SAINTwriter Assessment Report

Transcription

SAINTwriter Assessment Report
Report Generated: July 27, 2010
1.0 Background
The E-Government Act (Public Law 107-347) passed by the 107th Congress and signed into law by the
President in December 2002 recognized the importance of information security to the economic and national
security interests of the United States. Title III of the E-Government Act, entitled the Federal Information
Security Management Act (FISMA) requires each federal agency to develop, document, and implement an
agency-wide program to provide information security for the information and information systems that support the
operations and assets of the agency, including those provided or managed by another agency, contractor, or
other source.
The first phase of the FISMA Implementation Project focuses on the development and updating of the security
standards and guidance required to effectively implement the provisions of the legislation. The implementation of
NIST standards and guidance will help agencies create and maintain robust information security programs and
effectively manage risk to agency operations, agency assets, and individuals.
The second phase of the FISMA Implementation Project is focused on providing information system
implementation and assessment reference materials for building common understanding in applying the NIST
suite of publications supporting the Risk Management Framework (RMF). One of key aspects phase two is the
use of support tools, checklists, etc:
(ii) Support Tools Initiative: for defining criteria for common reference programs, materials, checklists, (i.e
NVD, SCAP, etc.), technical guides, automated tools and techniques supporting implementation and
assessment of SP 800-53-based security controls.
Collectively, the FISMA project strives to combine standards and guidelines with the use of technologies, tools
and techniques to provide a holistic approach to information security.
2.0 Security Controls
The Office of Management and Budget (OMB) M-09-29, dated August 20, 2009, specifies that:
Agencies are required to use FIPS 200/NIST Special Publication 800-53 for the specification of
security controls and NIST Special Publications 800-37 and 800-53A for the assessment of security
control effectiveness.
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory
federal standard developed by NIST in response to FISMA. To comply with the federal standard, organizations
must first determine the security category of their information system in accordance with FIPS 199, Standards
for Security Categorization of Federal Information and Information Systems, derive the information system
impact level from the security category in accordance with FIPS 200, and then apply the appropriately tailored
1
set of baseline security controls in NIST Special Publication 800-53, Security Controls for Federal Information
Systems and Organizations. Organizations have flexibility in applying the baseline security controls in accordance
with the guidance provided in Special Publication 800-53. This allows organizations to tailor the relevant security
control baseline so that it more closely aligns with their mission and business requirements and environments of
operation.
FIPS 200 and NIST Special Publication 800-53, in combination, help ensure that appropriate security
requirements and security controls are applied to all federal information and information systems. An
organizational assessment of risk validates the initial security control selection and determines if any additional
controls are needed to protect organizational operations (including mission, functions, image, or reputation),
organizational assets, individuals, other organizations, or the Nation. The resulting set of security controls
establishes a level of security due diligence for the organization.
NIST SP 800-53 specifies the security controls by unique Identifier, Family and Class (Reference SP800-83,
Revision 3, Section 2.1, Table 1-1, SECURITY CONTROL CLASSES, FAMILIES, AND IDENTIFIERS)
3.0 Consensus Audit Guidelines (CAG)
A central tenet of the US Comprehensive National Cybersecurity Initiative (CNCI) is that 'offense must inform
defense' (source: http://www.sans.org/critical-security-controls/cag.pdf) In other words, knowledge of actual
attacks that have compromised systems provides the essential foundation on which to construct effective
defenses. The US Senate Homeland Security and Government Affairs Committee moved to make this same
tenet central to the Federal Information Security Management Act in drafting the U.S. ICE Act of 2009 (the
new FISMA). That new proposed legislation calls upon Federal agencies to (and on the White House to ensure
that they):
monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and
exploitations. and .continuously test and evaluate information security controls and techniques to ensure
that they are effectively implemented.
The CAG, maintained by SANS (http://www.sans.org/), contains the list of Twenty Critical Controls for
Effective Cyber Defense (source: http://www.sans.org/critical-security-controls/user-tools.php. ). The CAG, in
contrast to security guidelines and controls within NIST SP 800-53, seeks to identify a subset of security control
activities that CISO.s, CIO.s and IG.s can focus on as their top, shared priority for cyber security based on
attacks occurring today and those anticipated in the future. Each control maps to specific corresponding areas
within SP 800-53. Within that guideline, the CAG describes Critical Control 10: Continuous Vulnerability
Assessment and Remediation. Critical Control 10 maps to the following technical controls within SP 800-53,
revision 3, Appendix D, Table D-1: Security Control Baselines:
CA-7 -- Continuous Monitoring
Enhanced Supplemental Guidelines: Examples of vulnerability mitigation procedures are
contained in Information Assurance Vulnerability Alerts.
RA-3 -- Risk Assessment (Control: The Organization)
A. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the
unauthorized access, use, disclosure, disruption, modification, or destruction of the information
system and the information it processes, stores, or transmits;
B. Documents risk assessment results in [Selection: security plan; risk assessment report;
2
[Assignment: organization-defined document]];
C. Reviews risk assessment results [Assignment: organization-defined frequency]; and
D. Updates the risk assessment [Assignment: organization-defined frequency] or whenever
there are significant changes to the information system or environment of operation (including
the identification of new threats
RA-5 -- Vulnerability Scanning (Control: The Organization)
Scans for vulnerabilities in the information system and hosted applications [Assignment
organization-defined frequency and/or randomly in accordance with organization-defined
process] and when new vulnerabilities potentially affecting the system/applications are
identified and reported;
Employs vulnerability scanning tools and techniques that promote interoperability among tools
and automate parts of the vulnerability management process by using standards for:
Enumerating platforms, software flaws, and improper configurations;
Formatting and making transparent, checklists and test procedures; and
Measuring vulnerability impact;
RA-5 -- Vulnerability Scanning (Control: Enhancements)
(1) The organization employs vulnerability scanning tools that include the capability to readily
update the list of information system vulnerabilities scanned.
(2) The organization updates the list of information system vulnerabilities scanned
[Assignment: organization-defined frequency] or when new vulnerabilities are identified and
reported.
(5) The organization includes privileged access authorization to [Assignment:
organization-identified information system components] for selected vulnerability scanning
activities to facilitate more thorough scanning.
(6) The organization employs automated mechanisms to compare the results of vulnerability
scans over time to determine trends in information system vulnerabilities.
This control and the specified technical controls within NIST 800-53 are the focus of this report.
4.0 Introduction
On July 13, 2010, at 10:51 AM, a heavy vulnerability assessment was conducted using the SAINT 7.4.3
vulnerability scanner. The scan discovered a total of one live host, and detected 22 critical problems, 95 areas of
concern, and 40 potential problems. The hosts and problems detected are discussed in greater detail in the
following sections.
5.0 Summary
The following vulnerability severity levels are used to categorize the vulnerabilities:
CRITICAL PROBLEMS
Vulnerabilities which pose an immediate threat to the network by allowing a remote attacker to directly
gain read or write access, execute commands on the target, or create a denial of service.
AREAS OF CONCERN
3
Vulnerabilities which do not directly allow remote access, but do allow privilege elevation attacks,
attacks on other targets using the vulnerable host as an intermediary, or gathering of passwords or
configuration information which could be used to plan an attack.
POTENTIAL PROBLEMS
Warnings which may or may not be vulnerabilities, depending upon the patch level or configuration of
the target. Further investigation on the part of the system administrator may be necessary.
SERVICES
Network services which accept client connections on a given TCP or UDP port. This is simply a count
of network services, and does not imply that the service is or is not vulnerable.
The sections below summarize the results of the scan.
5.1 Vulnerabilities by Severity
This section shows the overall number of vulnerabilities and services detected at each severity level.
5.2 Hosts by Severity
This section shows the overall number of hosts detected at each severity level. The severity level of a host is
defined as the highest vulnerability severity level detected on that host.
4
5.3 Vulnerabilities by Class
This section shows the number of vulnerabilities detected in each of the following classes.
Class
Web
Mail
File Transfer
Login/Shell
Print Services
RPC
DNS
Databases
Networking/SNMP
Windows OS
Passwords
Other
Description
Vulnerabilities in web servers, CGI programs, and any other software offering an HTTP interface
Vulnerabilities in SMTP, IMAP, POP, or web-based mail services
Vulnerabilities in FTP and TFTP services
Vulnerabilities in ssh, telnet, rlogin, rsh, or rexec services
Vulnerabilities in lpd and other print daemons
Vulnerabilities in Remote Procedure Call services
Vulnerabilities in Domain Name Services
Vulnerabilities in database services
Vulnerabilities in routers, switches, firewalls, or any SNMP service
Missing hotfixes or vulnerabilities in the registry or SMB shares
Missing or easily guessed user passwords
Any vulnerability which does not fit into one of the above classes
5
6.0 Overview
The following tables present an overview of the hosts discovered on the network and the vulnerabilities contained
therein.
6.1 Host List
This table presents an overview of the hosts discovered on the network.
Host Name
Netbios Name
IP Address
Host Type
10.7.0.2
SAINTLAB02
10.7.0.2
Windows 2000 SP2
6.2 Vulnerability List
6
Critical
Problems
22
Areas of
Concern
95
Potential
Problems
40
This table presents an overview of the vulnerabilities detected on the network.
Host
Name
10.7.0.2
Severity
Vulnerability / Service
Class
CVE
critical
Web
CVE-2001-0333 CVE-2010-1556
10.7.0.2
10.7.0.2
critical
critical
Folder traversal in IIS (Double
Decoding)
IPP Service integer overflow
multiple vulnerabilities in IIS 5.0
Web
Web
no
yes
10.7.0.2
critical
Windows
OS
10.7.0.2
critical
Web
CVE-2003-0718 CVE-2010-1556
no
10.7.0.2
critical
Microsoft Internet Information
Services FTP Server Remote
Buffer Overflow
WebDAV XML message handler
denial of service
buffer overflow in IIS 5.0 WebDAV
CVE-2008-1446 CVE-2010-1556
CVE-2002-0071 CVE-2002-0072
CVE-2002-0073 CVE-2002-0074
CVE-2002-0075 CVE-2002-0079
CVE-2002-0147 CVE-2002-0148
CVE-2002-0149 CVE-2002-0150
CVE-2010-1556
CVE-2009-2521 CVE-2009-3023
CVE-2010-1556
Web
yes
10.7.0.2
critical
Microsoft mail server vulnerabilities,
smtpsvc.dll dated 2001-5-4
Mail
10.7.0.2
critical
Mail
10.7.0.2
critical
denial of service in Windows SMTP
service
vulnerable Microsoft mail server
version: 5.0.2195.2966
10.7.0.2
critical
Other
10.7.0.2
critical
Databases
CVE-2000-1209 CVE-2010-1556
no
10.7.0.2
critical
critical
CVE-2006-3440 CVE-2006-3441
CVE-2010-1556
CVE-2010-0478 CVE-2010-1556
10.7.0.2
critical
CVE-2007-3039 CVE-2010-1556
yes
10.7.0.2
critical
CVE-2007-2228 CVE-2010-1556
no
10.7.0.2
critical
CVE-2006-3439 CVE-2010-1556
yes
10.7.0.2
critical
CVE-2008-4250 CVE-2010-1556
yes
10.7.0.2
critical
CVE-2005-4560 CVE-2010-1556
yes
10.7.0.2
critical
vulnerable version of SMB Server
(MS10-012)
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
no
10.7.0.2
vulnerable Microsoft NNTP version:
5.0.2195.2966
SQL Server account sa has no
password
Windows DNS Resolution Remote
Code Execution
Windows Media Unicast Service
transport information buffer overflow
Windows Message Queuing
validation vulnerability
Windows RPC authentication denial
of service
Windows Server Service Buffer
Overrun
Windows Server Service MS08-067
buffer overflow
Windows WMF gdi32.dll vulnerability
CVE-2001-0241 CVE-2001-0500
CVE-2003-0109 CVE-2010-1556
CVE-2010-0024 CVE-2010-0025
CVE-2010-1556 CVE-2010-1689
CVE-2010-1690
CVE-2002-0055 CVE-2003-1106
CVE-2010-1556
CVE-2010-0024 CVE-2010-0025
CVE-2010-1556 CVE-2010-1689
CVE-2010-1690
CVE-2004-0574 CVE-2010-1556
no
10.7.0.2
critical
vulnerable version of SMB Server
(MS10-012) dated 2001-5-8
Windows
OS
10.7.0.2
critical
10.7.0.2
critical
10.7.0.2
concern
WINS Could Allow Remote Code
Execution
pointer corruption vulnerability in
WINS replication service
ASP.NET application folder
information disclosure
Windows
OS
Windows
OS
Web
CVE-2010-0020 CVE-2010-0021
CVE-2010-0022 CVE-2010-0231
CVE-2010-1556
CVE-2010-0020 CVE-2010-0021
CVE-2010-0022 CVE-2010-0231
CVE-2010-1556
CVE-2009-1923 CVE-2009-1924
CVE-2010-1556
CVE-2004-0567 CVE-2004-1080
CVE-2010-1556
CVE-2006-1300 CVE-2010-1556
Mail
7
Exploit
Available?
yes
yes
no
no
no
no
yes
no
no
yes
no
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
concern
concern
concern
concern
Web server allows cross-site tracing
DNS cache snooping vulnerability
DNS server allows zone transfers
vulnerabilities in IIS 5
Web
DNS
DNS
Web
10.7.0.2
concern
Web
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
Microsoft IIS Authentication Method
Disclosed
Microsoft IIS WebDAV Request
Directory Security Bypass
Internet Explorer
ADODB.Connection ActiveX
Object Memory Corruption
Internet Explorer August 2006
CSU fixes
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
Internet Explorer COM Objects
Instantiation vulnerability
Internet Explorer COM object
memory corruption
Internet Explorer Cascading Style
Sheets vulnerability
Windows
OS
Windows
OS
Windows
OS
10.7.0.2
concern
Internet Explorer Create Text
Range code injection
Windows
OS
10.7.0.2
concern
Internet Explorer DHTML method
memory corruption
Windows
OS
10.7.0.2
concern
Internet Explorer Exception
Handling Memory Corruption
vulnerability
Windows
OS
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
Internet Explorer JPEG buffer
overflow
Internet Explorer JS remote code
execution
Internet Explorer JS stack overflow
10.7.0.2
concern
Internet Explorer JavaScript
vulnerability
Windows
OS
Windows
OS
Windows
OS
Windows
OS
10.7.0.2
concern
10.7.0.2
concern
Internet Explorer Nested OBJECT
tag memory corruption
Internet Explorer PNG buffer
overflow
Windows
OS
Windows
OS
Web
Windows
OS
Windows
OS
8
CVE-2010-1556
CVE-2010-1556
CVE-1999-0532 CVE-2010-1556
CVE-2000-0770 CVE-2001-0151
CVE-2001-0241 CVE-2001-0500
CVE-2001-0507 CVE-2002-0869
CVE-2002-1180 CVE-2002-1181
CVE-2002-1182 CVE-2003-0223
CVE-2003-0224 CVE-2003-0225
CVE-2003-0226 CVE-2006-0026
CVE-2010-1556
CVE-2002-0419 CVE-2010-1556
no
no
yes
yes
CVE-2009-1122 CVE-2009-1535
CVE-2010-1556
CVE-2006-5559 CVE-2010-1556
no
CVE-2004-1166 CVE-2006-3280
CVE-2006-3450 CVE-2006-3451
CVE-2006-3637 CVE-2006-3638
CVE-2006-3639 CVE-2006-3640
CVE-2010-1556
CVE-2006-4193 CVE-2006-4219
CVE-2010-1556
CVE-2005-2127 CVE-2010-1556
no
CVE-2004-0216 CVE-2004-0727
CVE-2004-0839 CVE-2004-0841
CVE-2004-0842 CVE-2004-0843
CVE-2004-0844 CVE-2004-0845
CVE-2010-1556
CVE-2006-1185 CVE-2006-1186
CVE-2006-1188 CVE-2006-1189
CVE-2006-1190 CVE-2006-1191
CVE-2006-1192 CVE-2006-1245
CVE-2006-1359 CVE-2006-1388
CVE-2010-1556
CVE-2005-0053 CVE-2005-0054
CVE-2005-0055 CVE-2005-0056
CVE-2010-1556
CVE-2005-4089 CVE-2006-1303
CVE-2006-1626 CVE-2006-2218
CVE-2006-2382 CVE-2006-2383
CVE-2006-2384 CVE-2006-2385
CVE-2010-1556
CVE-2005-1988 CVE-2005-1989
CVE-2005-1990 CVE-2010-1556
CVE-2006-1313 CVE-2010-1556
no
CVE-2006-0753 CVE-2006-0830
CVE-2010-1556
CVE-2005-1790 CVE-2005-2829
CVE-2005-2830 CVE-2005-2831
CVE-2010-1556
CVE-2006-1992 CVE-2006-2094
CVE-2006-2111 CVE-2010-1556
CVE-2002-0648 CVE-2005-1211
CVE-2010-1556
no
no
no
no
no
yes
no
no
yes
no
yes
no
no
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
10.7.0.2
concern
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
Internet Explorer URL parsing
buffer overflow
Internet Explorer VBScript and
JScript decoding vulnerability
Internet Explorer VML Remote
Code Execution
Internet Explorer VML buffer
overflow (MS07-004)
Internet Explorer vulnerable VML
version dated 2001-5-8
Jscript.dll buffer overflow
vulnerability
Windows 2000 IE6 VML vulnerable
version, vgx.dll dated 2001-5-8
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
CVE-2005-0553 CVE-2005-0554
CVE-2005-0555 CVE-2010-1556
CVE-2008-0083 CVE-2010-1556
yes
CVE-2006-4868 CVE-2010-1556
yes
CVE-2007-0024 CVE-2010-1556
yes
CVE-2007-1749 CVE-2010-1556
no
CVE-2009-1920 CVE-2010-1556
no
CVE-2007-5348 CVE-2008-3012
CVE-2008-3013 CVE-2008-3014
CVE-2010-1556
CVE-2004-0573 CVE-2010-1556
no
WordPerfect Converter buffer
overflow
Microsoft outlook ATL vulnerability
(MS09-037)
Windows
OS
Windows
OS
CVE-2008-0015 CVE-2008-0020
CVE-2009-0901 CVE-2009-2493
CVE-2009-2494 CVE-2010-1556
CVE-2010-0816 CVE-2010-1556
yes
Outlook Express Could Allow
Remote Code Execution
(MS10-030)
Microsoft SQL Server Distributed
Management Objects Buffer
Overflow
Microsoft SQL Server vulnerable
version, sqlservr.exe dated 2000-8-6
Windows
OS
Databases
CVE-2007-4814 CVE-2010-1556
yes
Databases
no
Login/Shell
Mail
CVE-2007-5348 CVE-2008-3012
CVE-2008-3013 CVE-2008-3014
CVE-2008-3015 CVE-2010-1556
CVE-2009-1930 CVE-2010-1556
CVE-2006-2386 CVE-2010-1556
Telnet Authentication Reflection
Outlook Express Contact Record
vulnerability
Outlook Express Windows Address
Book vulnerability
Outlook Express vulnerable version,
inetcomm.dll dated 2001-5-8
Mail
CVE-2006-0014 CVE-2010-1556
no
Mail
CVE-2006-2111 CVE-2007-2225
CVE-2007-2227 CVE-2007-3897
CVE-2010-1556
CVE-2008-4253 CVE-2010-1556
no
Microsoft VB6 FlexGrid ActiveX
control vulnerable version dated
1999-9-7
Elevation of Privilege Vulnerabilities
in Windows (MS09-012)
Elevation of Privilege Vulnerabilities
in Windows (MS10-015)
Jet Database Engine vulnerable
version, msjet40.dll dated 2001-5-8
Kodak Image Viewer remote code
execution
Microsoft Agent ACF memory
corruption
Microsoft Agent URL parsing
vulnerability
Microsoft Agent vulnerable version,
agentdpv.dll dated 2001-5-8
Microsoft Data Access Component
vulnerability
Microsoft Image Color Management
System vulnerable version,
mscms.dll dated 2001-5-8
Other
CVE-2008-1436 CVE-2009-0078
CVE-2010-1556
CVE-2010-0232 CVE-2010-0233
CVE-2010-1556
CVE-2005-0944 CVE-2007-6026
CVE-2008-1092 CVE-2010-1556
CVE-2007-2217 CVE-2010-1556
no
CVE-2006-3445 CVE-2010-1556
no
CVE-2007-1205 CVE-2010-1556
no
CVE-2007-3040 CVE-2010-1556
yes
CVE-2006-0003 CVE-2010-1556
yes
CVE-2008-2245 CVE-2010-1556
no
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
9
no
no
no
yes
no
no
no
yes
yes
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
Microsoft Paint Integer Overflow
vulnerability
Microsoft Windows DHTML remote
code execution vulnerability
(MS09-046)
Microsoft Windows vulnerable
version, msconv97.dll dated
2001-5-8
NetBIOS Name Service information
disclosure
Vulnerability in the OpenType
Compact Font Format Driver Could
Allow Elevation of Privilege
Vulnerable MFC Library FileFind
Class file mfc42.dll
Class file mfc42u.dll
Windows 2000 GDI vulnerable
version, gdi32.dll dated 2001-5-8
Windows
OS
Windows
OS
CVE-2010-0028 CVE-2010-1556
no
CVE-2009-2519 CVE-2010-1556
no
Windows
OS
CVE-2009-2506 CVE-2010-1556
no
Windows
OS
Windows
OS
CVE-2003-0661 CVE-2010-1556
no
CVE-2010-0819 CVE-2010-1556
no
Windows
OS
Windows
OS
Windows
OS
CVE-2007-4916 CVE-2010-1556
no
CVE-2007-4916 CVE-2010-1556
no
yes
Windows Authenticode Signature
Verification (MS10-019) version,
wintrust.dll dated 2001-5-8
Windows CSRSS Local (MS10-011)
vulnerable version, csrsrv.dll dated
2001-5-8
Windows CSRSS remote code
execution
Windows Cabinet File Viewer
(MS10-019) version, cabview.dll
dated 2001-5-8
Windows DNS Client Spoofing
vulnerability
Windows DNS Server Spoofing
vulnerability
Windows DNS Spoofing vulnerability
Windows
OS
CVE-2008-1083 CVE-2008-1087
CVE-2008-2249 CVE-2008-3465
CVE-2010-1556
CVE-2010-0486 CVE-2010-1556
Windows
OS
CVE-2010-0023 CVE-2010-1556
no
Windows
OS
Windows
OS
CVE-2006-6696 CVE-2006-6797
CVE-2010-1556
CVE-2010-0487 CVE-2010-1556
no
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
10
CVE-2008-1447 CVE-2010-1556
no
CVE-2008-1447 CVE-2008-1454
CVE-2010-1556
CVE-2008-0087 CVE-2010-1556
no
CVE-2010-0250 CVE-2010-1556
no
CVE-2010-0018 CVE-2010-1556
no
CVE-2007-3034 CVE-2010-1556
no
CVE-2007-1912 CVE-2010-1556
no
CVE-2006-1591 CVE-2010-1556
no
CVE-2009-3677 CVE-2010-1556
no
CVE-2006-3444 CVE-2010-1556
no
CVE-2007-1206 CVE-2010-1556
no
CVE-2005-2827 CVE-2010-1556
no
CVE-2009-3675 CVE-2010-1556
no
CVE-2007-5352 CVE-2010-1556
no
Windows DirectShow AVI Filter
buffer overflow
Windows Embedded OpenType
Font Engine Vulnerability
Windows GDI image handling buffer
overflow
Windows Help File Handling Heap
Buffer Overflow
Windows Help File Image
Processing Heap Buffer Overflow
Windows Internet Authentication
Service vulnerabilities
Windows Kernel privilege elevation
(ms06-049) vulnerability
(ms07-022) vulnerability
vulnerability
Windows LSASS IPSEC
Denial-of-Service Vulnerability
Windows LSASS vulnerability
no
no
no
10.7.0.2
concern
Windows MPEG layer 3 codec
vulnerable version, l3codecx.ax
dated 2001-5-8
Windows Media Player plug-in
EMBED vulnerability
Windows Media decompression
vulnerabilities
Windows OLE Automation remote
code execution vulnerability
Windows RPC Marshalling Engine
vulnerability
Windows SMB Client vulnerabilities
(MS10-020)
Windows
OS
CVE-2010-0480 CVE-2010-1556
no
10.7.0.2
concern
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
CVE-2006-0005 CVE-2010-1556
yes
10.7.0.2
concern
CVE-2010-1556 CVE-2010-1879
CVE-2010-1880
CVE-2007-0065 CVE-2007-2224
CVE-2010-1556
CVE-2009-0568 CVE-2010-1556
no
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
no
Windows SMB Remote Code
Execution
Windows Services for UNIX setuid
privilege elevation
Windows Shell Handler vulnerability
CVE-2007-3036 CVE-2010-1556
no
CVE-2010-0027 CVE-2010-1556
no
Windows VB script vulnerable
version, vbscript.dll dated 2001-5-8
Windows WMA Voice codec
vulnerability
Windows atl.dll vulnerable
(MS09-037)
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
CVE-2009-3676 CVE-2010-0269
CVE-2010-0270 CVE-2010-0476
CVE-2010-0477 CVE-2010-1556
CVE-2008-4038 CVE-2010-1556
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
CVE-2010-0483 CVE-2010-1556
no
10.7.0.2
concern
no
concern
Windows dhtmled.ocx vulnerable
(MS09-037)
Windows
OS
10.7.0.2
concern
10.7.0.2
concern
Windows kernel GDI validation
vulnerabilities
Windows kernel desktop validation
vulnerabilities
Windows
OS
Windows
OS
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
concern
Windows kernel embedded font
vulnerabilities
Windows kernel multiple privilege
elevation vulnerabilities (MS10-032)
Windows kernel property validation
vulnerabilities
Windows kernel user mode callback
vulnerability
Windows kernel vulnerable
(MS10-021) version, ntoskrnl.exe
dated 2001-5-8
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
CVE-2009-0555 CVE-2009-2525
CVE-2010-1556
CVE-2008-0015 CVE-2008-0020
CVE-2009-0901 CVE-2009-2493
CVE-2009-2494 CVE-2010-1556
CVE-2008-0015 CVE-2008-0020
CVE-2009-0901 CVE-2009-2493
CVE-2009-2494 CVE-2010-1556
CVE-2009-0081 CVE-2009-0082
CVE-2009-0083 CVE-2010-1556
CVE-2009-1123 CVE-2009-1124
CVE-2009-1125 CVE-2009-1126
CVE-2010-1556
CVE-2009-1127 CVE-2009-2513
CVE-2009-2514 CVE-2010-1556
CVE-2010-0484 CVE-2010-0485
CVE-2010-1255 CVE-2010-1556
CVE-2008-2250 CVE-2008-2251
CVE-2008-2252 CVE-2010-1556
CVE-2008-1084 CVE-2010-1556
10.7.0.2
concern
10.7.0.2
no
10.7.0.2
concern
10.7.0.2
concern
10.7.0.2
potential
10.7.0.2
potential
Windows
OS
Windows
OS
Windows
OS
Other
CVE-2010-1556
no
10.7.0.2
potential
Windows kernel vulnerable version,
ntoskrnl.exe dated 2001-5-8
Windows media file processing
vulnerable (MS09-038)
Possible buffer overflow in Active
Directory
AV Information: AntiVirus software
not found (AVG Symantec McAfee
TrendMicro)
possible vulnerability in Apple Filing
Protocol 2.0
CVE-2010-0234 CVE-2010-0235
CVE-2010-0236 CVE-2010-0237
CVE-2010-0238 CVE-2010-0481
CVE-2010-0482 CVE-2010-0810
CVE-2010-1556
CVE-2009-2515 CVE-2009-2516
CVE-2009-2517 CVE-2010-1556
CVE-2009-1545 CVE-2009-1546
CVE-2010-1556
CVE-2003-0507 CVE-2010-1556
CVE-2004-0430 CVE-2010-1556
no
Other
11
no
no
no
yes
yes
no
no
no
no
no
no
no
no
no
10.7.0.2
potential
Cookie Injection vulnerabilities in IE
Web
10.7.0.2
10.7.0.2
potential
potential
DNS server allows recursive queries
guessable read community string
10.7.0.2
10.7.0.2
potential
potential
10.7.0.2
potential
10.7.0.2
potential
ICMP timestamp requests enabled
Internet Explorer Modal Dialog
zone bypass
Internet Explorer Travel Log
vulnerability
Internet Explorer cross-domain
vulnerabilities
DNS
Networking
/SNMP
Other
Windows
OS
Windows
OS
Windows
OS
10.7.0.2
potential
Internet Explorer patch needed
Windows
OS
10.7.0.2
potential
Other
10.7.0.2
potential
Possible vulnerability in LDAP over
SSL
Is your LDAP secure?
10.7.0.2
potential
Mail
10.7.0.2
potential
Authentication flaw in Microsoft mail
server
Microsoft SQL Server vulnerable
version: 8.00.194
10.7.0.2
potential
Databases
10.7.0.2
potential
Possible vulnerability in MS SQL
Server Resolution Service
Possible vulnerability in Microsoft
Terminal Server
10.7.0.2
potential
10.7.0.2
potential
Windows
OS
Mail
10.7.0.2
potential
NetBIOS share enumeration using
null session
Outlook Express MHTML
vulnerability
Outlook Express NNTP buffer
overflow
Other
Databases
Other
Mail
12
CVE-2004-0866 CVE-2004-0869
CVE-2010-1556
CVE-2010-1556
CVE-1999-0516 CVE-1999-0517
CVE-2010-1556
CVE-1999-0524 CVE-2010-1556
CVE-2003-1048 CVE-2004-0549
CVE-2004-0566 CVE-2010-1556
CVE-2003-1025 CVE-2003-1026
CVE-2003-1027 CVE-2010-1556
CVE-2003-0814 CVE-2003-0815
CVE-2003-0816 CVE-2003-0817
CVE-2003-0823 CVE-2010-1556
CVE-2003-0113 CVE-2003-0114
CVE-2003-0115 CVE-2003-0116
CVE-2003-0309 CVE-2003-0344
CVE-2003-0530 CVE-2003-0531
CVE-2003-0532 CVE-2003-0701
CVE-2003-0809 CVE-2003-0838
CVE-2003-1025 CVE-2003-1026
CVE-2003-1027 CVE-2003-1326
CVE-2003-1328 CVE-2010-1556
CVE-2001-0502 CVE-2010-1556
no
CVE-2002-1378 CVE-2002-1379
CVE-2010-1556
CVE-2001-0504 CVE-2002-0054
CVE-2010-1556
CVE-1999-0652 CVE-1999-0999
CVE-2000-0199 CVE-2000-0202
CVE-2000-0402 CVE-2000-0485
CVE-2000-0603 CVE-2000-1081
CVE-2000-1082 CVE-2000-1083
CVE-2000-1084 CVE-2000-1085
CVE-2000-1086 CVE-2000-1087
CVE-2000-1088 CVE-2001-0344
CVE-2001-0542 CVE-2001-0879
CVE-2002-0056 CVE-2002-0154
CVE-2002-0186 CVE-2002-0187
CVE-2002-0624 CVE-2002-0641
CVE-2002-0642 CVE-2002-0644
CVE-2002-0645 CVE-2002-0695
CVE-2002-0721 CVE-2002-0859
CVE-2002-0982 CVE-2002-1123
CVE-2002-1137 CVE-2002-1138
CVE-2002-1145 CVE-2003-0230
CVE-2003-0231 CVE-2003-0232
CVE-2010-1556
CVE-2002-0649 CVE-2002-0650
CVE-2002-0729 CVE-2010-1556
CVE-2000-1149 CVE-2001-0663
CVE-2001-0716 CVE-2002-0863
CVE-2002-0864 CVE-2005-1218
CVE-2010-1556
CVE-2010-1556
no
CVE-2004-0380 CVE-2010-1556
no
CVE-2005-1213 CVE-2010-1556
yes
no
no
no
no
no
no
no
no
no
yes
yes
no
no
10.7.0.2
10.7.0.2
potential
potential
10.7.0.2
10.7.0.2
potential
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
potential
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
Outlook Express patch needed
chargen could be used in UDP
bomb
SMTP may be a mail relay
SNMP is enabled and may be
vulnerable
Mail
Networking
/SNMP
Mail
Networking
/SNMP
non-administrative users can act as
part of the operating system
non-administrative users can bypass
traverse checking
non-administrative users can replace
a process level token
auditing is disabled
Windows
OS
Windows
OS
Windows
OS
Windows
OS
DNS
Windows DNS lack of entropy
spoofing attack
Collaboration Data Objects
vulnerability
FTP Client vulnerability
Jet Database Engine buffer
overflow
Jet Database Engine input
validation problems
Microsoft Agent spoofing
vulnerability
Network Connection Manager
vulnerability
Windows 2000 VM ByteCode
Verifier vulnerability
Windows COM+ command
execution vulnerability
Windows HyperTerminal buffer
overflow
Windows Message Queuing
vulnerability
Windows RPC mutual authentication
spoofing
17/TCP
17/UDP
42/TCP
88/TCP
88/UDP
464/TCP
464/UDP
548/TCP
563/TCP
1028/TCP
1030/UDP
1031/TCP
1053/TCP
1054/UDP
1056/UDP
1059/TCP
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
Windows
OS
CVE-2002-1179 CVE-2010-1556
CVE-1999-0103 CVE-2010-1556
no
no
CVE-1999-0512 CVE-2010-1556
CVE-1999-0615 CVE-2002-0012
CVE-2002-0013 CVE-2002-0053
CVE-2002-0796 CVE-2002-0797
CVE-2010-1556
CVE-1999-0534 CVE-2010-1556
no
no
CVE-1999-0534 CVE-2010-1556
no
CVE-1999-0534 CVE-2010-1556
no
CVE-1999-0575 CVE-2010-1556
no
CVE-2007-3898 CVE-2010-1556
no
CVE-2005-1987 CVE-2010-1556
no
CVE-2005-2126 CVE-2010-1556
no
CVE-2004-0197 CVE-2010-1556
no
CVE-2005-0944 CVE-2010-1556
yes
CVE-2005-1214 CVE-2010-1556
no
CVE-2005-2307 CVE-2010-1556
no
CVE-2003-0111 CVE-2010-1556
no
CVE-2005-1978 CVE-2005-1979
CVE-2005-1980 CVE-2005-2119
CVE-2010-1556
CVE-2004-0568 CVE-2010-1556
no
CVE-2005-0059 CVE-2010-1556
yes
CVE-2006-2380 CVE-2010-1556
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
13
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
1063/UDP
1068/UDP
1073/UDP
1081/UDP
1090/TCP
1091/TCP
1101/UDP
1102/UDP
1104/TCP
1105/TCP
1106/UDP
1110/TCP
1111/TCP
1112/UDP
1113/TCP
1128/UDP
1129/UDP
1135/TCP
1138/UDP
1144/TCP
1150/UDP
1240/UDP
1369/UDP
1415/UDP
1433/TCP
1434/UDP
1638/UDP
1645/UDP
1646/UDP
1718/UDP
1719/UDP
1755/TCP
1755/UDP
1801/TCP
1801/UDP
1813/UDP
2101/TCP
2103/TCP
2107/TCP
3268/TCP
3269/TCP
3372/TCP
3389/TCP
6666/TCP
7007/TCP
DNS
FTP
FTP (with anonymous)
NNTP (Usenet news)
SMB
SMTP
SNMP
WWW
WWW (Secure)
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
14
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
service
info
info
info
10.7.0.2
info
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
10.7.0.2
info
info
info
info
info
WWW (non-standard port 5406)
XDM (X login)
bootpc (68/UDP)
bootps (67/UDP)
chargen (19/TCP)
chargen:UDP (19/UDP)
daytime (13/TCP)
daytime (13/UDP)
discard (9/TCP)
discard (9/UDP)
domain (53/UDP)
echo (7/TCP)
echo (7/UDP)
eklogin (2105/TCP)
isakmp (500/UDP)
ldap (389/TCP)
ldap (389/UDP)
microsoft-ds (445/TCP)
microsoft-ds (445/UDP)
name (42/UDP)
netbios-dgm (138/UDP)
netbios-ns (137/UDP)
ntp (123/UDP)
printer (515/TCP)
radius (1812/UDP)
ssl-ldap (636/TCP)
tftp (69/UDP)
Netbios Attribute: Domain Controller
Netbios Attribute: Master Browser
Netbios Attribute: Messenger
Service
Netbios Attribute: Primary Domain
Controller
Share: ADMIN$
Share: C$
Share: E$
Share: NETLOGON
Share: SYSVOL
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
no
7.0 Details
The following sections provide details on the specific vulnerabilities detected on each host.
7.1 10.7.0.2
IP Address: 10.7.0.2
Scan time: Jul 13 10:51:48 2010
Host type: Windows 2000 SP2
Netbios Name: SAINTLAB02
Folder traversal in IIS (Double Decoding)
Severity: Critical Problem
CVE: CVE-2001-0333 CVE-2010-1556
Impact
15
An attacker could send a specially constructed request which crashes the server or executes arbitrary code
with the privileges of the web server.
Resolutions
Install the patches referenced in Microsoft Security Bulletins 03-018, 06-034 (for Windows 2000), 08-006 (for
Windows 2003 and XP), and 08-062.
For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security
Bulletin 02-050 must also be installed if client side certificates are to function.
IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the
permanent redirection option under the Home Directory tab in the web site properties.
Where can I read more about this?
Technical Details
Service: http
Sent:
GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
Host: 10.7.0.2
User-Agent: Mozilla/4.0
Connection: Keep-alive
Received:
HTTP/1.1 200 OK
And:
04/03/2008 11:41a <DIR> ASFRoot
IPP Service integer overflow
CVE: CVE-2008-1446 CVE-2010-1556
Impact
Resolutions
More information on Integer Overflow in IPP Service is available at Microsoft Security Bulletin 08-062.
16
Technical Details
Service: netbios
IIS .printer is running and Msw3prt.dll older than 2008-9-8
multiple vulnerabilities in IIS 5.0
CVE: CVE-2002-0071 CVE-2002-0072
CVE-2002-0073 CVE-2002-0074
CVE-2002-0075 CVE-2002-0079
CVE-2002-0147 CVE-2002-0148
CVE-2002-0149 CVE-2002-0150
CVE-2010-1556
Impact
Resolutions
More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09,
Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.
More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and
01-033, CERT advisories 2001-10 and 2001-13. General information on securing IIS 5.0 can be found in the
IIS 5 security checklist.
Technical Details
Service: http
Sent: GET /n0nexi5tent_fi1e.html HTTP/1.0
Received: ?document.write( '<A HREF="' + escape(urlresult) + '">' + displayresult + "</a>");
Microsoft Internet Information Services FTP Server Remote Buffer Overflow
CVE: CVE-2009-2521 CVE-2009-3023
CVE-2010-1556
Impact
Vulnerabilities in IIS allow privilege elevation, and code execution.
17
Resolution
For the FTP Server Remote Buffer Overflow vulnerability, patch as designated in Microsoft Security Bulletin
09-053.
The FTP Server Remote Buffer Overflow vulnerability was reported in Microsoft Security Bulletin 09-053.
The FTP Server Remote Buffer Overflow was reported in Bugtraq ID 36189.
Technical Details
Service: http
IIS FTP server running and IIS 5 detected and KB975254 not applied
WebDAV XML message handler denial of service
CVE: CVE-2003-0718 CVE-2010-1556
Impact
An attacker could send a specially constructed request which crashes the server, executes arbitrary code with
the privileges of the web server, bypasses access restrictions on WebDAV server, or reveals the source code
of ASP pages.
Resolutions
Install the patch referenced in Microsoft Security Bulletin 04-030 on all platforms, and 03-007 on Windows
2000 prior to service pack 4 and Windows XP prior to service pack 2. Note that the latest patch does not
currently fix the IIS 5.1 WebDAV source disclosure vulnerability.
The IIS 5.1 WebDAV source code disclosure vulnerability was reported in Bugtraq ID 14764.
More information on the WebDAV XML message handler denial of service is available in Microsoft Security
Bulletin 04-030.
Technical Details
Service: http
buffer overflow in IIS 5.0 WebDAV
CVE: CVE-2001-0241 CVE-2001-0500
CVE-2003-0109 CVE-2010-1556
Impact
of ASP pages.
18
Resolutions
More information on the WebDAV buffer overflow is available in CERT Advisory 2003-09 and Microsoft
Security Bulletin 03-007.
Technical Details
Service: http
Microsoft mail server vulnerabilities, smtpsvc.dll dated 2001-5-4
CVE: CVE-2010-0024 CVE-2010-0025
CVE-2010-1556 CVE-2010-1689
CVE-2010-1690
Impact
A remote attacker could crash the mail service or gain user-level privileges to the service, including the ability
to use the server as a mail relay.
Resolution
To fix the MX Record Denial of Service and Memory Allocation vulnerabilities, apply the patch referenced in
Microsoft Security Bulletin 10-024.
To fix the vulnerabilities in the Windows Server 2003 mail service, apply the patch referenced in Microsoft
To fix the Windows 2000 mail server vulnerabilities, apply Windows 2000 service pack 4. If service pack 4
cannot be applied immediately, apply the patches referenced in Microsoft Security Bulletins 01-037, 02-011,
and 02-012, and Microsoft Knowledge Base Article 330716. Note that bulletins 02-011 and 02-012 reference
the same patch, which fixes two problems.
See Microsoft Security Bulletins 01-037, 02-011, 02-012, 04-035, and 10-024, and Microsoft Knowledge Base
Article 330716.
The predictable DNS query ID and missing validation of DNS responses were posted to Full Disclosure.
Technical Details
Service: smtp
Microsoft SMTP service running and smtpsvc.dll older than 2010-3-2
19
denial of service in Windows SMTP service
CVE: CVE-2002-0055 CVE-2003-1106
CVE-2010-1556
Impact
Resolution
Article 330716.
Technical Details
Service: smtp
Received: 220 saintlab02.saintlab.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at Tue,
13 Jul 2010 10:48:01 -0400
vulnerable Microsoft mail server version: 5.0.2195.2966
CVE: CVE-2010-0024 CVE-2010-0025
CVE-2010-1556 CVE-2010-1689
CVE-2010-1690
Impact
Resolution
20
Article 330716.
Technical Details
Service: smtp
13 Jul 2010 10:48:01 -0400
vulnerable Microsoft NNTP version: 5.0.2195.2966
CVE: CVE-2004-0574 CVE-2010-1556
Impact
A remote attacker could take control of the server.
Resolution
Install the appropriate patch referenced in Microsoft Security Bulletin 04-036.
See Microsoft Security Bulletin 04-036.
Technical Details
Service: nntp
SQL Server account sa has no password
CVE: CVE-2000-1209 CVE-2010-1556
Impact
A remote attacker could execute arbitrary commands on the server.
Resolution
Set a password for the "sa" account in Microsoft SQL Server. A non-guessable password which is at least
eight characters long and composed of letters, digits, and non-alphanumeric characters is recommended.
For more information on this vulnerability, see US-CERT Vulnerability Note VU#635463.
21
For more information on securing Microsoft SQL Server, see the SQL Server security page.
Technical Details
Service: 1433:TCP
Windows DNS Resolution Remote Code Execution
CVE: CVE-2006-3440 CVE-2006-3441
CVE-2010-1556
Impact
The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers
or malicious web sites.
The Problems and Resolutions
One or more of the following security updates is not installed on the target system. The resolution is to install
the needed updates. This can be done either by following the links in the table, or by visiting the Windows
Update service which will automatically determine which updates are needed for your system and help you
install them. It is a good idea to make a backup of the system before installing an update, especially for
service packs. After the system has been brought up to date, check Microsoft's web site regularly for new
critical updates.
Note: The links below apply to the standard editions of Windows operating systems. If you are using a
Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding
Microsoft Security Bulletins for patch information.
Update Name
DNS Resolution Remote Code
Execution
Description
Fixes vulnerabilities in the Winsock
Hostname functionality and a DNS
Resolution Client Buffer Overrun.
(CVE 2006-3440 CVE 2006-3441)
Fix
Bulletin
2000: 920683
06-041
XP: 920683
2003: 920683 or
SP2
For more information on critical updates, see the Windows critical update pages which are available for
Windows 2000, Windows NT 4.0, Windows XP, and Windows Server 2003. Windows Vista. Windows Server
2008.
Technical Details
Service: netbios
dnsapi.dll older than 2006-6-24
Windows Media Unicast Service transport information buffer overflow
CVE: CVE-2010-0478 CVE-2010-1556
Impact
22
critical updates.
Update Name
Description
Windows Media Unicast Service
Fixes a remote code execution
transport information buffer overflow vulnerability in handling transport
information packets. (CVE
2010-0478)
Fix
2000: 980858
Bulletin
10-025
2008.
Technical Details
Service: 1755:TCP
MMS version = 4.1.0.3920
Windows Message Queuing validation vulnerability
CVE: CVE-2007-3039 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Fix
23
Bulletin
Message Queuing validation
vulnerability
Fixes a buffer overflow in Message 2000: 937894
Queuing which could allow remote XP: 937894
command execution for Windows
2000 and privilege elevation for
Windows XP. (CVE 2007-3039)
07-065
2008.
Technical Details
Service: netbios
mqutil.dll is out of date indicating Windows Message Queueing validation vulnerability and at least one of ports
2103:TCP, 2105:TCP, or 2107:TCP is open
Windows RPC authentication denial of service
CVE: CVE-2007-2228 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Windows RPC Authentication denial Fixes vulnerability in Windows RPC
of service
for Windows that allows for a denial
of service to be caused in the RPC
authentication. (CVE 2007-2228)
Fix
2000: 933729
XP: 933729
2003: 933729
Vista: 933729
Bulletin
07-058
2008.
Technical Details
24
Service: netbios
rpcrt4.dll older than 2007-7-7
Windows Server Service Buffer Overrun
CVE: CVE-2006-3439 CVE-2010-1556
Impact
critical updates.
Update Name
Server Service Buffer Overrun
Description
Fixes a vulnerability which could
allow command execution on a
buffer overrun on the Server
Service (CVE 2006-3439)
Fix
Bulletin
2000: 921883
06-040
XP: 921883
2003: 921883 or
SP2
2008.
Technical Details
Service: 445:TCP
Sent netrpPathCanonicalize call, response indicates patch not applied
Windows Server Service MS08-067 buffer overflow
CVE: CVE-2008-4250 CVE-2010-1556
Impact
25
critical updates.
Update Name
Description
Windows Server Service MS08-067 Fixes a buffer overflow in the
buffer overflow
Windows Server service which
could allow remote attackers to take
complete control of the computer.
(CVE 2008-4250)
Fix
2000: 958644
XP: 958644
2003: 958644
Vista: 958644
2008: 958644
Bulletin
08-067
2008.
Technical Details
Service: 445:TCP
NetprPathCompare returned 0
Windows WMF gdi32.dll vulnerability
CVE: CVE-2005-4560 CVE-2010-1556
Impact
critical updates.
Update Name
Windows WMF gdi32.dll
vulnerability
Description
vulnerability which exists in the
Graphics Rendering Engine
26
Fix
Bulletin
2000: 912919
06-001
XP: 912919
2003: 912919 or
because of the way that it handles SP2
Windows Metafile (WMF) images.
An attacker could exploit the
vulnerability to take complete control
of the affected system by
constructing a specially crafted
WMF image which is read by a
user on the system. (CVE
2005-4560)
2008.
Technical Details
Service: netbios
gdi32.dll older than 2005-12-25
vulnerable version of SMB Server (MS10-012)
CVE: CVE-2010-0020 CVE-2010-0021
CVE-2010-0022 CVE-2010-0231
CVE-2010-1556
Impact
critical updates.
Update Name
Description
Multiple vulnerabilities (MS10-012) Fixes 4 vulnerabilities announced in
Microsoft bulletin MS10-012, the
most critical of which could allow
remote code execution. The
vulnerabilities are due to weak
entropy used in encryption, bounds
checking on path names, and null
pointers. (CVE 2010-0020 CVE
27
Fix
2000 (all
versions):
971468
XP: 971468
2003 (all
versions):
971468
Vista (all
Bulletin
10-007
2010-0021 CVE 2010-0022 CVE
2010-0231)
versions): 971468
Windows 7 (all
versions):
971468
2008 (all
versions):
971468
2008.
Technical Details
Service: 445:TCP
Duplicate NTLM negotiation keys detected
vulnerable version of SMB Server (MS10-012) dated 2001-5-8
CVE: CVE-2010-0020 CVE-2010-0021
CVE-2010-0022 CVE-2010-0231
CVE-2010-1556
Impact
critical updates.
Update Name
Description
Multiple vulnerabilities (MS10-012) Fixes 4 vulnerabilities announced in
Microsoft bulletin MS10-012, the
most critical of which could allow
remote code execution. The
vulnerabilities are due to weak
entropy used in encryption, bounds
checking on path names, and null
pointers. (CVE 2010-0020 CVE
2010-0021 CVE 2010-0022 CVE
2010-0231)
28
Fix
2000 (all
versions):
971468
XP: 971468
2003 (all
versions):
971468
Vista (all
versions):
971468
Bulletin
10-007
Windows 7 (all
versions):
971468
2008 (all
versions):
971468
2008.
Technical Details
Service: netbios
srv.sys older than 2009-12-1
WINS Could Allow Remote Code Execution
CVE: CVE-2009-1923 CVE-2009-1924
CVE-2010-1556
Impact
A remote attacker could execute arbitrary code on the WINS server.
Resolution
Install the fix referenced in Microsoft Security Bulletin 09-039.
It is also advisable to use IPsec, block port 42 at the firewall, or disable WINS if it is not needed. These
workarounds are addressed in Microsoft Knowledge Base Article 890710.
The Remote Code Execution vulnerabilities were reported in Microsoft Security Bulletin 09-039.
Technical Details
Service: 42:TCP
Target running WINS service and accepts malformed requests
pointer corruption vulnerability in WINS replication service
CVE: CVE-2004-0567 CVE-2004-1080
CVE-2010-1556
Impact
A remote attacker could execute arbitrary code on the WINS server.
Resolution
Install the fix referenced in Microsoft Security Bulletin 09-039.
29
It is also advisable to use IPsec, block port 42 at the firewall, or disable WINS if it is not needed. These
workarounds are addressed in Microsoft Knowledge Base Article 890710.
The pointer corruption vulnerability in WINS replication was reported in Secunia Advisory SA13328. and
The name validation buffer overflow was reported in Microsoft Security Bulletin 04-045.
Technical Details
Service: wins
ASP.NET application folder information disclosure
Severity: Area of Concern
CVE: CVE-2006-1300 CVE-2010-1556
Impact
An attacker could gain unauthorized access to password-protected pages on the web server or create a
cross-site scripting attack.
Resolution
For ASP.NET version 2, the fixes described in Microsoft Security Bulletins 06-033 and 06-056 should also be
installed.
The Application folder information disclosure was reported in Microsoft Security Bulletin 06-033.
Technical Details
Service: 5406:TCP
Sent:
GET /app_code\invalid-file.txt HTTP/1.1
Host: 10.7.0.2:5406
User-Agent: Mozilla/4.0
Connection: Keep-alive
Received:
// res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm
Web server allows cross-site tracing
CVE: CVE-2010-1556
Impact
A malicious web site could cause a user to reveal sensitive information through a specially crafted link to the
vulnerable server.
Resolution
30
Cross-site tracing can be fixed by disabling the TRACE request method. If this is not an option for your web
server, install a vendor fix or use one of the following workarounds:
Microsoft IIS: Use URL Scan to filter both TRACE and TRACK requests.
Apache: Enable the mod_rewrite module, and add the following lines to the configuration file:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
iPlanet: Disabling the TRACE request method currently requires making a change to a shared object
library. See the White Paper for details.
BEA WebLogic Server and Express: Upgrade and apply the appropriate patch described in
the BEA Advisory BEA04-48.01.
Sun Java System Application Server Upgrade to enterprise edition 8.2 or higher when
available.
Sun Java System Application Server cross-site tracing was reported in Bugtraq ID 37995, and US-CERT
Vulnerability Note VU#867593.
Mac OS cross-site tracing was reported in Apple article HT3937.
Cross-site tracing was reported in a White Paper from White Hat Security.
Technical Details
Service: http
Sent:
TRACE / HTTP/1.0
Cookie: SAINTtest
Received:
Cookie: SAINTtest
DNS cache snooping vulnerability
CVE: CVE-2010-1556
Impact
An attacker could determine what Internet domains have been recently visited. Sensitive information, such as
what bank a company uses, could be inferred from this information.
Resolution
Follow the recommendations described in the paper DNS Cache Snooping.
More information on DNS Cache Snooping is available in the paper DNS Cache Snooping.
Technical Details
31
Service: domain
Received: 5 answers from remote DNS server
DNS server allows zone transfers
CVE: CVE-1999-0532 CVE-2010-1556
Impact
Attackers could collect information about the domain.
Resolution
Configure the primary DNS server to allow zone transfers only from secondary DNS servers. In BIND, this
can be done in an allow-transfer block in the options section of the named.conf file.
Information on DNS zone transfers can be found here.
Information on securing DNS can be found here.
Technical Details
Service: dns
Received:; <<>> DiG 9.5.0b2 <<>> @10.7.0.2 SAINTLAB.com axfr; (1 server found);; global options:
printcmdSAINTLAB.com.\x09\x093600\x09IN\x09SOA\x09saintlab02.SAINTLAB.com. admin. 38 900 600
86400
3600SAINTLAB.com.\x09\x09600\x09IN\x09A\x0910.7.0.2SAINTLAB.com.\x09\x093600\x09IN\x09NS\
x09saintlab02.SAINTLAB.com.440183c6-def4-4912-8f3d-1db3d6f4cdbf._msdcs.SAINTLAB.com. 600 IN
CNAME saintlab02.SAINTLAB.com._kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.SAINTLAB.com.
600 IN SRV 0 100 88 saintlab0
vulnerabilities in IIS 5
CVE: CVE-2000-0770 CVE-2001-0151
CVE-2001-0241 CVE-2001-0500
CVE-2001-0507 CVE-2002-0869
CVE-2002-1180 CVE-2002-1181
CVE-2002-1182 CVE-2003-0223
CVE-2003-0224 CVE-2003-0225
CVE-2003-0226 CVE-2006-0026
CVE-2010-1556
Impact
Resolutions
32
More information on the ASP upload vulnerability is available in Microsoft Security Bulletin 06-034.
More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09,
Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.
More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and
01-033, CERT advisories 2001-10 and 2001-13. General information on securing IIS 5.0 can be found in the
IIS 5 security checklist.
More information on the other vulnerabilities was reported in Microsoft Security Bulletins 00-057, 01-016, and
01-044.
Technical Details
Service: http
IIS 5 detected and KB917537 not applied
Microsoft IIS Authentication Method Disclosed
CVE: CVE-2002-0419 CVE-2010-1556
Impact
An attacker could determine which authentication scheme is required for confidential web pages. This can be
used for brute force attacks against known User IDs.
Resolutions
Use Fix information in Considerations for IIS authentication.
More information on the IIS Authorization method disclosure is available in Considerations for IIS
authentication.
Technical Details
Service: http
Sent:
GET / HTTP/1.1
Host: 10.7.0.2
Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=
Received:
401 Unauthorized returned indicating NTLM Authentication
33
Microsoft IIS WebDAV Request Directory Security Bypass
CVE: CVE-2009-1122 CVE-2009-1535
CVE-2010-1556
Impact
of ASP pages.
Resolutions
For the IIS WebDAV Authentication Bypass vulnerability, patch as designated in the Microsoft Security
Bulletin 09-020.
The IIS WebDAV Authentication Bypass vulnerability was reported in Microsoft Security Bulletin 09-020.
Technical Details
Service: http
Sent:
POST
/%25%34%39%25%34%39%25%35%33%25%34%31%25%36%34%25%36%64%25%36%39%25%36
%65%25%32%66%25%36%34%25%36%35%25%36%36%25%36%31%25%37%35%25%36%63%25%3
7%34%25%32%65%25%36%31%25%37%33%25%37%30%2500postinfo.html HTTP/1.0
IF:
Host: 10.7.0.2:80
Received:
HTTP/1.1 501 Not Implemented
Internet Explorer ADODB.Connection ActiveX Object Memory Corruption
CVE: CVE-2006-5559 CVE-2010-1556
Impact
A remote attacker could execute arbitrary commands on a client system when the client browses to a malicious
web site hosted by the attacker.
Resolution
To use Internet Explorer securely, take the following steps:
(The vulnerabilities in IE 8, Beta 1 have not yet been patched)
(The response splitting and smuggling related to setRequestHeader() has not yet been patched)
34
(The file focus stealing vulnerability has not yet been patched)
(The stack overflow vulnerability has not yet been patched.)
(The document.open spoofing vulnerability has not yet been patched.)
Install the appropriate cumulative patch for your version of Internet Explorer as outlined in Microsoft
Security Bulletin 07-009, Microsoft Security Bulletin 07-061, Microsoft Security Bulletin 08-022,
Microsoft Security Bulletin 08-032, Microsoft Security Bulletin 08-052, Microsoft Security Bulletin
09-045, Microsoft Security Bulletin 10-002, and Microsoft Security Bulletin 10-035.
Fix the Security Zone Bypass vulnerability (CVE-2010-0255) as described in Microsoft Security
Advisory (980088)
Prevent WPAD proxy server interception as described in Microsoft Knowledge Base Article 934864
Disable the Javaprxy.dll object
Disable the ADODB.Stream object
Disable the Shell.Explorer object
Instructions for disabling the ADODB.Stream object can be found in Microsoft Knowledge Base Article
870669. To disable the Shell.Explorer object, set the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}
Compatibility Flags = 400 (type dword, radix hex)
To disable the Javaprxy.dll object, install the update referenced in Microsoft Security Bulletin 05-037.
To fix the ADODB.connection vulnerability, install the fix at MS07-009. or mitigate the impact by setting the
kill bit for the following CLSID: 00000514-0000-0010-8000-00AA006D2EA4.
For more information on all Internet Explorer security fixes, see the Internet Explorer Critical Updates page.
For more information on specific vulnerabilities, see Microsoft Security Bulletins 03-004, 03-015, 03-020,
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Also see CERT advisories CA-2003-22, TA04-033A, TA04-163A, TA04-212A, TA04-293A, TA04-315A,
TA04-336A, TA05-165A, TA05-221A, and US-CERT Vulnerability Note VU#378604.
The IE 8, Beta 1 vulnerabilities were reported in Bugtraq ID 28580 and Bugtraq ID 28581.
Unfixed variants of the drag and drop vulnerability and the Shell.Explorer object were discussed in NTBugtraq
and Full Disclosure.
More information on the ADODB.connection vulnerability is reported in US-CERT Vulnerability Note
VU#589272 and Bugtraq ID 20704.
Technical Details
35
Service: netbios
msado15.dll older than 2006-12-15
Internet Explorer August 2006 CSU fixes
CVE: CVE-2004-1166 CVE-2006-3280
CVE-2006-3450 CVE-2006-3451
CVE-2006-3637 CVE-2006-3638
CVE-2006-3639 CVE-2006-3640
CVE-2010-1556
Impact
Resolution
Advisory (980088)
36
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
mshtml.dll older than 2006-6-28
Internet Explorer COM Objects Instantiation vulnerability
CVE: CVE-2006-4193 CVE-2006-4219
CVE-2010-1556
Impact
Resolution
Advisory (980088)
37
To mitigate the impact of the ActiveX instantiation heap memory corruption, set the kill bit for the following
CLSIDs:
3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D
4682C82A-B2FF-11D0-95A8-00A0C92B77A9
8E71888A-423F-11D2-876E-00A0C9082467
E2E9CAE6-1E7B-4B8E-BABD-E9BF6292AC29
233A9694-667E-11D1-9DFB-006097D50408
BE4191FB-59EF-4825-AEFC-109727951E42
6E3197A3-BBC3-11D4-84C0-00C04F7A06E5
606EF130-9852-11D3-97C6-0060084856D4
F849164D-9863-11D3-97C6-0060084856D4
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
More information on the ActiveX instantiation heap memory corruption may be found at XSec Security
Advisories: XSec-06-02, XSec-06-03, XSec-06-04, XSec-06-06, XSec-06-08.
Technical Details
Service: netbios
Internet Explorer COM object memory corruption
CVE: CVE-2005-2127 CVE-2010-1556
38
Impact
Resolution
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
39
Technical Details
Service: netbios
Internet Explorer Cascading Style Sheets vulnerability
CVE: CVE-2004-0216 CVE-2004-0727
CVE-2004-0839 CVE-2004-0841
CVE-2004-0842 CVE-2004-0843
CVE-2004-0844 CVE-2004-0845
CVE-2010-1556
Impact
Resolution
Advisory (980088)
40
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
urlmon.dll older than 2004-9-22
Internet Explorer Create Text Range code injection
CVE: CVE-2006-1185 CVE-2006-1186
CVE-2006-1188 CVE-2006-1189
CVE-2006-1190 CVE-2006-1191
CVE-2006-1192 CVE-2006-1245
CVE-2006-1359 CVE-2006-1388
CVE-2010-1556
Impact
Resolution
41
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Information on the createTextRange vulnerability may be found in Bugtraq ID 17196.
Technical Details
Service: netbios
Internet Explorer DHTML method memory corruption
CVE: CVE-2005-0053 CVE-2005-0054
CVE-2005-0055 CVE-2005-0056
CVE-2010-1556
42
Impact
Resolution
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
43
Technical Details
Service: netbios
Internet Explorer Exception Handling Memory Corruption vulnerability
CVE: CVE-2005-4089 CVE-2006-1303
CVE-2006-1626 CVE-2006-2218
CVE-2006-2382 CVE-2006-2383
CVE-2006-2384 CVE-2006-2385
CVE-2010-1556
Impact
Resolution
Advisory (980088)
44
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
Internet Explorer JPEG buffer overflow
CVE: CVE-2005-1988 CVE-2005-1989
CVE-2005-1990 CVE-2010-1556
Impact
Resolution
45
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
Internet Explorer JS remote code execution
CVE: CVE-2006-1313 CVE-2010-1556
Impact
Resolution
46
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
jscript.dll older than 2006-5-10
47
Internet Explorer JS stack overflow
CVE: CVE-2006-0753 CVE-2006-0830
CVE-2010-1556
Impact
Resolution
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
48
More information on the Stack overflow vulnerability may be found in Bugtraq ID 16687.
Technical Details
Service: netbios
Internet Explorer JavaScript vulnerability
CVE: CVE-2005-1790 CVE-2005-2829
CVE-2005-2830 CVE-2005-2831
CVE-2010-1556
Impact
Resolution
Advisory (980088)
49
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
The memory overflow error on the window() function is reported in a Computer Terrorism article.
Technical Details
Service: netbios
Internet Explorer Nested OBJECT tag memory corruption
CVE: CVE-2006-1992 CVE-2006-2094
CVE-2006-2111 CVE-2010-1556
Impact
Resolution
50
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
Internet Explorer PNG buffer overflow
CVE: CVE-2002-0648 CVE-2005-1211
CVE-2010-1556
Impact
51
Resolution
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
52
Technical Details
Service: netbios
Internet Explorer URL parsing buffer overflow
CVE: CVE-2005-0553 CVE-2005-0554
CVE-2005-0555 CVE-2010-1556
Impact
Resolution
Advisory (980088)
53
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
Internet Explorer VBScript and JScript decoding vulnerability
CVE: CVE-2008-0083 CVE-2010-1556
Impact
Resolution
Advisory (980088)
54
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
Internet Explorer VML Remote Code Execution
CVE: CVE-2006-4868 CVE-2010-1556
Impact
Resolution
55
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
More information on the VML buffer overflow may be found in Bugtraq ID 20096.
Technical Details
Service: netbios
vgx.dll older than 2006-9-15
Internet Explorer VML buffer overflow (MS07-004)
CVE: CVE-2007-0024 CVE-2010-1556
56
Impact
Resolution
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
57
Technical Details
Service: netbios
Internet Explorer vulnerable VML version dated 2001-5-8
CVE: CVE-2007-1749 CVE-2010-1556
Impact
Resolution
Advisory (980088)
58
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
Jscript.dll buffer overflow vulnerability
CVE: CVE-2009-1920 CVE-2010-1556
Impact
Resolution
Advisory (980088)
59
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
Windows 2000 IE6 VML vulnerable version, vgx.dll dated 2001-5-8
CVE: CVE-2007-5348 CVE-2008-3012
CVE-2008-3013 CVE-2008-3014
CVE-2010-1556
Impact
Resolution
60
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
61
WordPerfect Converter buffer overflow
CVE: CVE-2004-0573 CVE-2010-1556
Impact
An attacker could run commands on a user's computer if the user opens a malformed document.
Resolution
All Microsoft Office for Windows users should install the patches referenced in Microsoft Security Bulletins
08-044, 08-055, 08-069, 09-027, 09-060 (supersedes 08-015 for Outlook in Office XP and Office 2003),
10-038 (supersedes 10-017), 09-068, 09-073, 10-004, 10-003, 10-023, and 10-036.
Users of Microsoft Office Outlook 2007 should also install the patch referenced in Microsoft Security Bulletin
08-026.
Users of Microsoft Office 2000, 2002, and 2003 should also install the patches referenced in Microsoft Security
Bulletins 07-013, and 09-074.
Users of Visio 2002 and 2003 should upgrade to Visio 2007, and users of Visio 2007 should install the
patches referenced in Microsoft Security Bulletin 09-005, 09-060, and 10-028.
Visio 2002 users should upgrade to Visio 2007 and Office XP and Project 2002 users should install the patch
referenced in Microsoft Security Bulletin 05-005.
Microsoft Office X for Mac users should upgrade to Microsoft Office 2004.
Microsoft Office 2004 for Mac users should upgrade to 11.5.9 or higher.
Microsoft Office 2008 for Mac users should upgrade to 12.2.5 or higher.
For more information, see Microsoft Security Bulletins 04-027, 04-033, 05-005, 05-023, 05-035, 06-009,
06-010, 06-012, 06-027, 06-028, 06-037, 06-038, 06-039, 06-048, 06-054, 06-058, 06-059, 06-060, 06-061,
06-062, 07-001, 07-002, 07-013, 07-014, 07-015, 07-023, 07-024, 07-025, 07-030, 07-036, 07-037, 07-042,
07-043, 07-044, 07-060, 08-009, 08-012, 08-014, 08-016, 08-018, 08-019, 08-026, 08-027, 08-042, 08-043,
08-044, 08-051, 08-055, 08-057, 08-069, 08-072, 08-074, 09-005, 09-009, 09-010, 09-017, 09-021, 09-027,
09-030, 09-060, 09-067, 09-068, 09-073, 09-074, 10-004, 10-003, 10-017, 10-023, 10-028, 10-036, 10-038,
and 10-039.
Technical Details
Service: netbios
msconv97.dll older than 2004-2-23
Microsoft outlook ATL vulnerability (MS09-037)
CVE: CVE-2008-0015 CVE-2008-0020
CVE-2009-0901 CVE-2009-2493
CVE-2009-2494 CVE-2010-1556
Impact
62
A vulnerability could allow remote attackers to bypass security restrictions and execute remote code.
Resolution
Apply the appropriate patch as indicated in Microsoft Security Bulletin MS10-030.
Technical Details
Service: netbios
msoe.dll older than 2009-7-8
Outlook Express Could Allow Remote Code Execution (MS10-030)
CVE: CVE-2010-0816 CVE-2010-1556
Impact
A vulnerability could allow remote attackers to bypass security restrictions and execute remote code.
Resolution
Apply the appropriate patch as indicated in Microsoft Security Bulletin MS10-030.
Technical Details
Service: netbios
Microsoft SQL Server Distributed Management Objects Buffer Overflow
CVE: CVE-2007-4814 CVE-2010-1556
Impact
Vulnerabilities in Microsoft SQL Server could allow a remote attacker to execute arbitrary code or crash the
server. Furthermore, the server could be susceptible to the Slammer worm, which could cause a denial of
service or infection of other servers.
Resolution
Install the appropriate cumulative patch for your version of Microsoft SQL Server as outlined in Microsoft
Security Bulletin 09-004, and Microsoft Security Bulletin 08-040.
To mitigate the impact of the ActiveX vulnerability, set the kill bit for the following CLSID:
10020100-E260-11CF-AE68-00AA004A34D5.
For SQL Server 7.0, install the SQL Server cumulative security patch referenced in Microsoft Security
Bulletin 03-031. For SQL Server 2000 or MSDE 2000, install SQL Server 2000 Service Pack 3 or 3a or
higher and the SQL Server cumulative security patch referenced in Microsoft Security Bulletin 03-031, and
install Microsoft Jet 4.0 Service Pack 6.
63
For more information, see CERT Advisory 2002-22, which summarizes a number of Microsoft SQL Server
vulnerabilities.
For details on specific vulnerabilities, see Microsoft Security Bulletins 09-004, 08-052, 08-040, 03-031, 02-061,
02-056, 02-043, 02-040, 02-039, 02-038, 02-034, 02-030, 02-020, 02-007, 01-060, 01-032, 00-092, 00-048,
00-041, 00-035, 00-014, 99-059, CIAC Bulletins M-094 and K-026, and NGSSoftware Advisories
#NISR25072002 and #NISR22002002A.
The Distributed Management Objects ActiveX Buffer Overflow was reported in Bugtraq ID 25594.
Technical Details
Service: netbios
sqldmo.dll older than 2007-2-11
Microsoft SQL Server vulnerable version, sqlservr.exe dated 2000-8-6
CVE: CVE-2007-5348 CVE-2008-3012
CVE-2008-3013 CVE-2008-3014
CVE-2008-3015 CVE-2010-1556
Impact
Resolution
vulnerabilities.
02-056, 02-043, 02-040, 02-039, 02-038, 02-034, 02-030, 02-020, 02-007, 01-060, 01-032, 00-092, 00-048,
#NISR25072002 and #NISR22002002A.
Technical Details
Service: netbios
sqlservr.exe older than 2008-8-2
64
Telnet Authentication Reflection
CVE: CVE-2009-1930 CVE-2010-1556
Impact
A remote user could execute arbitrary commands on the server, cause the telnet server to stop responding, or
gain information that could be used in an attempt to find Guest accounts.
Resolution
Apply the patches referenced in Microsoft Security Bulletins 09-042, 01-031 and 02-004.
For more information, see Microsoft Security Bulletins 09-042, 01-031 and 02-004.
Technical Details
Service: netbios
telnet.exe older than 2009-1-1
Outlook Express Contact Record vulnerability
CVE: CVE-2006-2386 CVE-2010-1556
Impact
There are several vulnerabilities in e-mail clients, the most severe of which could allow a remote attacker to
execute arbitrary commands by sending a specially crafted e-mail message.
Resolution
Install the patches referenced in Microsoft Security Bulletin 01-038 and 08-015 for Outlook. Also, for Outlook
2002, install the patches referenced in 02-067, 03-003, and 04-009, or Office XP service pack 3.
For Outlook Express:
Install the patches referenced in Microsoft Security Bulletin 07-034 and 07-056.
Windows XP users should also install patch 900930 for Outlook Express.
05-030, 06-003, 06-016, 06-043, 06-076, 07-003, 07-034, 07-056, and 08-015, US-CERT Alert TA04-070A,
and Microsoft Knowledge Base Article 900930.
Technical Details
Service: netbios
Inetcomm.dll older than 2006-11-1
Outlook Express Windows Address Book vulnerability
CVE: CVE-2006-0014 CVE-2010-1556
65
Impact
Resolution
Technical Details
Service: netbios
Outlook Express vulnerable version, inetcomm.dll dated 2001-5-8
CVE: CVE-2006-2111 CVE-2007-2225
CVE-2007-2227 CVE-2007-3897
CVE-2010-1556
Impact
Resolution
Technical Details
66
Service: netbios
Microsoft VB6 FlexGrid ActiveX control vulnerable version dated 1999-9-7
CVE: CVE-2008-4253 CVE-2010-1556
Impact
Vulnerabilities in Microsoft Visual Studio allow for execution of arbitrary code by processing a malformed dbp,
rtf or sln file. Also, an ActiveX component allows for crafted web pages to cause remote code execution.
Resolution
To mitigate the impact of the Microsoft VB6 ActiveX vulnerabilities, set the kill bit for the following CLSID:
msdatgrd.ocx = CDE57A43-8B86-11D0-B3C6-00A0C90AEA82,
msflxgrd.ocx = 6262d3a0-531b-11cf-91f6-c2863c385e30,
mshflxgd.ocx = 0ECD9B64-23AA-11d0-B351-00A0C9055D8E,
mscomct2.ocx = B09DE715-87C1-11d1-8BE3-0000F8754DA1,
mschrt20.ocx = 3A2B370C-BA0A-11d1-B137-0000F8753F5D or
update as referenced in Microsoft Security Bulletin 08-070.
The Microsoft VB6 ActiveX vulnerabilities were reported in Microsoft Security Bulletin 08-070.
Technical Details
Service: netbios
MSFLXGRD.OCX older than 2008-10-8
Elevation of Privilege Vulnerabilities in Windows (MS09-012)
CVE: CVE-2008-1436 CVE-2009-0078
CVE-2010-1556
Impact
critical updates.
67
Update Name
Description
Elevation of Privilege Vulnerabilities Fixes multiple privilege elevation
in Windows
vulnerabilities. (CVE 2008-4036
CVE 2008-1436 CVE 2009-0078
CVE 2009-0079 CVE 2009-0080 )
Fix
2000: 952004
XP: 952004
2003: 952004
Vista: 952004
2008: 952004
Bulletin
08-064
09-012
2008.
Technical Details
Service: netbios
msdtcprx.dll older than 2008-6-24
Elevation of Privilege Vulnerabilities in Windows (MS10-015)
CVE: CVE-2010-0232 CVE-2010-0233
CVE-2010-1556
Impact
critical updates.
Update Name
Description
Windows kernel vulnerable version Fixes multiple vulnerabilities which
allow authenticated users to elevate
privileges on Windows 2000,
Windows XP, Windows Server
2003, Windows Vista, Windows
Server 2008, and Windows 7.
(CVE 2009-2515 CVE 2009-2516
CVE 2009-2517 CVE 2010-0232
CVE 2010-0233 )
68
Fix
2000: 977165
XP: 977165
2003: 977165
Vista: 977165
2008: 977165
Windows 7:
977165
Bulletin
09-058
10-015
2008.
Technical Details
Service: netbios
ntoskrnl.exe older than 2009-12-7
Jet Database Engine vulnerable version, msjet40.dll dated 2001-5-8
CVE: CVE-2005-0944 CVE-2007-6026
CVE-2008-1092 CVE-2010-1556
Impact
critical updates.
Update Name
Jet Database Engine vulnerable
version
Description
allow an attacker to execute
arbitrary code by enticing a target
user to open a crafted MDB file.
(CVE 2007-6026 CVE 2008-1092 )
Fix
2000: 950749
XP: 950749
2003 SP1:
950749
Bulletin
08-028,
US-CERT
Vulnerability Note
VU#936529
2008.
Technical Details
Service: netbios
Msjet40.dll older than 2008-3-1
Kodak Image Viewer remote code execution
69
CVE: CVE-2007-2217 CVE-2010-1556
Impact
critical updates.
Update Name
Kodak Image Viewer remote code
execution
Description
Fixes a vulnerability in the Kodak
Image Viewer that allows for
remote code execution when
viewing a crafted file. (CVE
2007-2217)
Fix
2000: 923810
XP: 923810
2003: 923810
Bulletin
07-055
2008.
Technical Details
Service: netbios
kodakimg.exe older than 2007-5-1
Microsoft Agent ACF memory corruption
CVE: CVE-2006-3445 CVE-2010-1556
Impact
70
critical updates.
Update Name
Microsoft Agent ACF memory
corruption
Description
Fix
Microsoft Agent vulnerability causing 2000: 920213
remote code execution through
XP: 920213
read of crafted .ACF files read in
2003: 920213
web page. (CVE 2006-3445)
Bulletin
06-068
2008.
Technical Details
Service: netbios
agentdpv.dll older than 2006-8-17
Microsoft Agent URL parsing vulnerability
CVE: CVE-2007-1205 CVE-2010-1556
Impact
critical updates.
Update Name
Microsoft Agent URL parsing
vulnerability
Description
Fixes a vulnerability in Microsoft
Agent that allows remote code
execution when reading a crafted
URL (CVE 2007-1205)
Fix
2000: 932168
XP: 932168
2003: 932168
Bulletin
07-020
71
2008.
Technical Details
Service: netbios
Microsoft Agent vulnerable version, agentdpv.dll dated 2001-5-8
CVE: CVE-2007-3040 CVE-2010-1556
Impact
critical updates.
Update Name
Microsoft Agent ActiveX remote
code execution
Description
Fix
Fixes an additional vulnerability in 2000: 938827
Microsoft Agent that allows remote
code execution when reading a
crafted URL. (CVE 2007-3040)
Bulletin
07-051
2008.
Technical Details
Service: netbios
Microsoft Data Access Component vulnerability
CVE: CVE-2006-0003 CVE-2010-1556
Impact
72
critical updates.
Update Name
Description
Microsoft Data Access Component A remote code execution
vulnerability
vulnerability exists in the
RDS.Dataspace ActiveX control in
ADO distributed in MDAC.
Opening a file provided by an
attacker (Mail or Website) allows an
attacker to execute code with the
rights of that user. (CVE
2006-0003)
Fix
Bulletin
2000: 911562
06-014
XP: 911562
2003: 911562 or
SP2
2008.
Technical Details
Service: netbios
msadco.dll older than 2006-2-15
Microsoft Image Color Management System vulnerable version, mscms.dll dated 2001-5-8
CVE: CVE-2008-2245 CVE-2010-1556
Impact
critical updates.
73
Update Name
Description
Microsoft Image Color Management Fixes a vulnerability which could
System vulnerable version
allow remote command execution
on Windows 2000, Windows XP
and Windows Server 2003. (CVE
2008-2245)
Fix
2000: 952954
XP: 952954
2003: 952954
Bulletin
08-046
2008.
Technical Details
Service: netbios
Mscms.dll older than 2008-6-23
Microsoft Paint Integer Overflow vulnerability
CVE: CVE-2010-0028 CVE-2010-1556
Impact
critical updates.
Update Name
Microsoft Paint Integer Overflow
vulnerability
Description
Fix
2000: 978706
vulnerability if a user viewed a
XP: 978706
specially crafted JPEG image file
(32-bit), 978706
using Microsoft Paint in Windows
(64-bit)
2000, XP and Server 2003. An
2003: 978706
attacker who successfully exploited (32-bit), 978706
this vulnerability could take complete (64-bit), 978706
control of an affected system and
(Itanium)
74
Bulletin
10-005
could then install programs; view,
change, or delete data; or create
new accounts. (CVE 2010-0028)
2008.
Technical Details
Service: netbios
mspaint.exe older than 2009-12-27
Microsoft Windows DHTML remote code execution vulnerability (MS09-046)
CVE: CVE-2009-2519 CVE-2010-1556
Impact
critical updates.
Update Name
DHTML Editing Component
ActiveX Control Vulnerability
Description
vulnerability in the DHTML Editing
Component ActiveX Control
brought on by users visiting a
specially crafted web page. (CVE
2009-2519)
Fix
Windows
2000:956844
Windows
XP:956844
(32-bit), 956844
(64-bit)
Windows
2003:956844
(32-bit), 956844
(64-bit), 956844
(Itanium)
Bulletin
09-046
75
2008.
Technical Details
Service: netbios
triedit.dll older than 2009-8-1
Microsoft Windows vulnerable version, msconv97.dll dated 2001-5-8
CVE: CVE-2009-2506 CVE-2010-1556
Impact
critical updates.
Update Name
WordPad and Text converters
remote code execution
Description
Fixes Microsoft WordPad and
Microsoft Office text converters
memory corruption. (CVE
2008-4841 CVE 2009-0087 CVE
2009-0235 CVE 2009-2506)
Fix
2000: 973904
XP: 973904
2003: 973904
Bulletin
09-010
09-073
2008.
Technical Details
Service: netbios
msconv97.dll older than 2009-8-20
NetBIOS Name Service information disclosure
CVE: CVE-2003-0661 CVE-2010-1556
Impact
76
critical updates.
Update Name
NetBIOS Name Service
information disclosure
Description
Fixes an Information Disclosure
vulnerability which could allow an
attacker to receive random data
from the target system's memory.
(CVE 2003-0661)
Fix
NT: 824105
2000: 824105
XP: 824105
2003: 824105
Bulletin
03-034
2008.
Technical Details
Service: 137:UDP
vulnerability in NetBT Name Service
Vulnerability in the OpenType Compact Font Format Driver Could Allow Elevation of Privilege
CVE: CVE-2010-0819 CVE-2010-1556
Impact
critical updates.
77
Update Name
Vulnerability in the OpenType
Compact Font Format Driver
Could Allow Elevation of Privilege
Description
Fixes a vulnerability in the Windows
OpenType Compact Font Format
(CFF) driver. The vulnerability
could allow elevation of privilege if a
user views content rendered in a
specially crafted CFF font. An
attacker must have valid logon
credentials and be able to log on
locally to exploit this vulnerability.
The vulnerability could not be
exploited remotely or by
anonymous users. (CVE
2010-0819)
Fix
2000: 980218
XP: 980218
2003: 980218
Vista: 980218
2008: 980218
Windows 7:
980218
Bulletin
10-037
2008.
Technical Details
Service: netbios
atmfd.dll older than 2010-4-12
Vulnerable MFC Library FileFind Class file mfc42.dll
CVE: CVE-2007-4916 CVE-2010-1556
Impact
critical updates.
Update Name
Class file Heap Overflow
Description
A Heap Overflow exists in the
Microsoft Windows MFC Shared
Library - FileFind Class. (CVE
2007-4916)
78
Fix
To mitigate the
impact of the
known ActiveX
vector to this
Bulletin
US-CERT
Vulnerability Note
VU#611008
vulnerability, set
the kill bit for the
following CLSID:
F3F381A3-479541FF-8190-7AA2
A8102F85.
2008.
Technical Details
Service: netbios
mfc42.dll older than 2007-1-1
Vulnerable MFC Library FileFind Class file mfc42u.dll
CVE: CVE-2007-4916 CVE-2010-1556
Impact
critical updates.
Update Name
Class file Heap Overflow
Description
A Heap Overflow exists in the
Microsoft Windows MFC Shared
Library - FileFind Class. (CVE
2007-4916)
79
Fix
To mitigate the
impact of the
known ActiveX
vector to this
vulnerability, set
the kill bit for the
following CLSID:
F3F381A3-479541FF-8190-7AA2
A8102F85.
Bulletin
US-CERT
Vulnerability Note
VU#611008
2008.
Technical Details
Service: netbios
mfc42u.dll older than 2007-1-1
Windows 2000 GDI vulnerable version, gdi32.dll dated 2001-5-8
CVE: CVE-2008-1083 CVE-2008-1087
CVE-2008-2249 CVE-2008-3465
CVE-2010-1556
Impact
critical updates.
Update Name
Windows GDI remote code
execution
Description
Fix
Fixes several vulnerabilities:(1) stack2000: 956802
overflow vulnerability in the way
XP: 956802
Graphics Device Interface (GDI)
2003: 956802
handles filename parameters in
Vista: 956802
EMF image files; (CVE 2008-1087) 2008: 956802
(2) heap overflow vulnerability in the
way GDI handles integer
calculations;(CVE 2008-1083) (3)
remote code execution vulnerability
in the way that GDI handles
integer calculations;(CVE
2008-2249) (4) remote code
execution vulnerability in the way
that GDI handles file size
parameters in WMF files.(CVE
2008-3465)
80
Bulletin
08-071 08-021
2008.
Technical Details
Service: netbios
Windows Authenticode Signature Verification (MS10-019) version, wintrust.dll dated 2001-5-8
CVE: CVE-2010-0486 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Windows Authenticode Verification Fixes vulnerabilities which could
allow remote code execution when
a user modifies an existing signed
executable file. (CVE 2010-0486
CVE 2010-0487 )
81
Fix
Bulletin
For
10-019
Authenticode
Signature
Verification:
2000 978601
XP 978601
XP x64 978601
2003 978601
2003 x64
978601
Vista 978601
Vista x64
978601
2008 978601
2008 x64
978601
Windows 7
978601
Windows 7 x64
978601
Server 2008
R2 x64 978601
For Cabinet
File Viewer:
2000 979309
XP 979309
XP x64 979309
2003 979309
2003 x64
979309
Vista 979309
Vista x64
979309
2008 979309
2008 x64
979309
Windows 7
979309
Windows 7 x64
979309
Server 2008
R2 x64 979309
2008.
Technical Details
Service: netbios
wintrust.dll older than 2009-12-21
Windows CSRSS Local (MS10-011) vulnerable version, csrsrv.dll dated 2001-5-8
CVE: CVE-2010-0023 CVE-2010-1556
Impact
critical updates.
82
Update Name
CSRSS Local Privilege Elevation
Description
Fixes a vulnerability in Client
/Server Run-time Subsystem
(CSRSS). (CVE 2010-0023)
Fix
Bulletin
2000: 978037
10-011
XP: 978037
, 978037 (64-bit)
2003: 978037
, 978037 (64-bit)
2008.
Technical Details
Service: netbios
csrsrv.dll older than 2009-12-13
Windows CSRSS remote code execution
CVE: CVE-2006-6696 CVE-2006-6797
CVE-2010-1556
Impact
critical updates.
Update Name
Windows CSRSS remote code
execution
Description
Fixes vulnerabilities in the Windows
Client/Server Run-time Subsystem
(CSRSS) that include remote code
execution. (CVE 2006-6696 CVE
2006-6797 CVE 2007-1209)
Fix
2000: 930178
XP: 930178
2003: 930178
Vista: 930178
Bulletin
07-021
2008.
83
Technical Details
Service: netbios
winsrv.dll older than 2007-3-11
Windows Cabinet File Viewer (MS10-019) version, cabview.dll dated 2001-5-8
CVE: CVE-2010-0487 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Windows Authenticode Verification Fixes vulnerabilities which could
a user modifies an existing signed
executable file. (CVE 2010-0486
CVE 2010-0487 )
84
Fix
Bulletin
For
10-019
Authenticode
Signature
Verification:
2000 978601
XP 978601
XP x64 978601
2003 978601
2003 x64
978601
Vista 978601
Vista x64
978601
2008 978601
2008 x64
978601
Windows 7
978601
Windows 7 x64
978601
Server 2008
R2 x64 978601
For Cabinet
File Viewer:
2000 979309
XP 979309
XP x64 979309
2003 979309
2003 x64
979309
Vista 979309
Vista x64
979309
2008 979309
2008 x64
979309
Windows 7
979309
Windows 7 x64
979309
Server 2008
R2 x64 979309
2008.
Technical Details
Service: netbios
cabview.dll older than 2010-1-11
Windows DNS Client Spoofing vulnerability
CVE: CVE-2008-1447 CVE-2010-1556
Impact
critical updates.
Update Name
Windows DNS Client Spoofing
vulnerability
Description
Fix
Fixes a vulnerability in the Windows 2000: 951748
DNS client. This vulnerability could XP: 951748
85
Bulletin
08-037
allow a remote unauthenticated
2003: 951748
attacker to quickly and reliably spoof
responses and insert records into
the client cache, thereby redirecting
Internet traffic. (CVE 2008-1447)
2008.
Technical Details
Service: netbios
Windows DNS Server Spoofing vulnerability
CVE: CVE-2008-1447 CVE-2008-1454
CVE-2010-1556
Impact
critical updates.
Update Name
Windows DNS Server Spoofing
vulnerability
Description
Fixes two vulnerabilities in the
Windows DNS Server. The
vulnerabilities could allow spoofing
by poisoning the DNS cache.
(CVE 2008-1447 CVE 2008-1454)
Fix
2000: 951746
2003: 951746
2008: 951746
Bulletin
08-037
2008.
Technical Details
86
Service: netbios
Dns.exe older than 2008-5-31
Windows DNS Spoofing vulnerability
CVE: CVE-2008-0087 CVE-2010-1556
Impact
critical updates.
Update Name
Windows DNS Spoofing Attack
vulnerability
Description
DNS client that leads to a lack of
entropy in the randomness of the
choice of transaction IDs which
could allow an attacker to send
malicious responses to DNS
requests. (CVE 2008-0087)
Fix
2000: 945553
XP: 945553
2003: 945553
Vista: 945553
Bulletin
08-020
2008.
Technical Details
Service: netbios
Windows DirectShow AVI Filter buffer overflow
CVE: CVE-2010-0250 CVE-2010-1556
Impact
87
critical updates.
Update Name
DirectShow AVI buffer overflow
Description
Fixes vulnerabilities in DirectShow
which could allow code execution
when a user opens a crafted AVI
file. (CVE 2010-0250)
Fix
977914 and
975560
Bulletin
10-013
2008.
Technical Details
Service: netbios
avifil32.dll older than 2009-11-22
Windows Embedded OpenType Font Engine Vulnerability
CVE: CVE-2010-0018 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Fix
88
Bulletin
Windows Embedded OpenType
Font Engine Vulnerability
vulnerability in windows 2000, 2003,
XP, VISTA, 7 and Server 2008.
The vulnerability exists due to the
way Windows Embedded
OpenType (EOT) Font Engine
decompresses specially crafted
EOT fonts. (CVE 2010-0018)
2000: 972270
2003: 972270
(32-bit), 972270
(64-bit)
XP: 972270
(32-bit), 972270
(64-bit)
Vista: 972270
(32-bit), 972270
(64-bit)
Windows 7:
972270
2008: 972270
(32-bit), 972270
(64-bit)
10-001
2008.
Technical Details
Service: netbios
fontsub.dll older than 2009-10-13
Windows GDI image handling buffer overflow
CVE: CVE-2007-3034 CVE-2010-1556
Impact
critical updates.
Update Name
Windows GDI image handling
buffer overflow
Description
graphics device interface allowing
command execution when a
specially crafted image is rendered.
89
Fix
2000: 938829
XP: 938829
2003: 938829
Bulletin
07-046
(CVE 2007-3034)
2008.
Technical Details
Service: netbios
Windows Help File Handling Heap Buffer Overflow
CVE: CVE-2007-1912 CVE-2010-1556
Impact
critical updates.
Update Name
Windows Help File Handling Heap
Buffer Overflow
Description
Fix
Windows 2000, XP, and 2003 are
affected by a heap overflow issue
when handling a specially crafted
Windows Help (.hlp) file containing a
malicious bitmap. (CVE 2007-1912)
Bulletin
Bugtraq ID
23382
2008.
Technical Details
Service: netbios
winhlp32.exe older than 2005-4-1
Windows Help File Image Processing Heap Buffer Overflow
90
CVE: CVE-2006-1591 CVE-2010-1556
Impact
critical updates.
Update Name
Windows Help File Image
Processing Heap Buffer Overflow
Description
Fix
Windows 2000, XP, and 2003 are
affected by a heap overflow issue
when handling a specially crafted
Windows Help (.hlp) file containing a
malicious image. (CVE 2006-1591)
Bulletin
Bugtraq ID
17325
2008.
Technical Details
Service: netbios
winhlp32.exe older than 2003-1-1
Windows Internet Authentication Service vulnerabilities
CVE: CVE-2009-3677 CVE-2010-1556
Impact
91
critical updates.
Update Name
Windows Internet Authentication
Service vulnerabilities
Description
Fix
Fixes vulnerabilities in the Windows 2000: 974318
PEAP and MS-CHAPv2 protocol
XP: 974318
implementations, which could lead to2003: 974318
remote code execution in Windows Vista: 974318
2008, privilege elevation in other
2008: 974318
server operating systems, and
potential vulnerabilities in
workstations. (CVE 2009-2505
CVE 2009-3677)
Bulletin
09-071
2008.
Technical Details
Service: netbios
rastls.dll older than 2009-10-7
Windows Kernel privilege elevation (ms06-049) vulnerability
CVE: CVE-2006-3444 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Windows Kernel privilege elevation Fixes a vulnerability that allows an
vulnerability
attacker who has successfully
logged into the system to take
92
Fix
2000: 920958
Bulletin
06-049
control of a host. Note: Different
than MS05-055. (CVE 2006-3444)
2008.
Technical Details
Service: netbios
Ntoskrnl.exe older than 2006-6-14
Windows Kernel privilege elevation (ms07-022) vulnerability
CVE: CVE-2007-1206 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Windows Kernel privilege elevation Fixes a vulnerability that allows an
vulnerability
attacker who has successfully
logged into the system to take
control of a host. Note: Different
than MS05-055 and MS06-049.
(CVE 2007-1206)
Fix
2000: 931784
XP: 931784
2003: 931784
Bulletin
07-022
2008.
Technical Details
Service: netbios
93
Windows Kernel privilege elevation vulnerability
CVE: CVE-2005-2827 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Fix
Windows Kernel privilege elevation Fixes a vulnerability in the Windows 2000: 908523
vulnerability
2000 Kernel that allows an attacker
who has successfully logged into
the system to take control of a
host. (CVE 2005-2827)
Bulletin
05-055
2008.
Technical Details
Service: netbios
Windows LSASS IPSEC Denial-of-Service Vulnerability
CVE: CVE-2009-3675 CVE-2010-1556
Impact
94
critical updates.
Update Name
Windows LSASS IPSEC
Denial-of-Service Vulnerability
Description
Fixes a vulnerability in the Local
Security Authority Subsystem
Service (LSASS) which could allow
a denial of service. (CVE
2009-3675)
Fix
2000: 974392
2003: 974392
(32-bit), 974392
(64-bit), 974392
(Itanium)
XP: 974392
(32-bit), 974392
(64-bit)
Bulletin
09-069
2008.
Technical Details
Service: netbios
oakley.dll older than 2009-10-7
CVE: CVE-2007-5352 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Fix
Fixes a vulnerability that could allow 2000: 943485
an attacker to gain elevated
XP: 943485
95
Bulletin
08-002
privileges. (CVE 2007-5352)
2003: 943485
2008.
Technical Details
Service: netbios
lsasrv.dll older than 2007-10-13
Windows MPEG layer 3 codec vulnerable version, l3codecx.ax dated 2001-5-8
CVE: CVE-2010-0480 CVE-2010-1556
Impact
critical updates.
Update Name
Windows MPEG layer 3 codec
vulnerable
Description
Fixes remote code execution
vulnerability in MPEG Layer-3
codecs. (CVE 2010-0480)
Fix
2000: 977816,
XP: 977816
(32-bit), 977816
(64-bit), 2003:
977816 (32-bit),
977816 (64-bit),
VISTA: 977816
(32-bit), 977816
(64-bit), 2008:
977816 (32-bit),
977816 (64-bit)
Bulletin
10-026
2008.
96
Technical Details
Service: netbios
l3codecx.ax older than 2010-1-19
Windows Media Player plug-in EMBED vulnerability
CVE: CVE-2006-0005 CVE-2010-1556
Impact
critical updates.
Update Name
Windows Media Player plug-in
EMBED vulnerability
Description
Fix
Fixes a buffer overflow which could 911564
allow command execution when a
user plays media files through
non-Microsoft browsers. (CVE
2006-0005)
Bulletin
06-006
2008.
Technical Details
Service: netbios
npdsplay.dll older than 2005-11-29
Windows Media decompression vulnerabilities
CVE: CVE-2010-1556 CVE-2010-1879
CVE-2010-1880
Impact
97
critical updates.
Update Name
Windows Media decompression
vulnerabilities
Description
Fix
Fixes multiple vulnerabilities in
10-033
DirectX, Windows Media Format
and Encoder, and Asycfilt.dll
allowing command execution when
invalid compression data in media
files is processed. (CVE 2010-1879
CVE 2010-1880)
Bulletin
10-033
2008.
Technical Details
Service: netbios
asycfilt.dll older than 2010-3-7
Windows OLE Automation remote code execution vulnerability
CVE: CVE-2007-0065 CVE-2007-2224
CVE-2010-1556
Impact
critical updates.
98
Update Name
Windows OLE Automation remote
code execution
Windows OLE Automation Heap
Overrun
Description
Fixes a vulnerability in the OLE
automation which allowed for
remote code execution on
processing of a crafted file. (CVE
2007-2224)
Fixes a heap-based buffer overflow
in Object Linking and Embedding
(OLE) automation that could allow
remote attackers to execute
arbitrary code via a crafted request.
(CVE 2007-0065)
Fix
2000: 921503
XP: 921503
2003: 921503
Bulletin
07-043
2000: 943055
XP: 943055
2003: 943055
Vista: 943055
08-008
2008.
Technical Details
Service: netbios
oleaut32.dll older than 2007-12-4
Windows RPC Marshalling Engine vulnerability
CVE: CVE-2009-0568 CVE-2010-1556
Impact
critical updates.
Update Name
Windows RPC Marshalling Engine
vulnerability
Description
Fixes an elevation of privilege
vulnerability by correcting the way
RPC Marshalling Engine updates
its internal state. (CVE 2009-0568)
99
Fix
2000: 970238
XP: 970238
2003: 970238
Vista: 970238
Bulletin
09-026
2008: 970238
2008.
Technical Details
Service: netbios
Windows SMB Client vulnerabilities (MS10-020)
CVE: CVE-2009-3676 CVE-2010-0269
CVE-2010-0270 CVE-2010-0476
CVE-2010-0477 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Windows SMB Client vulnerabilities Fixes vulnerabilities which could
a user initiates an SMB connection
with a malicious server. (CVE
2009-3676 CVE 2010-0269 CVE
2010-0270 CVE 2010-0476 CVE
2010-0477)
100
Fix
Bulletin
2000: 980232
10-020
XP: 980232,
980232 (64-bit)
2003: 980232,
980232 (64-bit),
980232 (Itanium)
Vista: 980232,
980232 (64-bit)
2008: 980232,
980232 (64-bit),
980232 (Itanium)
Windows 7:
980232, 980232
(64-bit)
2008 R2:
980232 (64-bit),
980232 (Itanium)
2008.
Technical Details
Service: netbios
mrxsmb.sys older than 2010-2-22
Windows SMB Remote Code Execution
CVE: CVE-2008-4038 CVE-2010-1556
Impact
critical updates.
Update Name
Windows SMB Remote Code
Execution
Description
Fixes a vulnerability in Microsoft
Server Message Block (SMB)
Protocol. The vulnerability could
allow remote code execution on a
server that is sharing files or
folders. An attacker who
successfully exploited this
vulnerability could install programs;
view, change, or delete data; or
create new accounts with full user
rights. (CVE 2008-4038)
Also fixes other two vulnerabilities.
A null pointer dereference in
srv.sys allows an attacker to
remotely crash the system. A
validated attacker can execute code
as administrator. (CVE 2006-3942
CVE 2006-4696)
101
Fix
2000: 957095
XP: 957095
2003: 957095
Vista: 957095
2008: 957095
Bulletin
08-063
06-063
2008.
Technical Details
Service: netbios
srv.sys older than 2008-8-27
Windows Services for UNIX setuid privilege elevation
CVE: CVE-2007-3036 CVE-2010-1556
Impact
critical updates.
Update Name
Windows Services for UNIX 3.0
and 3.5, and Subsystem for
UNIX-based Applications setuid
privilege elevation
Description
Fix
Fixes a vulnerability in Windows
WS UNIX 3.0:
Services for UNIX where running
939778
certain setuid binary files could allow WS UNIX 3.5:
an attacker to gain elevated
938827
privileges. (CVE 2007-3036)
SfUA 2003:
938827
SfUA VISTA:
938827
Bulletin
07-053
2008.
Technical Details
Service: netbios
102
posix.exe older than 2007-6-30
Windows Shell Handler vulnerability
CVE: CVE-2010-0027 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Fix
Windows Shell Handler vulnerability Fixes a remote code execution
2000: 975713
vulnerability in Windows 2000, XP XP: 975713
and Server 2003; if an application (32-bit), 975713
such as a Web browser passes
(64-bit)
specially crafted data to the
2003: 975713
ShellExecute API function through (32-bit), 975713
the Windows Shell Handler. An
(64-bit), 975713
attacker who successfully exploited (Itanium)
this vulnerability could take complete
control of an affected system.
(CVE 2010-0027)
Bulletin
10-007
2008.
Technical Details
Service: netbios
shlwapi.dll older than 2009-10-14
Windows VB script vulnerable version, vbscript.dll dated 2001-5-8
CVE: CVE-2010-0483 CVE-2010-1556
Impact
103
critical updates.
Update Name
Windows VB script vulnerable
Description
Fix
Bulletin
Fixes remote code execution
Apply the
10-022
vulnerability which exists due to the appropriate patch
way VB Script interacts with help
files in Internet Explorer. (CVE
2010-0483)
2008.
Technical Details
Service: netbios
vbscript.dll older than 2010-3-10
Windows WMA Voice codec vulnerability
CVE: CVE-2009-0555 CVE-2009-2525
CVE-2010-1556
Impact
critical updates.
104
Update Name
Windows WMA Voice codec
vulnerability
Description
Fixes vulnerabilities in Windows
Media Runtime that could allow
remote code execution (CVE
2009-0555 CVE 2009-2525)
Fix
Bulletin
2000, XP and
09-051
2003 (Voice
codec): 969878
2000 WMF 9:
954155
2000 WMP 9:
975025
2000, XP and
2003 (Decoder):
969878
XP SP2 WMF
9, 9.5 and 11:
954155
XP
(Compression
Manager):
975025
2000 WMP 9:
975925
2008.
Technical Details
Service: netbios
msaud32.acm older than 2009-8-25
Windows atl.dll vulnerable (MS09-037)
CVE: CVE-2008-0015 CVE-2008-0020
CVE-2009-0901 CVE-2009-2493
CVE-2009-2494 CVE-2010-1556
Impact
critical updates.
105
Update Name
Description
Multiple Windows ATL vulnerability Fixes multiple vulnerabilities in
Windows Active Template Library
that could allow an attacker to
execute arbitrary code. (CVE
2008-0015 CVE 2008-0020 CVE
2009-0901 CVE 2009-2493 CVE
2009-2494)
Fix
Bulletin
Outlook:973354 09-037
Media
09-055
Player:973540
ATL
Component:973
507
DHTML
Component:973
869
ActiveX:
973525
2008.
Technical Details
Service: netbios
atl.dll older than 2009-7-15
Windows dhtmled.ocx vulnerable (MS09-037)
CVE: CVE-2008-0015 CVE-2008-0020
CVE-2009-0901 CVE-2009-2493
CVE-2009-2494 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Fix
106
Bulletin
Multiple Windows ATL vulnerability Fixes multiple vulnerabilities in
Windows Active Template Library
that could allow an attacker to
execute arbitrary code. (CVE
2008-0015 CVE 2008-0020 CVE
2009-0901 CVE 2009-2493 CVE
2009-2494)
Outlook:973354 09-037
Media
09-055
Player:973540
ATL
Component:973
507
DHTML
Component:973
869
ActiveX:
973525
2008.
Technical Details
Service: netbios
dhtmled.ocx older than 2009-7-25
Windows kernel GDI validation vulnerabilities
CVE: CVE-2009-0081 CVE-2009-0082
CVE-2009-0083 CVE-2010-1556
Impact
critical updates.
Update Name
Windows kernel validation
Description
Fixes vulnerabilities by validating
input passed from user mode
through the kernel component of
GDI, correcting the way that the
kernel validates handles, and
changing the way that the Windows
kernel handles specially crafted
107
Fix
2000: 958690
XP: 958690
2003: 958690
Vista: 958690
2008: 958690
Bulletin
09-006
08-061
invalid pointers. (CVE 2009-0081
CVE 2009-0082 CVE 2009-0083)
Fixes vulnerabilities by correcting
window property validation passed
during the new window creation
process, calls from multiple threads
are handled, and validation of
parameters passed to the Windows
Kernel from user mode. (CVE
2008-2250 CVE 2008-2251 CVE
2008-2252)
2008.
Technical Details
Service: netbios
win32k.sys older than 2009-2-7
Windows kernel desktop validation vulnerabilities
CVE: CVE-2009-1123 CVE-2009-1124
CVE-2009-1125 CVE-2009-1126
CVE-2010-1556
Impact
critical updates.
Update Name
Description
Windows kernel desktop validation Fixes four vulnerabilities by
vulnerabilities
correcting the methods used in
validating a change in kernel object,
the input passed from user mode to
the kernel and the argument passed
to the system call. (CVE
108
Fix
2000: 968537
XP: 968537
2003: 968537
Vista: 968537
2008: 968537
Bulletin
09-025
2009-1123 CVE 2009-1124 CVE
2009-1125 CVE 2009-1126)
2008.
Technical Details
Service: netbios
Windows kernel embedded font vulnerabilities
CVE: CVE-2009-1127 CVE-2009-2513
CVE-2009-2514 CVE-2010-1556
Impact
critical updates.
Update Name
Windows kernel embedded font
vulnerabilities
Description
vulnerability that could allow a
remote attacker to execute arbitrary
code with the permissions of the
user loading a specially crafted
Embedded OpenType (EOT) font.
(CVE 2009-1127) (CVE 2009-2513)
(CVE 2009-2514)
109
Fix
2000: 969947
XP: 969947
(32-bit), 969947
(64-bit)
2003: 969947
(32-bit), 969947
(64-bit), 969947
(Itanium)
Vista: 969947
(32-bit), 969947
(64-bit)
2008: 969947
(32-bit), 969947
(64-bit), 969947
(Itanium)
Bulletin
09-065
2008.
Technical Details
Service: netbios
Windows kernel multiple privilege elevation vulnerabilities (MS10-032)
CVE: CVE-2010-0484 CVE-2010-0485
CVE-2010-1255 CVE-2010-1556
Impact
critical updates.
Update Name
Windows kernel multiple privilege
elevation vulnerabilities
Description
Fixes multiple vulnerabilities which
Server 2008, and Windows 7. (
CVE 2010-0484 CVE 2010-0485
CVE 2010-1255 )
110
Fix
2000 SP 4
979559
XP SP 2 &
SP 3 979559
XP x64 SP 2
979559
Server 2003
SP 2 979559
Server 2003
x64 SP 2
979559
Server 2003
SP2 Itanium
979559
Vista SP 1 &
SP 2 979559
Vista x64 SP
1 & SP 2
Bulletin
10-032
979559
Server 2008
32 SP 2
979559
Server 2008
x64 SP 2
979559
Server 2008
Itanium SP 2
979559
Windows 7
32-bit 979559
Windows 7
x64-based
979559
Server 2008
R2 x64 979559
Server 2008
R2 Itanium
979559
2008.
Technical Details
Service: netbios
Windows kernel property validation vulnerabilities
CVE: CVE-2008-2250 CVE-2008-2251
CVE-2008-2252 CVE-2010-1556
Impact
critical updates.
111
Update Name
Windows kernel validation
Description
Fixes vulnerabilities by validating
input passed from user mode
through the kernel component of
GDI, correcting the way that the
kernel validates handles, and
changing the way that the Windows
kernel handles specially crafted
invalid pointers. (CVE 2009-0081
CVE 2009-0082 CVE 2009-0083)
Fixes vulnerabilities by correcting
window property validation passed
during the new window creation
process, calls from multiple threads
are handled, and validation of
parameters passed to the Windows
Kernel from user mode. (CVE
2008-2250 CVE 2008-2251 CVE
2008-2252)
Fix
2000: 958690
XP: 958690
2003: 958690
Vista: 958690
2008: 958690
Bulletin
09-006
08-061
2008.
Technical Details
Service: netbios
Windows kernel user mode callback vulnerability
CVE: CVE-2008-1084 CVE-2010-1556
Impact
critical updates.
112
Update Name
Description
Windows kernel user mode callback Fixes a privilege elevation
vulnerability
vulnerability caused by insufficient
validation of input passed from user
mode to the kernel. (CVE
2008-1084)
Fix
2000: 941693
XP: 941693
2003: 941693
Vista: 941693
2008: 941693
Bulletin
08-025
2008.
Technical Details
Service: netbios
Windows kernel vulnerable (MS10-021) version, ntoskrnl.exe dated 2001-5-8
CVE: CVE-2010-0234 CVE-2010-0235
CVE-2010-0236 CVE-2010-0237
CVE-2010-0238 CVE-2010-0481
CVE-2010-0482 CVE-2010-0810
CVE-2010-1556
Impact
critical updates.
Update Name
Description
Server 2008, and Windows 7. (
CVE 2010-0232 CVE 2010-0233
CVE 2010-0234 CVE 2010-0235
113
Fix
2000 SP 4
979683
XP SP 2 &
SP 3 979683
XP x64 SP 2
979683
Server 2003
SP 2 979683
Bulletin
10-021
CVE 2010-0236 CVE 2010-0237
CVE 2010-0238 CVE 2010-0481
CVE 2010-0481 CVE 2010-0482
CVE 2010-0810 )
Server 2003
x64 SP 2
979683
Server 2003
SP2 Itanium
979683
Vista 979683
Vista x64
979683
Server 2008
32 SP 2
979683
Server 2008
x64 SP 2
979683
Server 2008
Itanium SP 2
979683
Windows 7
32-bit 979683
Windows 7
x64-based
979683
Server 2008
R2 x64 979683
Server 2008
R2 Itanium
979683
2008.
Technical Details
Service: netbios
Windows kernel vulnerable version, ntoskrnl.exe dated 2001-5-8
CVE: CVE-2009-2515 CVE-2009-2516
CVE-2009-2517 CVE-2010-1556
Impact
114
critical updates.
Update Name
Description
Server 2008, and Windows 7.
(CVE 2009-2515 CVE 2009-2516
CVE 2009-2517 CVE 2010-0232
CVE 2010-0233 )
Fix
2000: 977165
XP: 977165
2003: 977165
Vista: 977165
2008: 977165
Windows 7:
977165
Bulletin
09-058
10-015
2008.
Technical Details
Service: netbios
Windows media file processing vulnerable (MS09-038)
CVE: CVE-2009-1545 CVE-2009-1546
CVE-2010-1556
Impact
critical updates.
115
Update Name
Windows media file processing
vulnerable
Description
Fixes a vulnerability that allows
remote code execution due to
improper handling of specially
crafted AVI format files. (CVE
2009-1545 CVE 2009-1546)
Fix
2000: 971557
XP: 971557
(32-bit), 971557
(64 bit)
2003: 971557
(32-bit), 971557
(64 bit), 971557
(Itanium)
Vista: 971557
(32-bit), 971557
(64-bit)
2008: 971557
(32-bit), 971557
(64-bit), 971557
(Itanium)
Bulletin
09-038
2008.
Technical Details
Service: netbios
avifil32.dll older than 2009-7-12
Possible buffer overflow in Active Directory
Severity: Potential Problem
CVE: CVE-2003-0507 CVE-2010-1556
Impact
A remote attacker could crash the Active Directory service and force a reboot of the server. It may also be
possible to execute commands on the server.
Resolution
Install the patches referenced in Microsoft Security Bulletin 09-066.
For more information, see Microsoft Security Bulletins 07-039, 08-003, 08-035, 08-060, 09-018, and 09-066.
The Windows 2000 Active directory denial of service vulnerability was reported in Microsoft Knowledge Base
Article 319709 and Secunia Advisory SA9171.
Technical Details
Service: ldap
AV Information: AntiVirus software not found (AVG Symantec McAfee TrendMicro)
116
CVE: CVE-2010-1556
Impact
The system may be susceptible to viruses, worms, and other types of malware.
Resolution
Install and enable anti-virus software. Turn on automatic updates and periodic scans. Enable logging.
If a anti-virus server or manager is present, make sure that all clients can communicate with it so that the client
is as up to date as possible and can send crucial information to the master installation.
If more information is needed about the anti-virus software running on the network and a server or manager is
present, it is a good place to look for information about the anti-virus clients.
If more than one instance of anti-virus software is installed on a system, remove all but one. Multiple anti-virus
programs may interfere with each other and cause the system to run poorly.
For additional information about viruses and anti-virus products, see Virus Bulletin.
Technical Details
Service: netbios
SAINT currently checks for AVG, Symantec, TrendMicro, and McAfee AV software; none were detected
possible vulnerability in Apple Filing Protocol 2.0
CVE: CVE-2004-0430 CVE-2010-1556
Impact
A remote attacker could execute arbitrary commands with root privileges, thereby taking complete control of
the vulnerable computer.
Resolution
Install Mac OS security update 2004-05-03, or deselect the Personal File Sharing box in the Sharing
Preferences.
This vulnerability was reported in an @stake security advisory.
Technical Details
Service: afp
Cookie Injection vulnerabilities in IE
CVE: CVE-2004-0866 CVE-2004-0869
CVE-2010-1556
117
Impact
A remote attacker could take over a user's session on a web application.
Resolution
As this is a particularly difficult issue to fix in web browsers, it is unknown when vendor fixes will be available.
Until a fix is available for your browser, extra caution should be used when browsing the Internet. Avoid
visiting untrusted sites or clicking on links in e-mail messages.
For more information on session fixation, see Session Fixation Vulnerability in Web-Based Applications by
ACROS Security.
More information on the cookie injection vulnerabilities is available from Bugtraq.
Technical Details
Service: netbios
DNS server allows recursive queries
CVE: CVE-2010-1556
Impact
Allowing recursive queries may make the DNS server more susceptible to denial-of-service and cache
poisoning attacks.
Resolution
Disable recursive queries on the DNS server.
For Windows DNS servers, this can be done by checking Disable Recursion from Start -> Control Panel ->
Administrative Tools -> DNS -> Properties -> Advanced -> Server Options.
For BIND DNS servers, add the following line to the options section of the named.conf file:
recursion no;
For more information about the risks of recursive queries, see the Go Daddy Help Center.
Technical Details
Service: domain
Recursion Available flag = 1
guessable read community string
CVE: CVE-1999-0516 CVE-1999-0517
118
CVE-2010-1556
Impact
A read community string for one of your systems can be easily guessed. The full impact will depend largely on
exactly what type of device this system is. In general, anyone guessing this read community string can obtain
an awful lot of information regarding the device in question, and possibly about the network(s) it is on. You
need to decide whether this is a security concern or not.
The Problem/Resolution
If you were notified of this vulnerability, a read or write community string was able to be guessed for a system
you scanned. This is currently done with a simple, brute force algorithm, repeatedly trying a few guesses. In
order to guess write community strings, it actually attempts to change the sysLocation oid (and then changes it
back if succeeded). If it guessed your community string, you should consider changing it.
Some SNMP clients will allow you to restrict which hosts can send some or all write SNMP commands from,
and possibly which hosts can get information as well. It is recommended that you configure such if available.
08/09/02
Previously released versions of Avaya P330, P130 and M770-ATM Cajun family of products contain an
undocumented hard-coded community read/write string that can be used to reset the switch. Hardware
versions that have been tested and confirmed affected include P330T software version 3.8.2 and 3.9.1, P333R
software version 3.8.1 and 3.9.1, P130, M770-ATM and M770 Supervisor (M-SPX, M-SPS). If an Avaya
user is unable to upgrade to a fixed version, one can mitigate the bug by restricting SNMP access using the
'set allowed managers' command, which appeared in recent Cajun firmware.
Other related CVE entries:
CVE 1999-0186 Solaris
CVE 1999-0254 HP OpenView
CVE 2001-0380 Crosscom/Olicom XLT-F
CVE 2001-0514 Atmel 802.11b VNET-B Access Point
CVE 2001-0711 Cisco IOS (ILMI)
CVE 2002-0540 Nortel CVX 1800
CVE 2002-1448 Avaya P330, P130, and M-770 ATM Cajun
CVE 2002-1555 Cisco ONS15454 and ONS15327
CVE 2003-0137 Nokia SGSN
CVE 2004-0616 BT Voyager 2000
CVE 2005-3803 Cisco IP Phone 7920
CVE 2007-2036 Cisco Wireless LAN Controller
For more information on SNMP, see Cisco's SNMP Reference. The Avaya vulnerabilities are discussed in
Bugtraq and the Avaya advisory.
Technical Details
Service: snmp
SNMP read access using community string public (sysDescr.0: Hardware: x86 Family 15 Model 4 Stepping 1
AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Multiprocessor Free))
ICMP timestamp requests enabled
119
CVE: CVE-1999-0524 CVE-2010-1556
Impact
A remote attacker could obtain sensitive information about the network.
Resolution
Configure the system or firewall not to allow ICMP timestamp requests (message type 13) or ICMP netmask
requests (message type 17). Instructions for doing this on specific platforms are as follows:
Windows:
Block these message types using the Windows firewall as described in Microsoft TechNet.
Linux:
Use ipchains or iptables to filter ICMP netmask requests using the command:
ipchains -A input -p icmp --icmp-type address-mask-request -j DROP
Use ipchains or iptables to filter ICMP timestamp requests using the commands:
ipchains -A input -p icmp --icmp-type timestamp-request -j DROP
ipchains -A output -p icmp --icmp-type timestamp-reply -j DROP
To ensure that this change persists after the system reboots, put the above command into the system's
boot-up script (typically /etc/rc.local).
Cisco:
Block ICMP message types 13 and 17 as follows:
deny icmp any any 13
deny icmp any any 17
For more information about ICMP, see RFC792.
Technical Details
Service: icmp
timestamp=f8752d03
Internet Explorer Modal Dialog zone bypass
CVE: CVE-2003-1048 CVE-2004-0549
CVE-2004-0566 CVE-2010-1556
Impact
Resolution
120
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
More information on the object tag, modal dialog, and information disclosure vulnerabilities may be found in
Bugtraq ID 17658, Bugtraq ID 17713, and Bugtraq ID 17717.
The ADODB.Stream object vulnerability was reported in US-CERT alert 04-184A.
121
The three vulnerabilities which are exploited by the Download.Ject trojan were reported in Bugtraq ID 10472,
Bugtraq ID 10473, and Bugtraq ID 10514.
Technical Details
Service: netbios
Internet Explorer Travel Log vulnerability
CVE: CVE-2003-1025 CVE-2003-1026
CVE-2003-1027 CVE-2010-1556
Impact
Resolution
Advisory (980088)
122
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
Internet Explorer cross-domain vulnerabilities
CVE: CVE-2003-0814 CVE-2003-0815
CVE-2003-0816 CVE-2003-0817
CVE-2003-0823 CVE-2010-1556
Impact
Resolution
123
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
Technical Details
Service: netbios
Internet Explorer patch needed
CVE: CVE-2003-0113 CVE-2003-0114
CVE-2003-0115 CVE-2003-0116
CVE-2003-0309 CVE-2003-0344
CVE-2003-0530 CVE-2003-0531
CVE-2003-0532 CVE-2003-0701
CVE-2003-0809 CVE-2003-0838
CVE-2003-1025 CVE-2003-1026
CVE-2003-1027 CVE-2003-1326
CVE-2003-1328 CVE-2010-1556
124
Impact
Resolution
Advisory (980088)
03-032, 03-040, 03-048, 04-004, 04-025, 04-038, 04-040, 05-014, 05-020, 05-025, 05-037, 05-038, 05-052,
05-054, 06-004, 06-013, 06-021, 06-023, 06-042, 06-055, 06-067, 06-072, 07-004, 07-009, 07-016, 07-027,
07-033, 07-045, 07-050, 07-057, 07-061, 07-069, 08-010, 08-022, 08-023, 08-024, 08-031, 08-032, 08-045,
08-052, 08-058, 08-073, 08-078, 09-002, 09-014, 09-019, 09-034, 09-045, 09-054, 09-072, 10-002, 10-018,
and 10-035.
125
Technical Details
Service: netbios
Possible vulnerability in LDAP over SSL
CVE: CVE-2001-0502 CVE-2010-1556
Impact
A remote attacker could take control of a domain administrator's account, thereby gaining administrative
privileges.
Resolution
Apply the patch referenced in Microsoft Security Bulletin 01-036.
For more information, see Microsoft Security Bulletin 01-036.
Technical Details
Service: ssl-ldap
Is your LDAP secure?
CVE: CVE-2002-1378 CVE-2002-1379
CVE-2010-1556
Impact
If an application uses a vulnerable implementation of LDAP, an attacker could cause a denial of service or
execute arbitrary commands.
Resolution
See CERT Advisory 2001-18 for information on obtaining a patch for your application. OpenLDAP 2.x users
may also need to fix a separate set of vulnerabilities which were reported in SuSE Security Announcement
2002:047. Consult your vendor for a fix.
If a patch is not available, then ports 389 and 636, TCP and UDP, should be blocked at the network
perimeter until a patch can be applied.
For more information, see CERT Advisory 2001-18 and SuSE Security Announcement 2002:047.
126
Technical Details
Service: ldap
Authentication flaw in Microsoft mail server
CVE: CVE-2001-0504 CVE-2002-0054
CVE-2010-1556
Impact
Resolution
Article 330716.
Technical Details
Service: smtp
13 Jul 2010 10:48:01 -0400
Microsoft SQL Server vulnerable version: 8.00.194
CVE: CVE-1999-0652 CVE-1999-0999
CVE-2000-0199 CVE-2000-0202
CVE-2000-0402 CVE-2000-0485
CVE-2000-0603 CVE-2000-1081
CVE-2000-1082 CVE-2000-1083
CVE-2000-1084 CVE-2000-1085
CVE-2000-1086 CVE-2000-1087
CVE-2000-1088 CVE-2001-0344
CVE-2001-0542 CVE-2001-0879
CVE-2002-0056 CVE-2002-0154
CVE-2002-0186 CVE-2002-0187
CVE-2002-0624 CVE-2002-0641
127
CVE-2002-0642 CVE-2002-0644
CVE-2002-0645 CVE-2002-0695
CVE-2002-0721 CVE-2002-0859
CVE-2002-0982 CVE-2002-1123
CVE-2002-1137 CVE-2002-1138
CVE-2002-1145 CVE-2003-0230
CVE-2003-0231 CVE-2003-0232
CVE-2010-1556
Impact
Resolution
To correct the MDAC buffer overflow vulnerability, database administrators using SQL Server 7.0 or 2000
should apply the MDAC patch referenced in Microsoft Security Bulletin 02-040.
If using SQL Server user accounts instead of Windows domain user accounts, Microsoft recommends using
the "always prompt for login name and password" option so that the weakly encrypted administrative password
will not be stored on the hard drive.
vulnerabilities.
02-056, 02-043, 02-040, 02-039, 02-038, 02-034, 02-030, 02-020, 02-007, 01-060, 01-032, 00-092, 00-048,
#NISR25072002 and #NISR22002002A.
Technical Details
Service: 1433:TCP
Received:
SAINTLAB02;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;tcp;1433;np;\\SAINTLAB02
pipe\sql\query;;uage setting to us_english.
Possible vulnerability in MS SQL Server Resolution Service
CVE: CVE-2002-0649 CVE-2002-0650
CVE-2002-0729 CVE-2010-1556
128
Impact
Resolution
To correct the SQL Server 2000 Resolution Service vulnerabilities, download the SQL Server 2000 Service
Pack 2 Security Patch referenced in Microsoft Security Bulletin 02-039. You may also want to block UDP
port 1434 at the firewall, if feasible (see MS02-039 for details.)
vulnerabilities.
02-056, 02-043, 02-040, 02-039, 02-038, 02-034, 02-030, 02-020, 02-007, 01-060, 01-032, 00-092, 00-048,
#NISR25072002 and #NISR22002002A.
For more information on the worm which exploits buffer overflows in the SQL Server Resolution Service, see
CERT Advisory 2003-04.
Technical Details
Service: 1434:UDP
Possible vulnerability in Microsoft Terminal Server
CVE: CVE-2000-1149 CVE-2001-0663
CVE-2001-0716 CVE-2002-0863
CVE-2002-0864 CVE-2005-1218
CVE-2010-1556
Impact
Vulnerabilities in Microsoft Windows Terminal Server and Remote Desktop could allow a remote attacker to
execute arbitrary code or crash the server, or could allow an attacker who is able to capture network traffic to
decrypt sessions.
Resolution
There is no fix available to protect against the man-in-the-middle attack. Therefore, Terminal Services should
129
only be used on trusted networks.
For Windows NT 4.0 Terminal Server Edition, apply the patches referenced in Microsoft Security Bulletins
00-087 and 01-052. There is no fix available for the denial of service vulnerability on Windows NT.
For Windows 2000, apply the patches referenced in Microsoft Security Bulletins 01-052, 02-051, and 05-041.
For Windows XP, apply the patches referenced in Microsoft Security Bulletins 02-051 and 05-041.
For Windows Server 2003, apply the patch referenced in Microsoft Security Bulletin 05-041.
For Citrix MetaFrame, download a hotfix from the Citrix Solution Knowledge Base, under Hotfixes.
It is also a good idea to filter TCP port 3389 at the firewall or router, such that only connections from
legitimate users will be accepted.
For more information, see Microsoft Security Bulletins 00-087, 01-052, 02-051, and 05-041, and Bugtraq.
For more information on the Citrix MetaFrame vulnerability, see the Bugtraq ID 3440.
Technical Details
Service: 3389:TCP
port 3389/tcp open and KB899591 not applied or could not be checked
NetBIOS share enumeration using null session
CVE: CVE-2010-1556
Impact
A remote attacker could gain a list of shared resources or user names on the system.
Resolution
Mitigating this vulnerability will require editing the registry. The regedt32 command can be used for this
purpose. Keep in mind that erroneous changes to the registry could leave the system in an unstable and
unbootable state, so use due caution and have a working system backup and repair disk before editing the
registry.
The privileges of null sessions can be limited by changing the following registry value:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM/CurrentControlSet/Control/LSA
Value: RestrictAnonymous
Type: REG_DWORD
Setting this value to 1 will partially limit the amount of information which is available through a null session, but
will still allow access to some sensitive information, including the user account list. On Windows 2000 and XP,
this value can also be set to 2 for greater protection. However, a value of 2 could also disable some critical
Windows networking functions, so this setting is recommended only for Internet servers, and should be
thoroughly tested.
130
Windows XP and later also support a registry value called RestrictAnonymousSAM, which, if set to 1,
prevents enumeration of accounts using a null session.
In addition to the above changes, it is also advisable to block access to the NetBIOS ports at the firewall or
gateway router. There is usually no reason why a user outside the local network would have a legitimate need
for NetBIOS access. NetBIOS runs on ports 135, 137, 138, and 139 (TCP and UDP).
For more information about using the RestrictAnonymous registry value to limit the privileges of null
sessions, see Microsoft Knowledge Base articles Q143474 and Q246261.
Technical Details
Service: netbios-ssn
Shares: E$; NETLOGON; ADMIN$; SYSVOL; C$
Outlook Express MHTML vulnerability
CVE: CVE-2004-0380 CVE-2010-1556
Impact
Resolution
Technical Details
Service: netbios
Outlook Express NNTP buffer overflow
CVE: CVE-2005-1213 CVE-2010-1556
Impact
131
Resolution
Technical Details
Service: netbios
Outlook Express patch needed
CVE: CVE-2002-1179 CVE-2010-1556
Impact
Resolution
Technical Details
Service: netbios
chargen could be used in UDP bomb
CVE: CVE-1999-0103 CVE-2010-1556
Impact
132
Your machine may be vulnerable to certain types of Denial of Service attacks (Fraggle, Smurf, Papasmurf,
or UDP flood). These DoS attacks affect the entire network and may slow network activity to a crawl.
Furthermore, the network can be used as an intermediary to launch attacks on other networks.
Resolutions
The key to protecting against, and suppressing these types of attacks, is to ensure that your network will not
be used as an intermediary. This may be done by configuring routers to not allow IP directed-broadcast
transmissions (on Cisco routers, use the "no ip directed-broadcast" interface command). All routers which provide
routing to large multi-access broadcast networks, in other words LANs with more than 5 to 10 devices, should
be configured in this way. This resolution is indirect, but is, at this point, the surest method for eliminating these
types of attacks.
Unfortunately, there is no sure method for protecting against being the ultimate target for Smurf type attacks.
For the Smurf attack, the surest and safest fix is to configure routers to turn away all incoming ICMP
packets. Unfortunately, this will render several ICMP dependent services, such as ping and traceroute,
unusable. Other router configuration methods do exist, and you may read about them in PSI's Filter
Configuration page. Other methods, such as ICMP filtering and dropping excess packets at network border
routers, are not foolproof but may help alleviate the symptoms of Smurf type attacks. These methods are
described in InterNIC rfc2267. If you suspect that you have been the victim of a Smurf attack, you may want
to download the Smurf Logger, which will allow you to log future Smurf attacks (and other information, such
as the broadcast address being used as the intermediary).
As with the Smurf attack, the Fraggle attack is particularly hard to defend against. Some suggestions include
blocking broadcast UDP at the router, and perhaps blocking UDP at all terminal servers as well (to prevent
malicious network users from flooding out the network). Read the Smurf information above for more
information on router configuration tips and border router packet filtering techniques that may prove useful in
defending against these types of attacks.
Visit Packet Storm to read about the Fraggle and Papasmurf Denial of Service attacks.
You can read more about the Smurf attack at Packet Storm's Smurf page. Another good source of
information is Craig A. Huegen's Smurf Whitepaper. Be sure to also to read the Smurf information in CERT
Advisory 98.01.
For more information on the UDP Flood attack, see CERT Advisory 96.01.
Technical Details
Service: chargen
SMTP may be a mail relay
CVE: CVE-1999-0512 CVE-2010-1556
Impact
An e-mail spammer, or other unauthorized user, may be able to use the system to relay mail.
Resolution
133
UNIX mail servers should be upgraded to Sendmail 8.9 or higher, which does not allow relaying by default.
For non-UNIX mail servers, contact your vendor for fix information.
Where Can I Read More About this?
The MAPS Transport Security Initiative page is a good source of information on mail relaying. Also see
sendmail.org for information on the anti-relaying features in Sendmail 8.9. Users of Sendmail 8.8 who do not
wish to upgrade can refer to sendmail.org for information on preventing relaying in Sendmail 8.8.
Technical Details
Service: smtp
MAIL FROM: <[email protected]>
RCPT TO: <"saint%mail-abuse.org">
SNMP is enabled and may be vulnerable
CVE: CVE-1999-0615 CVE-2002-0012
CVE-2002-0013 CVE-2002-0053
CVE-2002-0796 CVE-2002-0797
CVE-2010-1556
Impact
If a vulnerable implementation of SNMP is running, a remote attacker could crash the device, cause the device
to become unstable, or gain unauthorized access.
Resolution
For the HMAC length 1 security bypass vulnerability, update to NET-SNMP 5.4.1.1, 5.3.2.1, 5.2.4.1, 5.1.4.1,
5.0.11.1, or UCD-snmp 4.2.7.1 or get updates for other products from your vendor.
There are a number of measures which can be taken to reduce the risk of this vulnerability being exploited.
Apply a patch from your vendor if one is available. (IRIX users should also refer to SGI Security Advisory
20020201-01-P, and Sun users should also refer to Sun Security Bulletin 219 for patch information.) Change
all community strings to non-default strings which are difficult to guess. Block access to UDP ports 161 and 162
at the network perimeter. Disable the SNMP service on machines where it can be disabled and is not needed.
There are a number of additional precautions which should also be taken wherever possible:
Filter SNMP traffic from unauthorized internal hosts
Segregate SNMP traffic onto a separate management network
Block incoming and outgoing traffic (ingress and egress filtering) on ports 161, 162, 199, 391, 705,
and 1993, both TCP and UDP
Block incoming traffic destined for broadcast addresses and internal loopback addresses
Disable stack execution
For more information on these precautions, see CERT Advisory 2002-03.
The HMAC length 1 security bypass vulnerability was reported in Secunia Advisory SA30574 and
Vulnerability Note VU#878044.
134
The initial vulnerabilities were discovered by the Oulu University Secure Programming Group using the
PROTOS Test Suite. For more information, see CERT Advisory 2002-03, the CERT SNMP FAQ, and
For more information on the Sun mibiisa vulnerability, see Sun Security Bulletin 219.
Technical Details
Service: snmp
non-administrative users can act as part of the operating system
CVE: CVE-1999-0534 CVE-2010-1556
Impact
Normal users could take actions which should be limited to administrators. These privileges could be used to
facilitate attacks or to make system resources unavailable to other users.
Resolution
Edit the user rights assignment, which is found in the Local Security Policy under Administrative Tools on
most systems.
Note that if there is an Effective Setting in the local security policy, it is this setting which is used. This setting
can only be changed on the domain controller.
See Microsoft's documentation on User Rights Assignment.
Technical Details
SeTcbPrivilege
non-administrative users can bypass traverse checking
CVE: CVE-1999-0534 CVE-2010-1556
Impact
Resolution
most systems.
135
Technical Details
SeChangeNotifyPrivilege
non-administrative users can replace a process level token
CVE: CVE-1999-0534 CVE-2010-1556
Impact
Resolution
most systems.
Technical Details
SeAssignPrimaryTokenPrivilege
auditing is disabled
CVE: CVE-1999-0575 CVE-2010-1556
Impact
Intrusion attempts or other unauthorized activities could go unnoticed.
Resolution
Edit the auditing policy, which is found in the Local Security Policy under Administrative Tools on most
systems.
See Microsoft's guide to setting up auditing and developing an auditing policy.
Technical Details
136
Windows DNS lack of entropy spoofing attack
CVE: CVE-2007-3898 CVE-2010-1556
Impact
The Windows DNS Server has a vulnerability that allows for remote code execution.
Resolution
Apply the patch referenced in Microsoft Security Bulletin 09-008.
For the management interface buffer overflow, remote management over RPC can be disabled by setting the
value of RpcProtocol in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters to 4. Setting this
value to 0 will disable all DNS RPC functionality and will protect against both local and remote attempts to
exploit the vulnerability.
For more information on specific vulnerabilities, see Microsoft Security Bulletins 07-029, 07-062, and 09-008.
The DNS server RPC management interface buffer overflow was reported in US-CERT Vulnerability Note
VU#555920 and Secunia Advisory SA24871.
Technical Details
Service: netbios
dns.exe older than 2007-10-14 but the Windows DNS Service is not turned on
Collaboration Data Objects vulnerability
CVE: CVE-2005-1987 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Fix
137
Bulletin
Collaboration Data Object
vulnerability
Fixes a vulnerability in Collaboration
Data Objects which could allow an
attacker to perform remote code
execution. (CVE 2005-1987)
2000: 901017
05-048
XP: 901017
2003: 901017 or
SP2
2008.
Technical Details
Service: netbios
cdosys.dll older than 2005-9-29
CVE: CVE-2005-2126 CVE-2010-1556
Impact
critical updates.
Update Name
Description
Fixes a vulnerability in Windows
FTP Client that could allow
tampering in File Transfer location.
(CVE 2005-2126)
Fix
2000: 905495
XP: 905495
2003: 905495
Bulletin
05-044
2008.
Technical Details
Service: netbios
msieftp.dll older than 2005-8-4
138
Jet Database Engine buffer overflow
CVE: CVE-2004-0197 CVE-2010-1556
Impact
critical updates.
Update Name
Jet Database Engine buffer
overflow
Description
allow an attacker to take control of
a computer by sending a specially
crafted database query to an
application using Jet. (CVE
2004-0197)
Fix
Bulletin
NT: 837001
04-014
2000: 837001 or TA04-104A
SP4 Update
Rollup 1
XP: 837001 or
SP2
2003: 837001 or
SP1
2008.
Technical Details
Service: netbios
Jet Database Engine input validation problems
CVE: CVE-2005-0944 CVE-2010-1556
Impact
139
critical updates.
Update Name
Jet Database Engine input
validation
Description
Fixes vulnerabilities which could
allow command execution by a
malformed database file. (CVE
2005-0944)
Fix
2000: 950749
XP: 950749
2003 SP1:
950749
Bulletin
Full Disclosure,
08-028,
US-CERT
Vulnerability Note
VU#936529
2008.
Technical Details
Service: netbios
Microsoft Agent spoofing vulnerability
CVE: CVE-2005-1214 CVE-2010-1556
Impact
critical updates.
Update Name
Microsoft Agent spoofing
Description
Prevents spoofing of trusted
140
Fix
2000: 890046
Bulletin
05-032
vulnerability
Internet content using a Microsoft
XP: 890046
Agent character which disguises
2003: 890046 or
security prompts. (CVE 2005-1214) SP2
2008.
Technical Details
Service: netbios
Network Connection Manager vulnerability
CVE: CVE-2005-2307 CVE-2010-1556
Impact
critical updates.
Update Name
Hotfix
Description
Fixes a vulnerability in the Network
Connection Manager which could
allow a local attacker to gain Local
System privileges. (CVE
2002-0720)
vulnerability
Fixes a vulnerability in Network
Connection Manager that could
allow Denial of Service. (CVE
2005-2307)
Fix
Bulletin
NT: Not
02-042
Affected
2000: Q326886
or SP4
XP: Not
Affected
2000: 905414
05-045
XP: 905414
2003: 905414 or
SP2
2008.
141
Technical Details
Service: netbios
netman.dll older than 2005-8-14
Windows 2000 VM ByteCode Verifier vulnerability
CVE: CVE-2003-0111 CVE-2010-1556
Impact
critical updates.
Update Name
VM ByteCode Verifier Hotfix
Description
Fixes the ByteCode Verifier to
check for illegal commands when
loading Java applets, thus
preventing attacks from remote web
pages and e-mail messages. (CVE
2003-0111)
Fix
Bulletin
NT: 816093
03-011
2000: 816093 or
SP4
XP: 816093 or
SP2
2008.
Technical Details
Service: netbios
msjava.dll older than 2003-3-16
Windows COM+ command execution vulnerability
CVE: CVE-2005-1978 CVE-2005-1979
CVE-2005-1980 CVE-2005-2119
CVE-2010-1556
Impact
142
critical updates.
Update Name
Windows COM+ command
execution vulnerability
Description
Fixes vulnerabilities which could
allow remote command execution
on Windows 2000 and XP SP1, or
privilege elevation on Windows XP
SP2 and 2003. (CVE 2005-1978
CVE 2005-1979 CVE 2005-1980
CVE 2005-2119)
Fix
Bulletin
2000: 902400
05-051
XP: 902400
2003: 902400 or
SP2
2008.
Technical Details
Service: 3372:TCP
3372/TCP open and host type is NT, 2000, XP SP0-1, or 2003 SP0
Windows HyperTerminal buffer overflow
CVE: CVE-2004-0568 CVE-2010-1556
Impact
critical updates.
143
Update Name
Windows HyperTerminal buffer
overflow
Description
allow code execution when a user
opens a malicious .ht file or
possibly a Telnet URL. (CVE
2004-0568)
Fix
Bulletin
NT: 873339
04-043
2000: 873339 or
SP4 Update
Rollup 1
XP: 873339
2003: 873339 or
SP1
2008.
Technical Details
Service: netbios
hypertrm.dll older than 2004-11-13
Windows Message Queuing vulnerability
CVE: CVE-2005-0059 CVE-2010-1556
Impact
critical updates.
Update Name
Message Queuing vulnerability
Description
Fixes a buffer overflow in Message
Queuing which could allow remote
command execution. (Sites using
only HTTP Message Delivery are
not affected.) (CVE 2005-0059)
144
Fix
Bulletin
2000: 892944 or 05-017
SP4 Update
Rollup 1
XP: 892944 or
SP2
2003: not
affected
2008.
Technical Details
Service: netbios
mqutil.dll older than 2005-2-16
Windows RPC mutual authentication spoofing
CVE: CVE-2006-2380 CVE-2010-1556
Impact
critical updates.
Update Name
Windows RPC Mutual
Authentication spoofing
Description
Fix
Fixes vulnerability in Windows RPC 2000: 917736
for Windows 2000 that allows for
spoofing of RPC authentication.
(CVE 2006-2380)
Bulletin
06-031
2008.
Technical Details
Service: netbios
17/TCP
Severity: Service
145
Technical Details
"Assassination is the extreme form of censorship."
17/UDP
Severity: Service
Technical Details
42/TCP
Severity: Service
Technical Details
88/TCP
Severity: Service
Technical Details
88/UDP
Severity: Service
Technical Details
464/TCP
Severity: Service
Technical Details
464/UDP
Severity: Service
Technical Details
548/TCP
Severity: Service
Technical Details
563/TCP
Severity: Service
Technical Details
1028/TCP
Severity: Service
Technical Details
146
1030/UDP
Severity: Service
Technical Details
1031/TCP
Severity: Service
Technical Details
ncacn_http/1.0
1053/TCP
Severity: Service
Technical Details
1054/UDP
Severity: Service
Technical Details
1056/UDP
Severity: Service
Technical Details
1059/TCP
Severity: Service
Technical Details
1063/UDP
Severity: Service
Technical Details
1068/UDP
Severity: Service
Technical Details
1073/UDP
Severity: Service
Technical Details
1081/UDP
Severity: Service
147
Technical Details
1090/TCP
Severity: Service
Technical Details
1091/TCP
Severity: Service
Technical Details
1101/UDP
Severity: Service
Technical Details
1102/UDP
Severity: Service
Technical Details
1104/TCP
Severity: Service
Technical Details
1105/TCP
Severity: Service
Technical Details
1106/UDP
Severity: Service
Technical Details
1110/TCP
Severity: Service
Technical Details
1111/TCP
Severity: Service
Technical Details
1112/UDP
Severity: Service
148
Technical Details
1113/TCP
Severity: Service
Technical Details
1128/UDP
Severity: Service
Technical Details
1129/UDP
Severity: Service
Technical Details
1135/TCP
Severity: Service
Technical Details
1138/UDP
Severity: Service
Technical Details
1144/TCP
Severity: Service
Technical Details
1150/UDP
Severity: Service
Technical Details
1240/UDP
Severity: Service
Technical Details
1369/UDP
Severity: Service
Technical Details
1415/UDP
Severity: Service
149
Technical Details
1433/TCP
Severity: Service
Technical Details
1434/UDP
Severity: Service
Technical Details
1638/UDP
Severity: Service
Technical Details
1645/UDP
Severity: Service
Technical Details
1646/UDP
Severity: Service
Technical Details
1718/UDP
Severity: Service
Technical Details
1719/UDP
Severity: Service
Technical Details
1755/TCP
Severity: Service
Technical Details
1755/UDP
Severity: Service
Technical Details
1801/TCP
Severity: Service
150
Technical Details
1801/UDP
Severity: Service
Technical Details
1813/UDP
Severity: Service
Technical Details
2101/TCP
Severity: Service
Technical Details
2103/TCP
Severity: Service
Technical Details
2107/TCP
Severity: Service
Technical Details
3268/TCP
Severity: Service
Technical Details
3269/TCP
Severity: Service
Technical Details
3372/TCP
Severity: Service
Technical Details
H\252\t\000x\001
3389/TCP
Severity: Service
Technical Details
151
6666/TCP
Severity: Service
Technical Details
7007/TCP
Severity: Service
Technical Details
DNS
Severity: Service
Technical Details
FTP
Severity: Service
Technical Details
220 saintlab02 Microsoft FTP Service (Version 5.0).
FTP (with anonymous)
Severity: Service
Technical Details
ANONYMOUS
NNTP (Usenet news)
Severity: Service
Technical Details
200 NNTP Service 5.00.0984 Version: 5.0.2195.2966 Posting Allowed
SMB
Severity: Service
Technical Details
\131\000\000\001\143
SMTP
Severity: Service
Technical Details
220 saintlab02.saintlab.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.2966 ready at Tue, 13 Jul
2010 10:48:01 -0400
152
SNMP
Severity: Service
Technical Details
WWW
Severity: Service
Technical Details
HTTP/1.1 500 Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 13 Jul 2010 14:48:01 GMT
Content-Type: text/html
Content-Length: 276
<html><head><title>Server Application
WWW (Secure)
Severity: Service
Technical Details
WWW (non-standard port 5406)
Severity: Service
Technical Details
HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/5.0
Date: Tue, 13 Jul 2010 14:48:03 GMT
Content-Length: 3295
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD
XDM (X login)
Severity: Service
Technical Details
bootpc (68/UDP)
Severity: Service
Technical Details
bootps (67/UDP)
Severity: Service
Technical Details
chargen (19/TCP)
Severity: Service
153
Technical Details
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefg
chargen:UDP (19/UDP)
Severity: Service
Technical Details
daytime (13/TCP)
Severity: Service
Technical Details
10:48:01 AM 7/13/2010
daytime (13/UDP)
Severity: Service
Technical Details
discard (9/TCP)
Severity: Service
Technical Details
discard (9/UDP)
Severity: Service
Technical Details
domain (53/UDP)
Severity: Service
Technical Details
echo (7/TCP)
Severity: Service
Technical Details
GET / HTTP/1.0
echo (7/UDP)
Severity: Service
Technical Details
eklogin (2105/TCP)
Severity: Service
154
Technical Details
isakmp (500/UDP)
Severity: Service
Technical Details
ldap (389/TCP)
Severity: Service
Technical Details
ldap (389/UDP)
Severity: Service
Technical Details
microsoft-ds (445/TCP)
Severity: Service
Technical Details
microsoft-ds (445/UDP)
Severity: Service
Technical Details
name (42/UDP)
Severity: Service
Technical Details
netbios-dgm (138/UDP)
Severity: Service
Technical Details
netbios-ns (137/UDP)
Severity: Service
Technical Details
ntp (123/UDP)
Severity: Service
Technical Details
printer (515/TCP)
Severity: Service
155
Technical Details
\001
radius (1812/UDP)
Severity: Service
Technical Details
ssl-ldap (636/TCP)
Severity: Service
Technical Details
tftp (69/UDP)
Severity: Service
Technical Details
Copyright 2001-2010 SAINT Corporation. All rights reserved.
156

SAINTwriter Assessment Report

Transcription

Similar documents

SVR302: Windows Server code name “Longhorn” Technical Overview

Khalil Abd El

Blackadders uses FloSuite Legal

Microsoft Windows Server Codename "Longhorn"

Microsoft - сервисна платформа за грађане

Untitled

Age of Empires III Age of Empires III

Computer

January 2015 - Con

quality software. on time. every time.