
Retina Network Security Scanner
Network Vulnerability Assessment & Remediation Management

1/9/2012 - Report created by version 5.14.1.2451

 
Remediation Report

CONFIDENTIAL INFORMATION


The following report contains company confidential information. Do not distribute, email, fax, or transfer via any electronic mechanism unless it has been approved by the recipient company's security policy. All copies and backups of this document should be saved on protected storage at all times. Do not share any of the information contained within this report with anyone unless they are authorized to view the information. Violating any of the previous instructions is grounds for termination.




Metrics for '119'
File name: C:\Program Files\eEye Digital Security\Retina 5\Scans\119.rtd
Audits revision: 2451
Scanner version: 5.14.1
Start time: 1/9/2012 1:36:02 PM
Duration: 0d 0h 5m 17s
Credentials: Adm, drenad
Audit groups: All Audits
Address groups: N/A
IP ranges: 10.10.10.119
Total hosts attempted: 1
Total hosts scanned: 1
No access: 0



10.10.10.119 TBOCDRENTEST01 Windows 7

Microsoft .NET Framework Remote Code Execution (2514842) - Silverlight
Audit ID: 14861
Vul ID:
Risk Level: High
Sev Code: Category I
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft .NET Framework (2.0, 3.5, 4.0) and Microsoft Silverlight contain a vulnerability when handling arrays in crafted XAML Browser Applications (XBAPs) or Silverlight applications. Successful exploitation could allow execution of arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2514842 (http://support.microsoft.com/kb/2514842)
Microsoft Security Bulletin MS11-039 (http://www.microsoft.com/technet/security/bulletin/MS11-039.mspx)
CVE: CVE-2011-0664 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0664)
 - .NET Framework Array Offset Vulnerability
CCE:
IAV:
BugtraqID: 48212 (http://www.securityfocus.com/bid/48212)
 - Microsoft Silverlight & .NET Framework Invalid Array Offset Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-2011-0664   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value:REGEX,T,WB,^((4\.0+\.(0*(([1-5]?[0-9]?[0-9]?[0-9]?[0-9]|60([0-4][0-9]{2}|5([0-2][0-9]|30))))(\..*)?))|([0-3]\..*))($|[^0-9.])
Found Value:4.0.50917.0

Microsoft .NET Framework Remote Code Execution (2604930) - Silverlight
Audit ID: 15378
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft .NET Framework (2.0, 3.5, 4.0) and Microsoft Silverlight contain a vulnerability when handling inheritance within classes in crafted XAML Browser Applications (XBAPs) and Silverlight applications. Successful exploitation could allow remote attackers to bypass Code Access Security (CAS) restrictions and execute arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2604930 (http://support.microsoft.com/kb/2604930)
Microsoft Security Bulletin MS11-078 (http://technet.microsoft.com/en-us/security/bulletin/ms11-078)
CVE: CVE-2011-1253 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1253)
 - .NET Framework Class Inheritance Vulnerability
CCE:
IAV: 2011-A-0137 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0137.htm)
 - Microsoft .NET Framework and Microsoft Silverlight Remote Code Execution Vulnerability
- NAVCIRT: 2011-A-0137
BugtraqID: 49999 (http://www.securityfocus.com/bid/49999)
 - Microsoft Silverlight & .NET Framework Inheritance Restriction Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-2011-1253   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value:REGEX,T,WB,^(4\.0\.([1-5]?[0-9]?[0-9]?[0-9]?[0-9]|60([0-7][0-9]{2}|8([0-2][0-9]|30)))\..*)($|[^0-9.])
Found Value:4.0.50917.0

Microsoft DLL Preloading Vulnerability (Zero-Day) - BitLocker
Audit ID: 13386
Vul ID:
Risk Level: High
Sev Code: Category I
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Multiple Microsoft products contain a vulnerability in how they load DLLs, making them susceptible to DLL preloading attacks. Opening a file with one of these products from an attacker-controlled location (e.g. a WebDAV server) could allow the attacker to execute arbitrary code with the privileges of the logged-in user.
How To Fix: Currently no patch is available from the vendor. Exploitation may be limited by restricting access to known attack vectors (e.g. the WebDAV client), but restricting access only deters exploitation: also avoid opening files from untrusted network locations, local directories, archive folders, and any other location that could contain a malicious DLL.

See Microsoft Security Advisory 2269637, referenced below, for a potential workaround. Please note that applying the workaround in Microsoft Security Advisory 2269637 may stop existing applications from functioning correctly.
Related Links: eEye Digital Security Advisory ZD20100823 (http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2010/20100823)
Microsoft Advisory - 2269637 (http://www.microsoft.com/technet/security/advisory/2269637.mspx)
Microsoft TechNet - Security Research & Defense (http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx)
SANS - Internet Storm Center (http://isc.sans.edu/diary.html?storyid=9445)
CVE: CVE-2010-3139 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3139)
 - Untrusted search path vulnerability in Microsoft Windows Progman Group Converter (grpconv.exe) allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse imm.dll that is located in the same folder as a .grp file.
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-2010-3139   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BitLocker
Tested Value:equals 0
Found Value:0

Microsoft DLL Preloading Vulnerability (Zero-Day) - Group Converter
Audit ID: 13384
Vul ID:
Risk Level: High
Sev Code: Category I
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Multiple Microsoft products contain a vulnerability in how they load DLLs, making them susceptible to DLL preloading attacks. Opening a file with one of these products from an attacker-controlled location (e.g. a WebDAV server) could allow the attacker to execute arbitrary code with the privileges of the logged-in user.
How To Fix: Currently no patch is available from the vendor. Exploitation may be limited by restricting access to known attack vectors (e.g. the WebDAV client), but restricting access only deters exploitation: also avoid opening files from untrusted network locations, local directories, archive folders, and any other location that could contain a malicious DLL.

See Microsoft Security Advisory 2269637, referenced below, for a potential workaround. Please note that applying the workaround in Microsoft Security Advisory 2269637 may stop existing applications from functioning correctly.
Related Links: eEye Digital Security Advisory ZD20100823 (http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2010/20100823)
Microsoft Advisory - 2269637 (http://www.microsoft.com/technet/security/advisory/2269637.mspx)
Microsoft TechNet - Security Research & Defense (http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx)
SANS - Internet Storm Center (http://isc.sans.edu/diary.html?storyid=9445)
CVE: CVE-2010-3139 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3139)
 - Untrusted search path vulnerability in Microsoft Windows Progman Group Converter (grpconv.exe) allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse imm.dll that is located in the same folder as a .grp file.
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-2010-3139   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Windows\system32\grpconv.exe

Microsoft Excel Remote Code Execution (2489279) - 2007 Compatibility Pack
Audit ID: 14465
Vul ID:
Risk Level: High
Sev Code: Category I
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Excel contains multiple vulnerabilities when parsing crafted Excel files. Successful exploitation could allow remote execution of arbitrary code in the context of the logged-in user.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2489279 (http://support.microsoft.com/kb/2489279)
Microsoft Security Bulletin MS11-021 (http://www.microsoft.com/technet/security/Bulletin/MS11-021.mspx)
CVE: CVE-2011-0097 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0097)
 - Excel Integer Overrun Vulnerability
CVE-2011-0098 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0098)
 - Excel Heap Overflow Vulnerability
CVE-2011-0101 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0101)
 - Excel Record Parsing WriteAV Vulnerability
CVE-2011-0103 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0103)
 - Excel Memory Corruption Vulnerability
CVE-2011-0104 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0104)
 - Excel Buffer Overwrite Vulnerability
CVE-2011-0105 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0105)
 - Excel Data Initialization Vulnerability
CVE-2011-0978 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0978)
 - Excel Array Indexing Vulnerability
CVE-2011-0979 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0979)
 - Excel Linked List Corruption Vulnerability
CVE-2011-0980 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0980)
 - Excel Dangling Pointer Vulnerability
CCE:
IAV:
BugtraqID: 46225 (http://www.securityfocus.com/bid/46225)
 - Microsoft Excel Axis Properties Remote Code Execution Vulnerability
46226 (http://www.securityfocus.com/bid/46226)
 - Microsoft Excel Office Art Object Remote Code Execution Vulnerability
47201 (http://www.securityfocus.com/bid/47201)
 - Microsoft Excel Buffer Allocation Integer Overflow Remote Code Execution Vulnerability
47235 (http://www.securityfocus.com/bid/47235)
 - Microsoft Excel CVE-2011-0098 Heap Based Buffer Overflow Vulnerability
47243 (http://www.securityfocus.com/bid/47243)
 - Microsoft Excel 'RealTimeData' Record Parsing Remote Code Execution Vulnerability
47244 (http://www.securityfocus.com/bid/47244)
 - Microsoft Excel CVE-2011-0103 Memory Corruption Vulnerability
47245 (http://www.securityfocus.com/bid/47245)
 - Microsoft Excel CVE-2011-0104 Buffer Overflow Vulnerability
47256 (http://www.securityfocus.com/bid/47256)
 - Microsoft Excel Data Validation Record Parsing Buffer Overflow Vulnerability
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit   Microsoft Exploitability Index
CVE-2011-0097   No                 No            No           1 - Consistent exploit code likely
CVE-2011-0098   No                 No            No           1 - Consistent exploit code likely
CVE-2011-0101   No                 No            No           1 - Consistent exploit code likely
CVE-2011-0103   No                 No            No           2 - Inconsistent exploit code likely
CVE-2011-0104   No                 No            No           2 - Inconsistent exploit code likely
CVE-2011-0105   No                 No            No           2 - Inconsistent exploit code likely
CVE-2011-0978   Yes                No            No           1 - Consistent exploit code likely
CVE-2011-0979   No                 No            No           1 - Consistent exploit code likely
CVE-2011-0980   No                 No            No           1 - Consistent exploit code likely
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\Excelcnv.exe
Tested Value:12.0.6550.5004
Found Value:12.0.6545.5000

Microsoft Excel Remote Code Execution (2489279) - Excel 2007
Audit ID: 14462
Vul ID:
Risk Level: High
Sev Code: Category I
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Excel contains multiple vulnerabilities when parsing crafted Excel files. Successful exploitation could allow remote execution of arbitrary code in the context of the logged-in user.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2489279 (http://support.microsoft.com/kb/2489279)
Microsoft Security Bulletin MS11-021 (http://www.microsoft.com/technet/security/Bulletin/MS11-021.mspx)
CVE: CVE-2011-0097 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0097)
 - Excel Integer Overrun Vulnerability
CVE-2011-0098 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0098)
 - Excel Heap Overflow Vulnerability
CVE-2011-0101 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0101)
 - Excel Record Parsing WriteAV Vulnerability
CVE-2011-0103 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0103)
 - Excel Memory Corruption Vulnerability
CVE-2011-0104 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0104)
 - Excel Buffer Overwrite Vulnerability
CVE-2011-0105 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0105)
 - Excel Data Initialization Vulnerability
CVE-2011-0978 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0978)
 - Excel Array Indexing Vulnerability
CVE-2011-0979 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0979)
 - Excel Linked List Corruption Vulnerability
CVE-2011-0980 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0980)
 - Excel Dangling Pointer Vulnerability
CCE:
IAV:
BugtraqID: 46225 (http://www.securityfocus.com/bid/46225)
 - Microsoft Excel Axis Properties Remote Code Execution Vulnerability
46226 (http://www.securityfocus.com/bid/46226)
 - Microsoft Excel Office Art Object Remote Code Execution Vulnerability
47201 (http://www.securityfocus.com/bid/47201)
 - Microsoft Excel Buffer Allocation Integer Overflow Remote Code Execution Vulnerability
47235 (http://www.securityfocus.com/bid/47235)
 - Microsoft Excel CVE-2011-0098 Heap Based Buffer Overflow Vulnerability
47243 (http://www.securityfocus.com/bid/47243)
 - Microsoft Excel 'RealTimeData' Record Parsing Remote Code Execution Vulnerability
47244 (http://www.securityfocus.com/bid/47244)
 - Microsoft Excel CVE-2011-0103 Memory Corruption Vulnerability
47245 (http://www.securityfocus.com/bid/47245)
 - Microsoft Excel CVE-2011-0104 Buffer Overflow Vulnerability
47256 (http://www.securityfocus.com/bid/47256)
 - Microsoft Excel Data Validation Record Parsing Buffer Overflow Vulnerability
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit   Microsoft Exploitability Index
CVE-2011-0097   No                 No            No           1 - Consistent exploit code likely
CVE-2011-0098   No                 No            No           1 - Consistent exploit code likely
CVE-2011-0101   No                 No            No           1 - Consistent exploit code likely
CVE-2011-0103   No                 No            No           2 - Inconsistent exploit code likely
CVE-2011-0104   No                 No            No           2 - Inconsistent exploit code likely
CVE-2011-0105   No                 No            No           2 - Inconsistent exploit code likely
CVE-2011-0978   Yes                No            No           1 - Consistent exploit code likely
CVE-2011-0979   No                 No            No           1 - Consistent exploit code likely
CVE-2011-0980   No                 No            No           1 - Consistent exploit code likely
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\excel.exe
Tested Value:12.0.6550.5004
Found Value:12.0.6545.5000

Microsoft Excel Remote Code Execution (2537146) - 2007 Compatibility Pack
Audit ID: 14848
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Excel contains multiple vulnerabilities when parsing crafted Excel files. Successful exploitation could allow remote execution of arbitrary code in the context of the logged-in user.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2537146 (http://support.microsoft.com/kb/2537146)
Microsoft Security Bulletin MS11-045 (http://www.microsoft.com/technet/security/bulletin/MS11-045.mspx)
CVE: CVE-2011-1272 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1272)
 - Excel Insufficient Record Validation Vulnerability
CVE-2011-1273 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1273)
 - Excel Improper Record Parsing Vulnerability
CVE-2011-1274 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1274)
 - Excel Out of Bounds Array Access Vulnerability
CVE-2011-1275 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1275)
 - Excel Memory Heap Overwrite Vulnerability
CVE-2011-1276 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1276)
 - Excel Buffer Overrun Vulnerability
CVE-2011-1277 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1277)
 - Excel Memory Corruption Vulnerability
CVE-2011-1278 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1278)
 - Excel WriteAV Vulnerability
CVE-2011-1279 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1279)
 - Excel Out of Bounds WriteAV Vulnerability
CCE:
IAV: 2011-A-0086 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0086.htm)
 - Microsoft Excel Remote Code Execution Vulnerabilities
- NAVCIRT: 2011-A-0086
BugtraqID: 48157 (http://www.securityfocus.com/bid/48157)
 - Microsoft Excel Insufficient Record Validation CVE-2011-1272 Remote Code Execution Vulnerability
48158 (http://www.securityfocus.com/bid/48158)
 - Microsoft Improper Record Parsing CVE-2011-1273 Remote Code Execution Vulnerability
48159 (http://www.securityfocus.com/bid/48159)
 - Microsoft Excel Array Out Of Bounds Access CVE-2011-1274 Remote Code Execution Vulnerability
48160 (http://www.securityfocus.com/bid/48160)
 - Microsoft Excel Heap Memory Corruption CVE-2011-1275 Remote Code Execution Vulnerability
48161 (http://www.securityfocus.com/bid/48161)
 - Microsoft Excel Buffer Overflow CVE-2011-1276 Remote Code Execution Vulnerability
48162 (http://www.securityfocus.com/bid/48162)
 - Microsoft Excel Memory Corruption CVE-2011-1277 Remote Code Execution Vulnerability
48163 (http://www.securityfocus.com/bid/48163)
 - Microsoft Excel WriteAV Memory Corruption CVE-2011-1278 Remote Code Execution Vulnerability
48164 (http://www.securityfocus.com/bid/48164)
 - Microsoft Excel Out of Bounds WriteAV CVE-2011-1279 Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-2011-1272   No                 No            No
CVE-2011-1273   No                 No            No
CVE-2011-1274   No                 No            No
CVE-2011-1275   No                 No            No
CVE-2011-1276   No                 No            No
CVE-2011-1277   No                 No            No
CVE-2011-1278   No                 No            No
CVE-2011-1279   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\Excelcnv.exe
Tested Value:12.0.6557.5000
Found Value:12.0.6545.5000

Microsoft Excel Remote Code Execution (2537146) - Excel 2007
Audit ID: 14845
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Excel contains multiple vulnerabilities when parsing crafted Excel files. Successful exploitation could allow remote execution of arbitrary code in the context of the logged-in user.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2537146 (http://support.microsoft.com/kb/2537146)
Microsoft Security Bulletin MS11-045 (http://www.microsoft.com/technet/security/bulletin/MS11-045.mspx)
CVE: CVE-2011-1272 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1272)
 - Excel Insufficient Record Validation Vulnerability
CVE-2011-1273 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1273)
 - Excel Improper Record Parsing Vulnerability
CVE-2011-1274 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1274)
 - Excel Out of Bounds Array Access Vulnerability
CVE-2011-1275 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1275)
 - Excel Memory Heap Overwrite Vulnerability
CVE-2011-1276 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1276)
 - Excel Buffer Overrun Vulnerability
CVE-2011-1277 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1277)
 - Excel Memory Corruption Vulnerability
CVE-2011-1278 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1278)
 - Excel WriteAV Vulnerability
CVE-2011-1279 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1279)
 - Excel Out of Bounds WriteAV Vulnerability
CCE:
IAV: 2011-A-0086 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0086.htm)
 - Microsoft Excel Remote Code Execution Vulnerabilities
- NAVCIRT: 2011-A-0086
BugtraqID: 48157 (http://www.securityfocus.com/bid/48157)
 - Microsoft Excel Insufficient Record Validation CVE-2011-1272 Remote Code Execution Vulnerability
48158 (http://www.securityfocus.com/bid/48158)
 - Microsoft Improper Record Parsing CVE-2011-1273 Remote Code Execution Vulnerability
48159 (http://www.securityfocus.com/bid/48159)
 - Microsoft Excel Array Out Of Bounds Access CVE-2011-1274 Remote Code Execution Vulnerability
48160 (http://www.securityfocus.com/bid/48160)
 - Microsoft Excel Heap Memory Corruption CVE-2011-1275 Remote Code Execution Vulnerability
48161 (http://www.securityfocus.com/bid/48161)
 - Microsoft Excel Buffer Overflow CVE-2011-1276 Remote Code Execution Vulnerability
48162 (http://www.securityfocus.com/bid/48162)
 - Microsoft Excel Memory Corruption CVE-2011-1277 Remote Code Execution Vulnerability
48163 (http://www.securityfocus.com/bid/48163)
 - Microsoft Excel WriteAV Memory Corruption CVE-2011-1278 Remote Code Execution Vulnerability
48164 (http://www.securityfocus.com/bid/48164)
 - Microsoft Excel Out of Bounds WriteAV CVE-2011-1279 Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-2011-1272   No                 No            No
CVE-2011-1273   No                 No            No
CVE-2011-1274   No                 No            No
CVE-2011-1275   No                 No            No
CVE-2011-1276   No                 No            No
CVE-2011-1277   No                 No            No
CVE-2011-1278   No                 No            No
CVE-2011-1279   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\excel.exe
Tested Value:12.0.6557.5000
Found Value:12.0.6545.5000

Microsoft Excel Remote Code Execution (2587505) - 2007 Compatibility Pack
Audit ID: 15188
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Excel contains multiple vulnerabilities when parsing crafted Excel files. Successful exploitation could allow remote execution of arbitrary code in the context of the logged-in user.
How To Fix: Install the appropriate patch(es) from Microsoft or through Windows Update.
Related Links: KB2587505 (http://support.microsoft.com/kb/2587505)
Microsoft Security Bulletin MS11-072 (http://www.microsoft.com/technet/security/bulletin/ms11-072.mspx)
CVE: CVE-2011-1986 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1986)
 - Excel Use after Free WriteAV Vulnerability
CVE-2011-1987 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1987)
 - Excel Out of Bounds Array Indexing Vulnerability
CVE-2011-1988 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1988)
 - Excel Heap Corruption Vulnerability
CVE-2011-1989 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1989)
 - Excel Conditional Expression Parsing Vulnerability
CVE-2011-1990 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1990)
 - Excel Out of Bounds Array Indexing Vulnerability
CCE:
IAV: 2011-A-0124 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0124.htm)
 - Multiple Vulnerabilities in Microsoft Office Excel
- NAVCIRT: 2011-A-0124
BugtraqID: 49476 (http://www.securityfocus.com/bid/49476)
 - Microsoft Excel Malformed Object CVE-2011-1986 Remote Code Execution Vulnerability
49477 (http://www.securityfocus.com/bid/49477)
 - Microsoft Excel Array Indexing CVE-2011-1987 Remote Code Execution Vulnerability
49478 (http://www.securityfocus.com/bid/49478)
 - Microsoft Excel Malformed Record CVE-2011-1988 Remote Code Execution Vulnerability
49517 (http://www.securityfocus.com/bid/49517)
 - Microsoft Excel Array Index CVE-2011-1990 Remote Code Execution Vulnerability
49518 (http://www.securityfocus.com/bid/49518)
 - Microsoft Excel Conditional Expression CVE-2011-1989 Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-2011-1986   No                 No            No
CVE-2011-1987   No                 No            No
CVE-2011-1988   No                 No            No
CVE-2011-1989   No                 No            No
CVE-2011-1990   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\Excelcnv.exe
Tested Value:12.0.6565.5003
Found Value:12.0.6545.5000

Microsoft Excel Remote Code Execution (2587505) - Excel 2007 - KB2553073
Audit ID: 15177
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Excel contains multiple vulnerabilities when parsing crafted Excel files. Successful exploitation could allow remote execution of arbitrary code in the context of the logged-in user.
How To Fix: Install the appropriate patch(es) from Microsoft or through Windows Update.
Related Links: KB2587505 (http://support.microsoft.com/kb/2587505)
Microsoft Security Bulletin MS11-072 (http://www.microsoft.com/technet/security/bulletin/ms11-072.mspx)
CVE: CVE-2011-1986 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1986)
 - Excel Use after Free WriteAV Vulnerability
CVE-2011-1987 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1987)
 - Excel Out of Bounds Array Indexing Vulnerability
CVE-2011-1988 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1988)
 - Excel Heap Corruption Vulnerability
CVE-2011-1989 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1989)
 - Excel Conditional Expression Parsing Vulnerability
CVE-2011-1990 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1990)
 - Excel Out of Bounds Array Indexing Vulnerability
CCE:
IAV: 2011-A-0124 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0124.htm)
 - Multiple Vulnerabilities in Microsoft Office Excel
- NAVCIRT: 2011-A-0124
BugtraqID: 49476 (http://www.securityfocus.com/bid/49476)
 - Microsoft Excel Malformed Object CVE-2011-1986 Remote Code Execution Vulnerability
49477 (http://www.securityfocus.com/bid/49477)
 - Microsoft Excel Array Indexing CVE-2011-1987 Remote Code Execution Vulnerability
49478 (http://www.securityfocus.com/bid/49478)
 - Microsoft Excel Malformed Record CVE-2011-1988 Remote Code Execution Vulnerability
49517 (http://www.securityfocus.com/bid/49517)
 - Microsoft Excel Array Index CVE-2011-1990 Remote Code Execution Vulnerability
49518 (http://www.securityfocus.com/bid/49518)
 - Microsoft Excel Conditional Expression CVE-2011-1989 Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-2011-1986   No                 No            No
CVE-2011-1987   No                 No            No
CVE-2011-1988   No                 No            No
CVE-2011-1989   No                 No            No
CVE-2011-1990   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\excel.exe
Tested Value:12.0.6565.5003
Found Value:12.0.6545.5000

Microsoft Excel Remote Code Execution (2587505) - Excel 2007 - KB2553089
Audit ID: 15178
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Excel contains multiple vulnerabilities when parsing crafted Excel files. Successful exploitation could allow remote execution of arbitrary code in the context of the logged-in user.
How To Fix: Install the appropriate patch(es) from Microsoft or through Windows Update.
Related Links: KB2587505 (http://support.microsoft.com/kb/2587505)
Microsoft Security Bulletin MS11-072 (http://www.microsoft.com/technet/security/bulletin/ms11-072.mspx)
CVE: CVE-2011-1986 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1986)
 - Excel Use after Free WriteAV Vulnerability
CVE-2011-1987 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1987)
 - Excel Out of Bounds Array Indexing Vulnerability
CVE-2011-1988 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1988)
 - Excel Heap Corruption Vulnerability
CVE-2011-1989 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1989)
 - Excel Conditional Expression Parsing Vulnerability
CVE-2011-1990 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1990)
 - Excel Out of Bounds Array Indexing Vulnerability
CCE:
IAV: 2011-A-0124 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0124.htm)
 - Multiple Vulnerabilities in Microsoft Office Excel
- NAVCIRT: 2011-A-0124
BugtraqID: 49476 (http://www.securityfocus.com/bid/49476)
 - Microsoft Excel Malformed Object CVE-2011-1986 Remote Code Execution Vulnerability
49477 (http://www.securityfocus.com/bid/49477)
 - Microsoft Excel Array Indexing CVE-2011-1987 Remote Code Execution Vulnerability
49478 (http://www.securityfocus.com/bid/49478)
 - Microsoft Excel Malformed Record CVE-2011-1988 Remote Code Execution Vulnerability
49517 (http://www.securityfocus.com/bid/49517)
 - Microsoft Excel Array Index CVE-2011-1990 Remote Code Execution Vulnerability
49518 (http://www.securityfocus.com/bid/49518)
 - Microsoft Excel Conditional Expression CVE-2011-1989 Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-2011-1986   No                 No            No
CVE-2011-1987   No                 No            No
CVE-2011-1988   No                 No            No
CVE-2011-1989   No                 No            No
CVE-2011-1990   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\Oart.dll
Tested Value:12.0.6565.5000
Found Value:12.0.6425.1000

Microsoft Excel Remote Code Execution (2587505) - Excel 2007 - KB2553090
Audit ID: 15179
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Excel contains multiple vulnerabilities when parsing crafted Excel files. Successful exploitation could allow remote execution of arbitrary code in the context of the logged-in user.
How To Fix: Install the appropriate patch(es) from Microsoft or through Windows Update.
Related Links: KB2587505 (http://support.microsoft.com/kb/2587505)
Microsoft Security Bulletin MS11-072 (http://www.microsoft.com/technet/security/bulletin/ms11-072.mspx)
CVE: CVE-2011-1986 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1986)
 - Excel Use after Free WriteAV Vulnerability
CVE-2011-1987 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1987)
 - Excel Out of Bounds Array Indexing Vulnerability
CVE-2011-1988 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1988)
 - Excel Heap Corruption Vulnerability
CVE-2011-1989 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1989)
 - Excel Conditional Expression Parsing Vulnerability
CVE-2011-1990 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1990)
 - Excel Out of Bounds Array Indexing Vulnerability
CCE:
IAV: 2011-A-0124 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0124.htm)
 - Multiple Vulnerabilities in Microsoft Office Excel
- NAVCIRT: 2011-A-0124
BugtraqID: 49476 (http://www.securityfocus.com/bid/49476)
 - Microsoft Excel Malformed Object CVE-2011-1986 Remote Code Execution Vulnerability
49477 (http://www.securityfocus.com/bid/49477)
 - Microsoft Excel Array Indexing CVE-2011-1987 Remote Code Execution Vulnerability
49478 (http://www.securityfocus.com/bid/49478)
 - Microsoft Excel Malformed Record CVE-2011-1988 Remote Code Execution Vulnerability
49517 (http://www.securityfocus.com/bid/49517)
 - Microsoft Excel Array Index CVE-2011-1990 Remote Code Execution Vulnerability
49518 (http://www.securityfocus.com/bid/49518)
 - Microsoft Excel Conditional Expression CVE-2011-1989 Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit
CVE-2011-1986  No                No           No
CVE-2011-1987  No                No           No
CVE-2011-1988  No                No           No
CVE-2011-1989  No                No           No
CVE-2011-1990  No                No           No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\Oartconv.dll
Tested Value:12.0.6565.5000
Found Value:12.0.6425.1000

Microsoft HTML Help Buffer Overflow (Zero-Day)
Audit ID: 14991
Vul ID:
Risk Level: High
Sev Code: Category I
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft HTML Help contains a stack-based buffer overflow when parsing crafted .chm files. Successful exploitation could lead to arbitrary code execution.
How To Fix: There is no patch available from the vendor. Avoid opening files from untrusted sources; however, this should not be considered a complete solution, as trusted sources may themselves be compromised.
Related Links: eEye Digital Security Advisory ZD20110412 (http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2011/20110412)
Exploit DB - 17158 (http://www.exploit-db.com/exploits/17158/)
CVE:
CCE:
IAV:
BugtraqID: 47330 (http://www.securityfocus.com/bid/47330)
 - Microsoft HTML Help '.chm' File Stack Buffer Overflow Vulnerability
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Windows\hh.exe

Microsoft Internet Explorer 8 Remote Code Execution (Zero-Day)
Audit ID: 12455
Vul ID:
Risk Level: High
Sev Code: Category I
PCI Severity Level:
CVSS Score: 10 [AV:N/AC:L/Au:N/C:C/I:C/A:C] (http://nvd.nist.gov/cvss.cfm?version=2&vector=[AV:N/AC:L/Au:N/C:C/I:C/A:C]&name=CVE-2010-1118)
Category: Miscellaneous
Description: Microsoft Internet Explorer contains unspecified vulnerabilities when parsing documents containing specially crafted data. Successful exploitation could allow execution of arbitrary code.
How To Fix: The best available mitigation is to configure Internet Explorer's zone settings to be more restrictive and to browse only trusted web sites. These measures will help deter exploitation but will not fix the vulnerability.
Related Links: eEye Digital Security Advisory ZD20100324 (http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2010/20100324)
CVE: CVE-2010-1117 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1117)
 - Heap-based buffer overflow in Internet Explorer 8 on Microsoft Windows 7 allows remote attackers to discover the base address of a Windows .dll file, and possibly have unspecified other impact, via unknown vectors, as demonstrated by Peter Vreugdenhil during a Pwn2Own competition at CanSecWest 2010.
CVE-2010-1118 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1118)
 - Unspecified vulnerability in Internet Explorer 8 on Microsoft Windows 7 allows remote attackers to execute arbitrary code via unknown vectors, possibly related to a use-after-free issue, as demonstrated by Peter Vreugdenhil during a Pwn2Own competition at CanSecWest 2010.
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit
CVE-2010-1117  No                No           No
CVE-2010-1118  No                No           No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Windows\system32\mshtml.dll
Tested Value:^8\..*$
Found Value:8.0.7600.16912

Microsoft Office PowerPoint Code Execution (2489283) - PowerPoint 2007
Audit ID: 14510
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Office PowerPoint contains multiple vulnerabilities when handling crafted files. Successful exploitation could allow execution of arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2489283 (http://support.microsoft.com/kb/2489283)
Microsoft Security Bulletin MS11-022 (http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx)
CVE: CVE-2011-0655 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0655)
 - Floating Point Techno-color Time Bandit RCE Vulnerability
CVE-2011-0656 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0656)
 - Persist Directory RCE Vulnerability
CVE-2011-0976 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0976)
 - OfficeArt Atom RCE Vulnerability
CCE:
IAV: 2011-A-0047 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0047.htm)
 - Multiple Vulnerabilities in Microsoft Office PowerPoint
- NAVCIRT: 2011-A-0047
BugtraqID: 46228 (http://www.securityfocus.com/bid/46228)
 - Microsoft PowerPoint OfficeArt Remote Code Execution Vulnerability
47251 (http://www.securityfocus.com/bid/47251)
 - Microsoft PowerPoint Invalid 'PersistDirectoryEntry' Record Remote Code Execution Vulnerability
47252 (http://www.securityfocus.com/bid/47252)
 - Microsoft PowerPoint Invalid 'TimeColorBehaviorContainer' Record Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit  Microsoft Exploitability Index
CVE-2011-0655  No                No           No          2 - Inconsistent exploit code likely
CVE-2011-0656  No                No           No          2 - Inconsistent exploit code likely
CVE-2011-0976  No                No           No          1 - Consistent exploit code likely
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\Ppcore.dll
Tested Value:12.0.6550.5000
Found Value:12.0.6535.5002

Microsoft Office PowerPoint Code Execution (2489283) - PowerPoint Viewer 2007
Audit ID: 14514
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Office PowerPoint contains multiple vulnerabilities when handling crafted files. Successful exploitation could allow execution of arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2489283 (http://support.microsoft.com/kb/2489283)
Microsoft Security Bulletin MS11-022 (http://www.microsoft.com/technet/security/Bulletin/MS11-022.mspx)
CVE: CVE-2011-0655 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0655)
 - Floating Point Techno-color Time Bandit RCE Vulnerability
CVE-2011-0656 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0656)
 - Persist Directory RCE Vulnerability
CVE-2011-0976 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0976)
 - OfficeArt Atom RCE Vulnerability
CCE:
IAV: 2011-A-0047 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0047.htm)
 - Multiple Vulnerabilities in Microsoft Office PowerPoint
- NAVCIRT: 2011-A-0047
BugtraqID: 46228 (http://www.securityfocus.com/bid/46228)
 - Microsoft PowerPoint OfficeArt Remote Code Execution Vulnerability
47251 (http://www.securityfocus.com/bid/47251)
 - Microsoft PowerPoint Invalid 'PersistDirectoryEntry' Record Remote Code Execution Vulnerability
47252 (http://www.securityfocus.com/bid/47252)
 - Microsoft PowerPoint Invalid 'TimeColorBehaviorContainer' Record Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit  Microsoft Exploitability Index
CVE-2011-0655  No                No           No          2 - Inconsistent exploit code likely
CVE-2011-0656  No                No           No          2 - Inconsistent exploit code likely
CVE-2011-0976  No                No           No          1 - Consistent exploit code likely
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\Pptview.exe
Tested Value:12.0.6550.5000
Found Value:12.0.6545.5004

Microsoft Office PowerPoint Code Execution (2545814) - PowerPoint 2007
Audit ID: 14642
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Office PowerPoint contains multiple vulnerabilities when handling crafted files. Successful exploitation could allow execution of arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.

Note: In addition to the patches for PowerPoint 2007 SP2, Microsoft states that users need to install the Compatibility Pack/File Formats patch to be fully protected from the vulnerabilities within MS11-036.
Related Links: KB2545814 (http://support.microsoft.com/kb/2545814)
Microsoft Security Bulletin MS11-036 (http://www.microsoft.com/technet/security/bulletin/MS11-036.mspx)
CVE: CVE-2011-1269 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1269)
 - Presentation Memory Corruption RCE Vulnerability
CVE-2011-1270 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1270)
 - Presentation Buffer Overrun RCE Vulnerability
CCE:
IAV: 2011-A-0063 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0063.htm)
 - Multiple Vulnerabilities in Microsoft Office PowerPoint
- NAVCIRT: 2011-A-0063
BugtraqID: 47699 (http://www.securityfocus.com/bid/47699)
 - Microsoft PowerPoint (CVE-2011-1270) Remote Buffer Overflow Vulnerability
47700 (http://www.securityfocus.com/bid/47700)
 - Microsoft PowerPoint (CVE-2011-1269) Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit  Microsoft Exploitability Index
CVE-2011-1269  No                No           No          1 - Consistent exploit code likely
CVE-2011-1270  No                No           No          3 - Functioning exploit code unlikely
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\Ppcore.dll
Tested Value:12.0.6557.5001
Found Value:12.0.6535.5002

Microsoft Office PowerPoint Code Execution (2639142) - PowerPoint 2007
Audit ID: 15653
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Office PowerPoint contains multiple vulnerabilities when handling crafted files containing OfficeArt shapes and when loading library files. Successful exploitation could allow execution of arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2639142 (http://support.microsoft.com/kb/2639142)
Microsoft Security Bulletin MS11-094 (http://technet.microsoft.com/en-us/security/bulletin/MS11-094)
CVE: CVE-2011-3396 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3396)
 - PowerPoint Insecure Library Loading Vulnerability
CVE-2011-3413 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3413)
 - OfficeArt Shape RCE Vulnerability
CCE:
IAV: 2011-A-0166 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0166.htm)
 - Multiple Remote Code Execution Vulnerabilities in Microsoft Office PowerPoint
- NAVCIRT: 2011-A-0166
BugtraqID: 50964 (http://www.securityfocus.com/bid/50964)
 - Microsoft PowerPoint OfficeArt CVE-2011-3413 Remote Code Execution Vulnerability
50967 (http://www.securityfocus.com/bid/50967)
 - Microsoft PowerPoint CVE-2011-3396 DLL Loading Arbitrary Code Execution Vulnerability
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit
CVE-2011-3396  No                No           No
CVE-2011-3413  No                No           No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\Ppcore.dll
Tested Value:12.0.6600.1000
Found Value:12.0.6535.5002

Microsoft Office PowerPoint Code Execution (2639142) - PowerPoint Viewer 2007
Audit ID: 15657
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Office PowerPoint contains multiple vulnerabilities when handling crafted files containing OfficeArt shapes and when loading library files. Successful exploitation could allow execution of arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2639142 (http://support.microsoft.com/kb/2639142)
Microsoft Security Bulletin MS11-094 (http://technet.microsoft.com/en-us/security/bulletin/MS11-094)
CVE: CVE-2011-3396 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3396)
 - PowerPoint Insecure Library Loading Vulnerability
CVE-2011-3413 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3413)
 - OfficeArt Shape RCE Vulnerability
CCE:
IAV: 2011-A-0166 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0166.htm)
 - Multiple Remote Code Execution Vulnerabilities in Microsoft Office PowerPoint
- NAVCIRT: 2011-A-0166
BugtraqID: 50964 (http://www.securityfocus.com/bid/50964)
 - Microsoft PowerPoint OfficeArt CVE-2011-3413 Remote Code Execution Vulnerability
50967 (http://www.securityfocus.com/bid/50967)
 - Microsoft PowerPoint CVE-2011-3396 DLL Loading Arbitrary Code Execution Vulnerability
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit
CVE-2011-3396  No                No           No
CVE-2011-3413  No                No           No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\Pptview.exe
Tested Value:12.0.6600.1000
Found Value:12.0.6545.5004

Microsoft Office Remote Code Execution (2489293) - Office 2007
Audit ID: 14493
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Office contains multiple vulnerabilities when parsing Office files with crafted graphic objects and when loading DLL files. Successful exploitation could allow execution of arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2489293 (http://support.microsoft.com/kb/2489293)
Microsoft Security Bulletin MS11-023 (http://www.microsoft.com/technet/security/bulletin/MS11-023.mspx)
CVE: CVE-2011-0107 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0107)
 - A remote code execution vulnerability exists in the way that Microsoft Office handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CVE-2011-0977 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0977)
 - A remote code execution vulnerability exists in the way that Microsoft Office handles graphic objects when parsing a specially crafted Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CCE:
IAV: 2011-A-0045 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0045.htm)
 - Multiple Vulnerabilities in Microsoft Office
- NAVCIRT: 2011-A-0045
BugtraqID: 46227 (http://www.securityfocus.com/bid/46227)
 - Microsoft Excel Drawing Layer Dangling Pointer Remote Code Execution Vulnerability
47246 (http://www.securityfocus.com/bid/47246)
 - Microsoft Office Shared Component DLL Loading Arbitrary Code Execution Vulnerability
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit  Microsoft Exploitability Index
CVE-2011-0107  No                No           No          1 - Consistent exploit code likely
CVE-2011-0977  No                No           No          2 - Inconsistent exploit code likely
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value:REGEX,T,WB,Microsoft Office (Basic|Enterprise|(Home and Student)|(Professional Plus)|Professional|(Small Business Management)|(Small Business)|Standard|Ultimate).*2007
Found Value:Microsoft Office Professional Plus 2007

Microsoft Office Remote Code Execution (2587634) - 2007
Audit ID: 15173
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Office (MSO) contains multiple vulnerabilities when handling crafted Office files. Successful exploitation could allow an attacker to execute arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2587634 (http://support.microsoft.com/kb/2587634)
Microsoft Security Bulletin MS11-073 (http://www.microsoft.com/technet/security/bulletin/MS11-073.mspx)
CVE: CVE-2011-1980 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1980)
 - Office Component Insecure Library Loading Vulnerability
CVE-2011-1982 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1982)
 - Office Uninitialized Object Pointer Vulnerability
CCE:
IAV: 2011-A-0125 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0125.htm)
 - Multiple Vulnerabilities in Microsoft Office
- NAVCIRT: 2011-A-0125
BugtraqID: 49513 (http://www.securityfocus.com/bid/49513)
 - Microsoft Office 'MSO.dll' Uninitialized Pointer (CVE-2011-1982) Remote Code Execution Vulnerability
49519 (http://www.securityfocus.com/bid/49519)
 - Microsoft Office Shared Component CVE-2011-1980 DLL Loading Arbitrary Code Execution Vulnerability
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit
CVE-2011-1980  No                No           No
CVE-2011-1982  No                No           No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value:REGEX,T,WB,Microsoft Office (Basic|Enterprise|(Home and Student)|(Professional Plus)|Professional|(Small Business Management)|(Small Business)|Standard|Ultimate).*2007
Found Value:Microsoft Office Professional Plus 2007

Microsoft Office Remote Code Execution (2590602) - 2007
Audit ID: 15649
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Office contains a vulnerability in a shared Office component when handling crafted Word files. Successful exploitation could allow an attacker to execute arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2590602 (http://support.microsoft.com/kb/2590602)
Microsoft Security Bulletin MS11-089 (http://technet.microsoft.com/en-us/security/bulletin/MS11-089)
CVE: CVE-2011-1983 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1983)
 - Word Use After Free Vulnerability
CCE:
IAV: 2011-A-0163 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0163.htm)
 - Microsoft Office Remote Code Execution Vulnerability
- NAVCIRT: 2011-A-0163
BugtraqID: 50956 (http://www.securityfocus.com/bid/50956)
 - Microsoft Word Access Violation Remote Code Execution Vulnerability
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit
CVE-2011-1983  No                No           No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Common Files\Microsoft Shared\OFFICE12\Msptls.dll
Tested Value:12.0.6654.5000
Found Value:12.0.6421.1000

Microsoft Publisher Remote Code Execution (2607702) - 2007
Audit ID: 15637
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Publisher contains multiple memory corruption vulnerabilities when handling crafted Publisher files. Successful exploitation could allow execution of arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2607702 (http://support.microsoft.com/kb/2607702)
Microsoft Security Bulletin MS11-091 (http://technet.microsoft.com/en-us/security/bulletin/MS11-091)
CVE: CVE-2011-1508 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1508)
 - Publisher Function Pointer Overwrite Vulnerability
CVE-2011-3410 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3410)
 - Publisher Out-of-bounds Array Index Vulnerability
CVE-2011-3411 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3411)
 - Publisher Invalid Pointer Vulnerability
CVE-2011-3412 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3412)
 - Publisher Memory Corruption Vulnerability
CCE:
IAV: 2011-A-0172 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Alerts/2011/2011-a-0172.htm)
 - Microsoft Office Publisher Remote Code Execution Vulnerability
- NAVCIRT: 2011-A-0172
BugtraqID: 50090 (http://www.securityfocus.com/bid/50090)
 - Microsoft Publisher '.pub' File 'pubconv.dll' Memory Corruption Remote Code Execution Vulnerability
50943 (http://www.securityfocus.com/bid/50943)
 - Microsoft Publisher Out of Bound Array Index Remote Code Execution Vulnerability
50949 (http://www.securityfocus.com/bid/50949)
 - Microsoft Publisher Invalid Pointer Remote Code Execution Vulnerability
50955 (http://www.securityfocus.com/bid/50955)
 - Microsoft Publisher (CVE-2011-3412) Remote Memory Corruption Vulnerability
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit
CVE-2011-1508  No                No           No
CVE-2011-3410  No                No           No
CVE-2011-3411  No                No           No
CVE-2011-3412  No                No           No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Program Files\Microsoft Office\Office12\Mspub.exe
Tested Value:12.0.6652.5000
Found Value:12.0.6546.5000

Microsoft Windows MFC DLL Preloading (2500212) - VC++ 2010 Redistributable
Audit ID: 14530
Vul ID:
Risk Level: High
Sev Code: Category II
PCI Severity Level: High (Default)
CVSS Score:
Category: Windows
Description: Microsoft Foundation Class (MFC) Library contains an insecure library loading vulnerability. Opening files from attacker controlled locations (e.g. a WebDAV server) could allow the attacker to execute arbitrary code.
How To Fix: Install the appropriate patch from Microsoft or through Windows Update.
Related Links: KB2500212 (http://support.microsoft.com/kb/2500212)
Microsoft Security Bulletin MS11-025 (http://www.microsoft.com/technet/security/bulletin/MS11-025.mspx)
CVE: CVE-2010-3190 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3190)
 - A remote code execution vulnerability exists in the way that certain applications built using Microsoft Foundation Classes (MFC) handle the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CCE:
IAV: 2011-B-0046 (https://www.cybercom.mil/J3/IAVM/Vulnerability%20Bulletins/2011/2011-b-0046.htm)
 - Microsoft Foundation Class (MFC) Library Remote Code Execution Vulnerability
- NAVCIRT: 2011-B-0046
BugtraqID: 42811 (http://www.securityfocus.com/bid/42811)
 - Microsoft ATL/MFC Trace Tool 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit  Microsoft Exploitability Index
CVE-2010-3190  No                No           No          1 - Consistent exploit code likely
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value:OPEN,A,WB,MISSING_KB2467173
Found Value:RTM

Auto Sharing Drive Problem - Server
Audit ID: 418
Vul ID:
Risk Level: Medium
Sev Code: Category III
PCI Severity Level: Low (Default)
CVSS Score:
Category: Registry
Description: By default, all drives on a machine are shared using hard-coded administrative ACLs. Even if these shares are removed, they are recreated each time the system reboots. Note: disabling automatic drive sharing on the target may hinder Retina's ability to scan the target. Disable drive sharing only if your local security policy requires it.
How To Fix: To remove this functionality, set the following Registry key settings:
Hive: HKEY_LOCAL_MACHINE
Path: System\CurrentControlSet\Services\LanmanServer\Parameters
Key: AutoShareServer
Type: DWORD
Value: 0
Related Links:
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value:READ,F,WB,AutoShareServer

Auto Sharing Drive Problem - Wks
Audit ID: 419
Vul ID:
Risk Level: Medium
Sev Code: Category III
PCI Severity Level: Low (Default)
CVSS Score:
Category: Registry
Description: By default, all drives on a machine are shared using hard-coded administrative ACLs. Even if these shares are removed, they are recreated each time the system reboots. Note: disabling automatic drive sharing on the target may hinder Retina's ability to scan the target. Disable drive sharing only if your local security policy requires it.
How To Fix: To remove this functionality, set the following Registry key settings:
Hive: HKEY_LOCAL_MACHINE
Path: System\CurrentControlSet\Services\LanmanServer\Parameters
Key: AutoShareWks
Type: DWORD
Value: 0
Related Links:
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value:READ,F,WB,AutoShareWks

Microsoft Internet Explorer Cached Content Information Disclosure (Zero-Day)
Audit ID: 13117
Vul ID:
Risk Level: Medium
Sev Code: Category II
PCI Severity Level: High (CVSS Score)
CVSS Score: 9.3 [AV:N/AC:M/Au:N/C:C/I:C/A:C] (http://nvd.nist.gov/cvss.cfm?version=2&vector=[AV:N/AC:M/Au:N/C:C/I:C/A:C]&name=CVE-2010-0255)
Category: Windows
Description: Microsoft Internet Explorer, when not configured for Protected mode, contains a vulnerability that could potentially cause sensitive information to be disclosed. If an attacker is able to determine the username on the system and cache content in a predictable location, then the attacker may be able to access the user's files.

Note: Due to the unavailability of a complete patch, this audit will always report a finding even if workarounds have been implemented or if protected mode has been enabled.
How To Fix: Microsoft released MS10-035 to address the known attack vector in Internet Explorer 7 and 8; however, all versions of Internet Explorer remain susceptible to potential exploitation if the attacker can determine the username on the system and cache content in a predictable location. It is therefore recommended that the workarounds provided in Microsoft Security Advisory 980088 be considered in order to deter potential exploitation.
Related Links: Core Advisory - CORE-2009-0625 (http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag)
KB980088 (http://support.microsoft.com/kb/980088)
Microsoft Advisory - 980088 (http://www.microsoft.com/technet/security/advisory/980088.mspx)
Microsoft Security Bulletin MS10-035 (http://www.microsoft.com/technet/security/bulletin/ms10-035.mspx)
CVE: CVE-2010-0255 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0255)
 - Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via vectors involving JavaScript exploit code that constructs a reference to a file://127.0.0.1 URL, aka the dynamic OBJECT tag vulnerability, as demonstrated by obtaining the data from an index.dat file, a variant of CVE-2009-1140 and related to CVE-2008-1448.
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit  Microsoft Exploitability Index
CVE-2010-0255  No                No           No          2 - Inconsistent exploit code likely
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context:\\10.10.10.119\C$\Windows\system32\mshtml.dll
Tested Value:^[5-8]\..*$
Found Value:8.0.7600.16912

Microsoft Windows Service Isolation Privilege Escalation (Zero-Day) - SQL Server
Audit ID: 13413
Vul ID:
Risk Level: Medium
Sev Code: Category II
PCI Severity Level: Medium (CVSS Score)
CVSS Score: 6.8 [AV:L/AC:L/Au:S/C:C/I:C/A:C] (http://nvd.nist.gov/cvss.cfm?version=2&vector=[AV:L/AC:L/Au:S/C:C/I:C/A:C]&name=CVE-2010-1886)
Category: Windows
Description: Microsoft Windows systems with Internet Information Services (IIS), SQL Server, and Windows Telephony Application Programming Interfaces (TAPI) contain a security issue in the way the Windows Service Isolation feature handles processes running under the NetworkService account. An attacker able to execute untrusted code within a process owned by the NetworkService account could gain LocalSystem privileges and thus execute arbitrary code with elevated privileges.

Note: This audit may report findings on systems that have appropriate mitigations in place.
How To Fix: Manually verify that applications are configured using mitigations and suggested actions in Microsoft Advisory 2264072, or apply the appropriate update.
Related Links: eEye Digital Security Advisory ZD20100811 (http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2010/20100811)
KB982316 (http://support.microsoft.com/kb/982316)
Microsoft Advisory - 2264072 (http://www.microsoft.com/technet/security/advisory/2264072.mspx)
CVE: CVE-2010-1886 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1886)
 - Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 SP2 and R2, and Windows 7 allow local users to gain privileges by leveraging access to a process with NetworkService credentials, as demonstrated by TAPI Server, SQL Server, and IIS processes, and related to the Windows Service Isolation feature. NOTE: the vendor states that privilege escalation from NetworkService to LocalSystem does not cross a "security boundary."
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
CVE-ID         Exploit Database  Core Impact  Metasploit
CVE-2010-1886  No                No           No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value:OPEN,T,WB,HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer

Microsoft Windows Service Isolation Privilege Escalation (Zero-Day) - TAPI
Audit ID: 13415
Vul ID:
Risk Level: Medium
Sev Code: Category II
PCI Severity Level: Medium (CVSS Score)
CVSS Score: 6.8 [AV:L/AC:L/Au:S/C:C/I:C/A:C] (http://nvd.nist.gov/cvss.cfm?version=2&vector=[AV:L/AC:L/Au:S/C:C/I:C/A:C]&name=CVE-2010-1886)
Category: Windows
Description: Microsoft Windows systems with Internet Information Services (IIS), SQL Server, and Windows Telephony Application Programming Interfaces (TAPI) contain a security issue in the way the Windows Service Isolation feature handles processes running under the NetworkService account. An attacker able to execute untrusted code within a process owned by the NetworkService account could gain LocalSystem privileges and thus execute arbitrary code with elevated privileges.

Note: This audit may report findings on systems that have appropriate mitigations in place.
How To Fix: Manually verify that applications are configured using mitigations and suggested actions in Microsoft Advisory 2264072, or apply the appropriate update.
Related Links: eEye Digital Security Advisory ZD20100811 (http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2010/20100811)
KB982316 (http://support.microsoft.com/kb/982316)
Microsoft Advisory - 2264072 (http://www.microsoft.com/technet/security/advisory/2264072.mspx)
CVE: CVE-2010-1886 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1886)
 - Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 SP2 and R2, and Windows 7 allow local users to gain privileges by leveraging access to a process with NetworkService credentials, as demonstrated by TAPI Server, SQL Server, and IIS processes, and related to the Windows Service Isolation feature. NOTE: the vendor states that privilege escalation from NetworkService to LocalSystem does not cross a "security boundary."
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-2010-1886   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: OPEN,A,WB,TAPI_7-2008R2_KB982316

MS RAS Encrypt
Audit ID: 208
Vul ID:
Risk Level: Medium
Sev Code: Category II
PCI Severity Level: Low (Default)
CVSS Score:
Category: Remote Access
Description: The current MS RAS (Remote Access Server) is not encrypting data transfers. It is recommended to encrypt all transfers between client and server.
How To Fix: To force encrypted transfers set the following Registry key settings:
Hive: HKEY_LOCAL_MACHINE
Path: System\CurrentControlSet\Services\RASMAN\PPP
Key: ForceEncryptedData
Type: REG_DWORD
Value: 1
Related Links:
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: READ,F,WB,ForceEncryptedData

MS RAS Logging
Audit ID: 209
Vul ID:
Risk Level: Medium
Sev Code: Category II
PCI Severity Level: Low (Default)
CVSS Score:
Category: Registry
Description: The current MS RAS (Remote Access Server) is not logging connections. It is recommended to log all RAS connection information.
How To Fix: To enable logging, set the following Registry key settings:
Hive: HKEY_LOCAL_MACHINE
Path: System\CurrentControlSet\Services\Rasman\Parameters
Key: Logging
Type: REG_DWORD
Value: 1
Related Links:
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: READ,F,WB,Logging

MSCHAPv2 VPN
Audit ID: 185
Vul ID:
Risk Level: Medium
Sev Code: Category II
PCI Severity Level: Low (Default)
CVSS Score:
Category: Registry
Description: It is recommended to enforce MSCHAP V2; this forces the server to drop any VPN (Virtual Private Network) connections that do not use MSCHAP V2 authentication.
How To Fix: To enforce MSCHAP V2 set the following key:
Hive: HKEY_LOCAL_MACHINE
Path: System\CurrentControlSet\Services\RasMan\PPP
Key: SecureVPN
Type: REG_DWORD
Value: 1
Related Links:
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: READ,F,WB,SecureVPN

PPP Client Security
Audit ID: 219
Vul ID:
Risk Level: Medium
Sev Code: Category II
PCI Severity Level: Low (Default)
CVSS Score:
Category: Remote Access
Description: By default, users are permitted to make RAS connections without any sort of authentication. It is recommended that you require users to authenticate themselves.
How To Fix: To require authentication set the following key:
Hive: HKEY_LOCAL_MACHINE
Path: System\CurrentControlSet\Services\Rasman\PPP
Key: ForceEncryptedPassword
Type: REG_DWORD
Value: 2
Related Links:
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: READ,F,WB,ForceEncryptedPassword

Windows Repair Directory Readable By Everyone
Audit ID: 2117
Vul ID:
Risk Level: Medium
Sev Code: Category II
PCI Severity Level:
CVSS Score:
Category: Miscellaneous
Description: Retina has detected that the %SYSTEMROOT%\Repair directory is readable by unprivileged users. This may allow a malicious user to extract account names and password hashes from the target system, which, depending on the strength of the passwords, could allow them to recover the original passwords for some or all accounts.
How To Fix: Adjust the file permissions on the Repair directory to only grant Power Users, Administrators, and the SYSTEM user read access to the files it contains. If the drive on which %SYSTEMROOT% is located does not support file permissions, convert it to NTFS immediately or completely restrict unprivileged users' access to the drive.
Related Links: Microsoft TechNet - Where NT Stores Passwords (http://technet.microsoft.com/en-us/library/cc723740.aspx)
CVE:
CCE:
IAV:
BugtraqID: 5894 (http://www.securityfocus.com/bid/5894)
 - Microsoft Windows XP System Restore Folder Permissions Weakness
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context: %SystemRoot%\Repair

Allocate CDROMS
Audit ID: 166
Vul ID:
Risk Level: Low
Sev Code: Category III
PCI Severity Level: High (CVSS Score)
CVSS Score: 10 [AV:N/AC:L/Au:N/C:C/I:C/A:C] (http://nvd.nist.gov/cvss.cfm?version=2&vector=[AV:N/AC:L/Au:N/C:C/I:C/A:C]&name=CVE-1999-0594)
Category: Registry
Description: The allocation of the CD-ROM drive should be restricted to the currently logged-in user. If an attacker is able to place a CD-ROM in the drive, this registry setting helps ensure they are not able to execute a malicious program from it.
How To Fix: To restrict the allocation of CD-ROMs to only the interactive user, set the following registry key settings:
Hive: HKEY_LOCAL_MACHINE
Path: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: AllocateCDRoms
Type: REG_SZ
Data: 1
Related Links:
CVE: CVE-1999-0594 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0594)
 - A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive.
CCE: CCE-2858-9 (http://cce.mitre.org)
 - Determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, a shared CD-ROM drive can still be accessed over the network. Default: Disabled. Note: When enabled, it has been reported that this policy blocks any MSI installation launched from the CD. Error number 1311 occurs. The MSI installation is successful if the installation files are copied to the local hard drive and launched from there, or if the policy is disabled. There are reports this can also affect CD burning.
CCE-2974-4 (http://cce.mitre.org)
 - Determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, a shared CD-ROM drive can still be accessed over the network. Default: Disabled. Note: When enabled, it has been reported that this policy blocks any MSI installation launched from the CD. Error number 1311 occurs. The MSI installation is successful if the installation files are copied to the local hard drive and launched from there, or if the policy is disabled. There are reports this can also affect CD burning.
IAV:
BugtraqID:
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-1999-0594   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: CMP,F,WB,1
Found Value: 0

Force User to Log Out if Shell Crashes
Audit ID: 885
Vul ID:
Risk Level: Low
Sev Code: Category III
PCI Severity Level: Low (Default)
CVSS Score:
Category: Registry
Description: The system is not configured to force users to restart the interface by logging off and logging on again when the user interface or one of its components stops unexpectedly. Users may be able to surmount various restrictions placed on them if the shell crashes.
How To Fix: To force the user to log out if the shell crashes, edit the following registry settings:
Hive: HKEY_LOCAL_MACHINE
Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: AutoRestartShell
Type: DWORD
Data: 0
Related Links: Microsoft TechNet - 2000 (http://technet.microsoft.com/en-us/library/cc939703.aspx)
Microsoft TechNet - 2003 (http://technet.microsoft.com/en-us/library/cc776814.aspx)
Microsoft TechNet - AutoRestartShell (http://technet.microsoft.com/de-de/library/cc776814.aspx)
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: CMP,F,WB,0
Found Value: 1

Microsoft File System Object Registered
Audit ID: 978
Vul ID:
Risk Level: Low
Sev Code: Category III
PCI Severity Level: Low (Default)
CVSS Score:
Category: Registry
Description: Retina has detected that the File System Object is registered on the target system. The File System Object (FSO) might be used in a script to remotely gain privileges in combination with another scripting attack. The FSO allows the instantiating script to manipulate the file system (e.g. delete files, create folders) and may potentially allow arbitrary code execution.
How To Fix: This is a security-related warning. The File System Object (FSO) should be disabled and restricted if not needed for administrative tasks or core applications*.

To unregister the File System Object, perform one of the following:
  • Delete the FSO registry keys "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}" and "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}", including their subkeys.
  or
  • Unregister the FSO using the Microsoft "regsvr32" utility. Obtain the FSO file path by using the registry editor to view "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\(Default)". From a command prompt or the Run menu, execute regsvr32 /u FILEPATH to unregister the FSO, where FILEPATH is the data obtained from the (Default) registry value. Successful unregistration is indicated by a message stating that DllUnregisterServer succeeded.


*Note: Unregistering the FSO on a machine may disable functionality in applications using the Microsoft Scripting Library.
**Note: It may be necessary to create the appropriate keys or values if such do not exist. A more thorough description can be found in Microsoft KB240797, titled "How to stop an ActiveX control from running in Internet Explorer".

To restrict the FSO from being instantiated by applications such as Internet Explorer, set the kill bit for the File System Object's CLSID. To kill bit the FSO, edit the following registry location**:
Hive: HKEY_LOCAL_MACHINE
Path: SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility
Key: {0D43FE01-F093-11CF-8940-00A0C9054228}
Value: Compatibility Flags
Type: DWORD
Data: 00000400 (hexadecimal)

Note: This audit will continue to report a finding so long as the FSO is registered, since other applications could potentially use the FSO.
Related Links: KB240797 (http://support.microsoft.com/kb/240797)
Microsoft MSDN - FileSystemObject (http://msdn.microsoft.com/en-us/library/z9ty6h50%28VS.85%29.aspx)
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: OPEN,T,WBCL,HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}

Microsoft Windows Decoy Administrator
Audit ID: 3260
Vul ID:
Risk Level: Low
Sev Code: Category III
PCI Severity Level:
CVSS Score:
Category: Accounts
Description: A decoy administrator account is either not present, or is present and enabled.
How To Fix: Rename the current "Administrator" account, and create a new standard user account called "Administrator". This will be the decoy administrator account. Finally, disable the decoy "Administrator" account.
Related Links:
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: Decoy Admin Found
Found Value: Decoy Admin Found

Microsoft Windows Registry Editor File Association Potential Security Issue
Audit ID: 977
Vul ID:
Risk Level: Low
Sev Code: Category III
PCI Severity Level: High (CVSS Score)
CVSS Score: 7.5 [AV:N/AC:L/Au:N/C:P/I:P/A:P] (http://nvd.nist.gov/cvss.cfm?version=2&vector=[AV:N/AC:L/Au:N/C:P/I:P/A:P]&name=CVE-1999-0572)
Category: Registry
Description: Microsoft Windows is currently configured to associate exported registry files (.reg) to automatically open with a registry editor (e.g. regedit.exe, notepad.exe, etc.). Although a common setting, it may allow users or potentially malicious applications to make changes to the registry.
How To Fix: To remove the registry editor file association, delete the data within the "(Default)" value in the following registry location:
Hive: HKEY_LOCAL_MACHINE
Path: SOFTWARE\Classes\regfile\shell\open\command
Value: (Default)
Type: REG_SZ
Related Links:
CVE: CVE-1999-0572 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0572)
 - .reg files are associated with the Windows NT registry editor, making the registry susceptible to Trojan Horse attacks.
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-1999-0572   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: REGEX,F,WB,^.?$
Found Value: regedit.exe "%1"

Microsoft Windows Structured Exception Handling Overwrite Protection
Audit ID: 10628
Vul ID:
Risk Level: Low
Sev Code: Category III
PCI Severity Level: Low (Default)
CVSS Score:
Category: Registry
Description: Structured Exception Handling Overwrite Protection (SEHOP) is disabled on the target system. SEHOP is a mitigation that attempts to prevent an attacker from using the Structured Exception Handler (SEH) overwrite exploitation technique.
How To Fix: This is a security-related warning. To enable Structured Exception Handling Overwrite Protection (SEHOP), edit the following registry settings:
Hive: HKEY_LOCAL_MACHINE
Path: SYSTEM\CurrentControlSet\Control\Session Manager\kernel
Value: DisableExceptionChainValidation
Type: DWORD
Data: 0

Note: This setting may cause certain applications to function improperly. A data value of 1 disables SEHOP and a value of 0 enables it. By default, SEHOP is enabled on Windows Server 2008 and disabled on Windows Vista and Windows 7.
Related Links: KB956607 (http://support.microsoft.com/kb/956607)
MSRC - Security Research & Defense (http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: READ,F,WB,DisableExceptionChainValidation

NTFS 8 Dot 3
Audit ID: 186
Vul ID:
Risk Level: Low
Sev Code: Category III
PCI Severity Level: Medium (CVSS Score)
CVSS Score: 5 [AV:N/AC:L/Au:N/C:P/I:N/A:N] (http://nvd.nist.gov/cvss.cfm?version=2&vector=[AV:N/AC:L/Au:N/C:P/I:N/A:N]&name=CVE-1999-0012)
Category: Registry
Description: NTFS can generate 8.3 short file names for backwards compatibility with older 16-bit applications. It is recommended not to use 16-bit applications on a secure server, since 8.3 names could allow attackers to bypass access restrictions for files with long file names.
How To Fix: To disable 8.3 file names set the following registry key settings:
Hive: HKEY_LOCAL_MACHINE
Path: System\CurrentControlSet\Control\FileSystem
Key: NtfsDisable8dot3NameCreation
Type: REG_DWORD
Value: 1
Related Links: KB121007 (http://support.microsoft.com/kb/121007)
KB210638 (http://support.microsoft.com/kb/210638)
KB889506 (http://support.microsoft.com/kb/889506)
Microsoft TechNet - Additional Registry Entries (http://technet.microsoft.com/en-us/library/cc766102.aspx)
Microsoft TechNet - Server 2000 (http://technet.microsoft.com/en-us/library/cc751216.aspx)
Microsoft TechNet - Server 2003 (http://technet.microsoft.com/en-us/library/cc875836.aspx)
Microsoft Technet - Threats and Countermeasures (http://technet.microsoft.com/en-us/library/dd162275.aspx)
Microsoft Technet - XP Security Compliance (http://technet.microsoft.com/en-us/library/cc163061.aspx)
CVE: CVE-1999-0012 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0012)
 - Some web servers under Microsoft Windows allow remote attackers to bypass access restrictions for files with long file names.
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-1999-0012   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: CMP,F,WB,1
Found Value: 0

Scheduler Service Potential Security Hazard
Audit ID: 899
Vul ID:
Risk Level: Low
Sev Code: Category II
PCI Severity Level: Low (Default)
CVSS Score:
Category: Registry
Description: If you do not use the Task Scheduler, you should disable the service. The Task Scheduler is often used in attacks to run trojan code, and it has also been used in the past to elevate local privileges.
How To Fix: Disable Task Scheduler Service by setting the following registry key:
Hive: HKEY_LOCAL_MACHINE
Path: SYSTEM\CurrentControlSet\Services\Schedule
Key: Start
Value: 4
Related Links:
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: CMP,F,WB,4
Found Value: 2

Windows Application Events Logs Overwritten
Audit ID: 2104
Vul ID:
Risk Level: Low
Sev Code: Category III
PCI Severity Level: Low (Default)
CVSS Score:
Category: Miscellaneous
Description: Retina has detected that the system allows Application Event logs to be overwritten when the logs are full.
How To Fix: To prevent the system from overwriting log files, follow these steps:
  1. Go to Administrative Tools, and then select Event Viewer.
  2. From Event Viewer, right click on Application Log and select Properties.
  3. Within the System Log Properties box, select Do Not Overwrite Events.
Related Links: Microsoft TechNet - Event Log Security (http://technet.microsoft.com/en-us/library/cc767918.aspx)
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: REGEX,T,WB,^([12]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]|3(0[0-9]{6}|1([0-4][0-9]{5}|5([0-2][0-9]{4}|3([0-5][0-9]{3}|6000)))))($|[^0-9.])
Found Value: 0

Windows Security Events Logs Overwritten
Audit ID: 2103
Vul ID:
Risk Level: Low
Sev Code: Category III
PCI Severity Level: Low (Default)
CVSS Score:
Category: Miscellaneous
Description: Retina has detected that the system allows Security Event logs to be overwritten when the logs are full.
How To Fix: To prevent the system from overwriting log files, follow these steps:
  1. Go to Administrative Tools, and then select Event Viewer.
  2. From Event Viewer, right click on Security Log and select Properties.
  3. Within the System Log Properties box, select Do Not Overwrite Events.
Related Links: Microsoft TechNet - Event Log Security (http://technet.microsoft.com/en-us/library/cc767918.aspx)
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: REGEX,T,WB,^([12]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]|3(0[0-9]{6}|1([0-4][0-9]{5}|5([0-2][0-9]{4}|3([0-5][0-9]{3}|6000)))))($|[^0-9.])
Found Value: 0

Windows System Events Logs Overwritten
Audit ID: 2056
Vul ID:
Risk Level: Low
Sev Code: Category III
PCI Severity Level: Low (Default)
CVSS Score:
Category: Miscellaneous
Description: Retina has detected that the system allows System Event logs to be overwritten when the logs are full.
How To Fix: To prevent the system from overwriting log files, follow these steps:
  1. Go to Administrative Tools, and then select Event Viewer.
  2. From Event Viewer, right click on System Log and select Properties.
  3. Within the System Log Properties box, select Do Not Overwrite Events.
Related Links: Microsoft TechNet - Event Log Security (http://technet.microsoft.com/en-us/library/cc767918.aspx)
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: REGEX,T,WB,^([12]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?[0-9]|3(0[0-9]{6}|1([0-4][0-9]{5}|5([0-2][0-9]{4}|3([0-5][0-9]{3}|6000)))))($|[^0-9.])
Found Value: 0

DCOM Enabled
Audit ID: 5853
Vul ID:
Risk Level: Information
Sev Code: Category IV
PCI Severity Level: Low (Denial of Service)
CVSS Score: 0 [AV:N/AC:L/Au:N/C:N/I:N/A:N] (http://nvd.nist.gov/cvss.cfm?version=2&vector=[AV:N/AC:L/Au:N/C:N/I:N/A:N]&name=CVE-1999-0658)
Category: RPC Services
Description: DCOM (Distributed Component Object Model) has been detected on the target system. Although a patched system is not necessarily vulnerable, DCOM is historically known to have many security holes. It is recommended that DCOM be disabled if not required for normal operation of the machine.
How To Fix: To disable DCOM:
  1. Click Start.
  2. Click Run.
  3. Type dcomcnfg.
  4. Press Enter.
  5. (For Windows XP and 2003 only) Click Component Services, then the Computers folder, then right-click the target machine and choose Properties.
  6. Click the Default Properties tab.
  7. Uncheck Enable Distributed COM on this computer.
  8. Click OK.
Related Links:
CVE: CVE-1999-0658 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0658)
 - DCOM is running.
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
CVE-ID          Exploit Database   Core Impact   Metasploit
CVE-1999-0658   No                 No            No
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: CMP,T,WB,Y
Found Value: Y

McAfee virus definitions version
Audit ID: 14624
Vul ID:
Risk Level: Information
Sev Code: Category IV
PCI Severity Level: Low (Default)
CVSS Score:
Category: Anti-Virus
Description: This audit reports the version of the McAfee virus definitions currently in use on the target machine in order to assist in determining if the machine's anti-virus software is out-of-date.
How To Fix: Update virus definitions.
Related Links: McAfee Definitions and Updates (http://www.mcafee.com/apps/downloads/security-updates/security-updates.aspx)
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context: 2012/01/08 rev. 6583.0

McAfee VirusScan Enterprise Detected
Audit ID: 1600
Vul ID:
Risk Level: Information
Sev Code: Category IV
PCI Severity Level: Low (Default)
CVSS Score:
Category: Anti-Virus
Description: Retina has detected that the scanned host is running McAfee VirusScan Enterprise.
How To Fix: This is only a notification.
Related Links: McAfee VirusScan Enterprise home page (http://www.mcafeesecurity.com/us/products/mcafee/antivirus/category.htm)
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Tested Value: SRCH,T,WB,VirusScan Enterprise
Found Value: McAfee VirusScan Enterprise

Microsoft Windows BitLocker Status - Protection Off
Audit ID: 14619
Vul ID:
Risk Level: Information
Sev Code: Category IV
PCI Severity Level: Low (Default)
CVSS Score:
Category: Windows
Description: This is an informational check. BitLocker protection is off on the detected drive.
How To Fix: This is an informational check to determine the status of BitLocker on drives via Windows Management Instrumentation (WMI).
Related Links:
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context: Win32_EncryptableVolume where ProtectionStatus = 0.DeviceID="\\?\Volume{290bc910-d88f-11e0-963e-806e6f6e6963}\"
Tested Value: ^[a-zA-Z]+:$
Found Value: C:

Screen Saver Inactive
Audit ID: 12739
Vul ID:
Risk Level: Information
Sev Code: Category II
PCI Severity Level: Low (Default)
CVSS Score:
Category: Windows
Description: The desktop settings on the target system indicate that the screen saver is not activated for the detected user.
How To Fix:
To ensure that a screen saver is active, set a screen saver using Display or Personalize Control Panel applet for the user, and/or create or modify the following registry settings:
Hive: HKEY_USERS
Key: ".DEFAULT" or SID\Control Panel\Desktop
Value: ScreenSaveActive
Type: REG_SZ
Data: 1
Value: SCRNSAVE.EXE
Type: REG_SZ
Data: Path\to\screensaver.scr (e.g. C:\Windows\system32\Mystify.scr)

Note: This setting may be ignored if the "No screen saver" Group Policy setting is enabled.
Related Links: KB314493 (http://support.microsoft.com/kb/314493)
Microsoft TechNet - Customizing User Logons (http://technet.microsoft.com/en-us/library/cc722469.aspx)
Microsoft TechNet - ScreenSaveActive Entry (http://technet.microsoft.com/fr-fr/library/cc787364%28WS.10%29.aspx)
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context: Win32_Desktop where not Name like 'NT AUTHORITY\\%'.Name=".DEFAULT"
Tested Value: ^False$
Found Value: false
  
Context: Win32_Desktop where not Name like 'NT AUTHORITY\\%'.Name="TBOCDRENTEST01\doim.local"
Tested Value: ^False$
Found Value: false
  
Context: Win32_Desktop where not Name like 'NT AUTHORITY\\%'.Name="TBOCDRENTEST01\drenadmin"
Tested Value: ^False$
Found Value: false

Terminal Services enabled
Audit ID: 1408
Vul ID:
Risk Level: Information
Sev Code: Category IV
PCI Severity Level: Low (Default)
CVSS Score:
Category: Remote Access
Description: Retina has detected that the scanned host has Windows Terminal Services enabled.
How To Fix: Disable Terminal Services if it is not needed; otherwise, ensure that appropriate access controls are in place.
Related Links: Microsoft Advisory 904797 (http://www.microsoft.com/technet/security/advisory/904797.mspx)
Windows 2000 Terminal Services home page (http://www.microsoft.com/windows2000/technologies/terminal/)
Windows NT 4.0 Terminal Server Edition home page (http://www.microsoft.com/ntserver/ProductInfo/terminal/)
CVE:
CCE:
IAV:
BugtraqID:
STIG:
Exploits:
Total Machines Affected: 1 (100.0% of Total Scanned)
Affected Machines:
Affected Items:
  
Context: TCP:3389
Tested Value: RBC T WB 0300000B06D00000123400
Found Value: 0300000B06D00000123400

Notes: