update described in Microsoft Security Bulletin MS06-030. This update fixes an unspecified process when receiving SMB requests.

Consequence

If this vulnerability is successfully exploited, an attacker could remotely take complete control of the affected system or cause the affected system to stop responding.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=6ec86784-6b12-410b-8068-028c58ed5df7
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=c17ddc07-204b-4a7f-8c5a-36b7865a030c
Microsoft Windows XP Professional x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=89fbbdd0-7504-4807-9337-08324aa457e7
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId= 43d69a41-6acb-4c64-89dc-2b9aef6e98fd
Microsoft Windows Server 2003 for Itanium based Systems and Microsoft Windows Server 2003 with SP1 for Itanium based Systems :
http://www.microsoft.com/downloads/details.aspx?FamilyId=e1d13c18-72d1-40b8-95b3-08aef8db9213
Microsoft Windows Server 2003 x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=b6018a61-b0ec-467e-9025-059d3c9f1c5f
Refer to Micrsoft Security Bulletin MS06-030 for further details.
Microsoft RPC Mutual Authentication Spoofing Vulnerability (MS06-031)

Severity

Serious 3

Qualys ID

90322

Vendor Reference

MS06-031

CVE Reference

CVE-2006-2380

CVSS Scores

Base 4.3 / Temporal 3.4

Description

There is a spoofing vulnerability in the way that RPC handles mutual authentication. This vulnerability affects custom RPC applications acting as RPC clients using SSL with mutual authentication option. An attacker who successfully exploited this vulnerability could impersonate a valid RPC server.
This issue affects Microsoft Windows 2000 Service Pack 4 and earlier.

Consequence

This vulnerability could allow an attacker to persuade a user to connect to a malicious RPC server which appears to be valid.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=5089d956-7d8d-4241-9ca2-107ce4f8c093
Refer to Microsoft Security Bulletin MS06-031 for further details.
Vulnerability in TCP/IP Could Allow Remote Code Execution (MS06-032)

Severity

Critical 4

Qualys ID

90316

Vendor Reference

MS06-032

CVE Reference

CVE-2006-2379

CVSS Scores

Base 9.3 / Temporal 7.3

Description

There is a remote code execution vulnerability in the TCP/IP Protocol driver that results from an unchecked buffer. IP source routing is a mechanism which allows the sender to determine the IP route that a datagram should take through the network. It is disabled by default in XP SP2 and W2K3 SP1 systems. An attacker could try to exploit the vulnerability by creating a specially crafted network packet and sending the packet to an affected system.

Consequence

An attacker who successfully exploits this vulnerability could take complete control of the affected system.

Solution

Patch:
Following are links for downloading patches to fix the vulnerabilities:
Microsoft Windows 2000 Service Pack 4 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=305e208c-d75c-471b-9e57-30d01e320ad1
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=b62abe8e-4735-4934-a66e-5b957986efbf
Microsoft Windows XP Professional x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=44213900-9082-45dc-b514-31d38717fe89
Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 :
http://www.microsoft.com/downloads/details.aspx?FamilyId=ea319c61-b405-41ab-9eee-d5b3488b90e0
Microsoft Windows Server 2003 for Itanium based Systems and Microsoft Windows Server 2003 with SP1 for Itanium based Systems :
http://www.microsoft.com/downloads/details.aspx?FamilyId=cd8b88b5-f90f-4c0c-a5ad-3641751381c9
Microsoft Windows Server 2003 x64 Edition :
http://www.microsoft.com/downloads/details.aspx?FamilyId=cd8699bc-6760-4f0e-b8e0-2e7d89092ce8
Refer to Micrsoft Security Bulletin MS06-032 for further details.

These new vulnerability checks are included in Qualys vulnerability signature 1.14.75-6. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.

Selective Scan Instructions Using Qualys

To perform a selective vulnerability scan, configure a scan profile to use the following options:

Ensure access to TCP ports 135 and 139 are available.
Enable Windows Authentication (specify Authentication Records).
Enable the following Qualys IDs:
- 100035
- 90317
- 90320
- 90314
- 90319
- 90312
- 90315
- 90318
- 90323
- 90322
- 90316
If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.

In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.

Access for Qualys Customers

Platforms and Platform Identification

Technical Support

For more information, customers may contact Qualys Technical Support.

About Qualys

The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.

OVERVIEW

CAPABILITIES

PLATFORM APPS

ASSET MANAGEMENT

Vulnerability & Configuration Management

Risk REMEDIATION

Threat Detection and Response

Compliance

Cloud Security

Use Cases

Segments

RESOURCES

RESEARCH

Customers

Partners

Company

Overview

CAPABILITIES

Platform Apps

Use Cases

Segments

Resources

Research

Enterprise TruRisk Platform

Free Services

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Platform Apps

Microsoft security alert.

June 13, 2006

Advisory overview

Vulnerability details

Cumulative Security Update for Internet Explorer Missing (MS06-021)

Microsoft ART Image Rendering Remote Code Execution Vulnerability (MS06-022)

Microsoft JScript Remote Code Execution Vulnerability (MS06-023)

Microsoft Windows Media Player PNG Vulnerability (MS06-024)

Windows Routing and Remote Access Could Allow Remote Code Execution (MS06-025)

Vulnerability in Microsoft Word Could Allow Remote Code Execution (MS06-027)

Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (MS06-028)

Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (MS06-029)

Microsoft Windows SMB Could Allow Elevation of Privileges (MS06-030)

Microsoft RPC Mutual Authentication Spoofing Vulnerability (MS06-031)

Vulnerability in TCP/IP Could Allow Remote Code Execution (MS06-032)

Selective Scan Instructions Using Qualys

Access for Qualys Customers

Technical Support

About Qualys