Exploits Against Obsolete Software
The Qualys Vulnerability Research Team periodically evaluates publicly available exploits against obsolete operating systems and software packages to determine if they are vulnerable. When an obsolete version is found to be vulnerable to an exploit, then this information is integrated into the vulnerability detection to improve the accuracy and coverage of the detection. Findings from the Qualys Vulnerability Research Team are published below.
MS11-050 - Evaluated in October 2011 - QID 100103
Vulnerable Software per Vendor Advisory: see Microsoft Advisory for full detail
Exploit Used: Metasploit 4.0.1dev
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows XP SP2 with IE7 | Remote Code Execution |
Video: Microsoft MS11-050 Exploit for Obsolete
MS10-073 - Evaluated in October 2010 - QID 90611
Vulnerable Software per Vendor Advisory: Windows XP SP3, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition Service Pack 2,Windows Vista Service Pack 1 and Windows Vista Service Pack 2,Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2,Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*,Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*,Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2,Windows 7 for 32-bit Systems,Windows 7 for x64-based Systems,Windows Server 2008 R2 for x64-based Systems*,Windows Server 2008 R2 for Itanium-based Systems
Exploit Used: http://www.exploit-db.com/exploits/15894/
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows XP SP2 | Elevation of Privilege |
| Windows XP SP1 | Elevation of Privilege |
| 2000 sp4 | Elevation of Privilege |
| Windows Vista SP0 | Elevation of Privilege |
| Windows XP SP0 | Elevation of Privilege |
| windows 2003 enterprise 32bit sp1 | Elevation of Privilege |
MS10-078 - Evaluated in October 2010 - QID 90654
Vulnerable Software per Vendor Advisory: Windows XP SP3, Windows XP Pro x64 SP2, Windows Server 2003 SP2, Windows Server 2003 x64 SP2
Exploit Used: http://www.coresecurity.com/content/ms-opentype-cff-parsing-vulnerability
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Win 2000 RTM and all SP | Elevation of Privilege |
| Win XP SP0, SP1, SP2 | Elevation of Privilege |
| Win XP x64 SP1 | Elevation of Privilege |
| Win 2003 SP0, SP1 | Elevation of Privilege |
| Win 2003 x64 SP0, SP1 | Elevation of Privilege |
Credit: Diego Juarez of Core Security Technologies for reporting the OpenType Font Validation Vulnerability (CVE-2010-2741)
MS10-071 - Evaluated in October 2010 - QID 100091
Vulnerable Software per Vendor Advisory:
- IE6 running in Windows XP SP3, Windows XP x64 SP2, Windows 2003 SP2, Windows 2003 x64 SP2, Windows 2003 SP2 for Itanium
- IE7 running in Windows XP SP3, Windows XP x64 SP2, Windows 2003 SP2, Windows 2003 x64 SP2, Windows 2003 SP2 for Itanium, Windows Vista SP1-2, Windows Vista x64 SP1-2, Windows 2008 SP0-2, Windows 2008 x64 SP0-2, Windows 2001 SP0-2 for itanium
- IE8 running in Windows XP SP3, Windows XP x64 SP2, Windows 2003 SP2, Windows 2003 x64 SP2, Windows Vista SP1-2, Windows Vista x64 SP1-2, Windows 2008 SP0-2, Windows 2008 x64 SP0-2, Windows 7, Windows 7 x64, Windows 2008 R2 x64, Windows 2008 R2 for itanium
Exploit Used: http://www.kernelhacking.com/rodrigo/advisories/CPVDT-2010-8881.txt
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| IE 6 running in XP SP2 | Remote Code Execution |
| IE 7 running in XP SP2 | Remote Code Execution |
| IE 8 running in XP SP2 | Remote Code Execution |
Credit: This vulnerability was discovered and researched by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT). For more information click here.
MS10-061 - Evaluated in September 2010 - QID 90636
Vulnerable Software per Vendor Advisory: Windows XP SP3, Windows XP x64 SP2, Windows 2003 SP2, Windows 2003 x64 SP2, Windows VISTA SP1, Windows VISTA SP2
Exploit Used: Metasploit 3.4.2dev "ms10_061_spoolss"
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows 2000 | Remote Code Execution |
| Windows XP SP1 | Remote Code Execution |
| Windows XP SP2 | Remote Code Execution |
| Windows XP x64 SP1 | Remote Code Execution |
| Windows 2003 | Elevation of Privilege |
| Windows 2003 SP1 | Elevation of Privilege |
| Windows 2003 x64 | Elevation of Privilege |
| Windows 2003 x64 SP 1 | Elevation of Privilege |
| Windows Vista | Elevation of Privilege |
MS10-047 - Evaluated in August 2010 - QID 90619
Vulnerable Software per Vendor Advisory: Windows XP SP 3, Vista SP1, Vista SP2, Vista 64 SP1, Vista 64 SP2, Windows Server 2008 for 32-bit Systems, Windows Server 2008 for 32-bit Systems Service Pack 2, Windows Server 2008 for x64-based Systems, Windows Server 2008 for x64-based Systems Service Pack 2*, Windows Server 2008 for Itanium-based Systems, Windows Server 2008 for Itanium-based Systems Service Pack 2, Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for Itanium-based Systems
Exploit Used:
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows XP SP0 | Elevation of Privilege |
| Windows XP SP1 | Elevation of Privilege |
| Windows XP SP2 | Elevation of Privilege |
| Windows 2000 32bit | Elevation of Privilege |
| Windows Vista | Denial of service |
MS10-054 - Evaluated in August 2010 - QID 90626
Vulnerable Software per Vendor Advisory: Windows XP SP3/x64 SP2, 2003 SP2, Vista SP 1/2 , 2008 SP2, Windows 7
Exploit Used: http://www.exploit-db.com/exploits/14607/
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows XP SP1 | Denial of Service |
| Windows XP SP2 | Denial of Service |
| Windows 2003 | Denial of Service |
| Windows 2003 SP1 | Denial of Service |
MS10-048 - Evaluated in August 2010 - QID 90627
Vulnerable Software per Vendor Advisory: Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista Service Pack 1 and Windows Vista Service Pack 2, Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2, Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*, Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*, Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2, Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems*, Windows Server 2008 R2 for Itanium-based Systems
Exploit Used: http://www.exploit-db.com/exploits/14608/
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows XP SP2 | Denial of Service (BSOD) |
| Windows 2003 | Denial of Service (BSOD) |
MS10-048 - Evaluated in August 2010 - QID 90627
Vulnerable Software per Vendor Advisory: Windows XP SP3, Windows XP 64 SP2
Exploit Used: http://www.exploit-db.com/exploits/14611
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows XP SP0 | Local Privilege Escalation Vulnerability |
| Windows XP SP1 | Local Privilege Escalation Vulnerability |
| Windows XP SP2 | Local Privilege Escalation Vulnerability |
| Windows XP 64 | Local Privilege Escalation Vulnerability |
| Windows XP 64 SP1 | Local Privilege Escalation Vulnerability |
MS10-051 - Evaluated in August 2010 - QID 90625
Vulnerable Software per Vendor Advisory: Windows XP SP3,Windows XP x64 Edition SP2, Windows 2003 SP2, 2003 x64 SP2, Windows Vista SP1,SP2, Windows Server 2008,SP2, Windows 7, Windows Server 2008 R2
Exploit Used: http://www.exploit-db.com/exploits/14609/
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows 2000 sp4 | Denial of Service |
| Windows XP x64 SP1 | Denial of Service |
| Windows XP SP2 | Denial of Service |
| Windows vista SP0 | Denial of Service |
MS10-038 - Evaluated in June 2010 - QID 110124
Vulnerable Software per Vendor Advisory: Microsoft Office XP SP3, Microsoft Office 2003 SP3, 2007 Microsoft Office System SP1/2, Microsoft Office Excel Viewer SP1/2, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1/2, Microsoft Office for Mac 2004/2008, Open XML File Format Converter for Mac
Exploit Used: Publically available: http://www.packetstormsecurity.org/1007-exploits/msexcel0x5d-overflow.txt
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Microsoft Office System 2007 Service Pack 0 | Remote Code Execution |
KB2286198 - Evaluated in July 2010 - QID 90616
Vulnerable Software per Vendor Advisory: Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Server 2003 SP2,Windows Server 2003 x64 Edition SP2,Windows Server 2003 with SP2 for Itanium-based Systems,Windows Vista SP1 and Windows Vista SP2,Windows Vista x64 Edition SP1 and Windows Vista x64 Edition SP2,Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems SP2,Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems SP2,Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems SP2,Windows 7 for 32-bit Systems,Windows 7 for x64-based Systems,Windows Server 2008 R2 for x64-based Systems,Windows Server 2008 R2 for Itanium-based Systems
Exploit Used: ExploitDB #14403 "Microsoft Windows Automatic LNK Shortcut File Code Execution"
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows XP SP0/1/2 32bit | Remote Code Execution |
| Windows 2003 SP1 32bit | Remote Code Execution |
| Windows Vista SP0 32 bit | Remote Code Execution |
MS10-018 - Evaluated in July 2010 - QID 100075
Vulnerable Software per Vendor Advisory: Windows 2000 SP4 with IE6 SP1, Windows XP SP2/3 with IE6/7, Windows Server 2003 SP2 with IE6/7, Windows Vista SP0/1/2 with IE7, Windows 2008 SP0/2 with IE7
Exploit Used: Metasploit 3.4.1dev "ms10_018_ie_behaviors" using "windows/exec" payload
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows XP SP0 with IE6 | Remote Code Execution |
| Windows XP SP1 with IE6 | Denial of Service |
| Windows 2003 SP1 with IE6 | Remote Code Execution |
| Windows 2003 SP1 with IE7 | Denial of Service |
Video: Windows XP SP0 + IE6 Update Version 0
Video: Windows 2003 SP1 + IE6 SP1
MS10-002 - Evaluated in July 2010 - QID 100078
Vulnerable Software per Vendor Advisory: Windows 2000 SP4 with IE6 SP1, Windows XP SP2/3 with IE6, Windows Server 2003 SP2 with IE6
Exploit Used: Metasploit 3.4.1dev "ms10_002_aurora" with payload "windows/exec"
Note: Metasploit currently only has an exploit for IE6
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows 2000 SP1 with IE6 | Remote Code Execution |
| Windows XP SP0 with IE6 | Remote Code Execution |
| Windows XP SP1 with IE6 | Remote Code Execution |
Video: Windows 2000 SP1 + IE SP1 and XP SP0/1 + IE SP0/1
MS09-072 - Evaluated in July 2010 - QID 90570
Vulnerable Software per Vendor Advisory: Windows 2000 SP4 with IE6 SP1, Windows XP SP2/3 with IE6/7, Windows Server 2003 SP2 with IE6/7, Windows Vista SP0/1/2 with IE7, Windows 2008 SP0/2 with IE7
Exploit Used: Metasploit 3.4.1dev "ms09_072_style_object" with payload "windows/exec"
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Windows XP SP0 with IE6 | Remote Code Execution |
| Windows 2003 SP0 with IE6 | Denial of Service |
Video: Microsoft MS09-072 Exploit for Obsolete Windows XP SP0 and 2003 SP0
MS09-067 - Evaluated in July 2010 - QID 110096
Vulnerable Software per Vendor Advisory: Microsoft Office Excel 2002 SP3, Microsoft Office Excel 2003 SP3, Microsoft Office Excel 2007 SP1, Microsoft Office Excel 2007 SP2
Exploit Used: Metasploit 3.4.1dev "ms09_067_excel_featheader" with payload "windows/exec"
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Office XP SP0 | Denial of Service |
| Office XP SP1 | Denial of Service |
| Office Excel 2003 SP0 | Remote Code Execution |
| Office 2007 SP0 | Denial of Service |
MS09-043 - Evaluated in July 2010 - QID 110101
Vulnerable Software per Vendor Advisory: Microsoft Office XP SP3, Microsoft Office 2003 SP3, Microsoft Office 2000 Web Components SP3, Microsoft Office XP Web Components SP3, Microsoft Office 2003 Web Components SP1 for the 2007 Microsoft Office System
Exploit Used: Metasploit 3.4.1dev "ms09_043_owc_msdso" with payload "windows/exec"
Note: Metasploit currently only has an exploit for Office Web Components
Findings:
| Additional Vulnerable Software | Impact of Exploit |
|---|---|
| Office XP SP0 | Denial of Service |
| Office XP SP1 | Remote Code Execution |
| Windows 2003 SP1 with Office XP SP2 | Remote Code Execution |
