Dial In Number 1-800-829-9747 Pin: 5453 Information About Microsoft June 2012 Security Bulletins Jonathan Ness Security Development Manager Microsoft Corporation Dustin Childs Group Manager, Response Communications Microsoft Corporation


Live Video Stream

• To receive our video stream in LiveMeeting:
– Click on Voice & Video
– Click the drop down next to the camera icon
– Select Show Main Video


What We Will Cover

• Review of June 2012 Bulletin Release Information
– New Security Bulletins
– Security Advisory 2719615
– KB 2677070 - Automatic Updater of Revoked Certificates
– Microsoft® Windows® Malicious Software Removal Tool

• Resources

• Questions and Answers: Please Submit Now
– Submit Questions via Twitter #MSFTSecWebcast


Severity and Exploitability Index

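[Chart: Severity (Critical, Important, Moderate, Low) and Exploitability Index (1 to 3) for each bulletin, with deployment priority (DP)]

| Bulletin | Product | DP |
|---|---|---|
| MS12-036 | Windows | 1 |
| MS12-037 | Internet Explorer | 1 |
| MS12-038 | .NET | 2 |
| MS12-039 | Lync | 2 |
| MS12-040 | Dynamics AX | 2 |
| MS12-041 | Windows | 3 |
| MS12-042 | Windows | 3 |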


Bulletin Deployment Priority

| Bulletin | KB | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority | Notes |
|---|---|---|---|---|---|---|---|
| MS12-037 (IE) | 2699988 | Public | Critical | 1 | RCE | 1 | All eight of the Critical-class issues in this bulletin were disclosed to Microsoft cooperatively. |
| MS12-036 (RDP) | 2685939 | Private | Critical | 1 | RCE | 1 | The issue addressed in this bulletin was cooperatively disclosed and no exploits are known to exist in the wild. |
| MS12-038 (.NET) | 2706726 | Private | Critical | 1 | RCE | 2 | A would-be attacker would have to convince a targeted customer to visit a Web site containing malicious code. |
| MS12-039 (Lync) | 2707956 | Public | Important | 1 | RCE | 2 | Includes one DLL-preloading issue as well as defense-in-depth updates for Lync and Microsoft Communicator. |
| MS12-040 (Dynamics AX) | 2709100 | Private | Important | 1 | EoP | 2 | The cross-site scripting issue addressed here affects only Dynamics AX 2012. |
| MS12-041 (KMD) | 2709162 | Private | Important | 1 | EoP | 3 | All five issues addressed require that would-be attackers have both valid logon credentials and local system access. |
| MS12-042 (Kernel) | 2711167 | Public | Important | 1 | EoP | 3 | Though one of the two issues addressed here was publicly disclosed, we have no evidence of active exploits against it. |


MS12-036: Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-0173 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products:
Windows Server 2003 SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows Server 2008 R2, Windows Server 2008 R2 SP1
Windows XP SP3, Windows Vista SP2, Windows 7

Affected Components: Remote Desktop Protocol

Deployment Priority: 1

Main Target: Terminal servers

Possible Attack Vector

• A remote unauthenticated attacker could exploit this vulnerability by sending a sequence of specially crafted RDP packets to the target system.

Impact of Attack

• An attacker who successfully exploited this vulnerability on systems for which the issue is marked as Critical could take complete control of the affected system.

• For platforms marked as moderately affected by this issue, exploitation would lead only to a Denial of Service.

Mitigating Factors

• By default, the Remote Desktop Protocol is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

Additional Information

• Installations using Server Core are affected.


MS12-037: Cumulative Security Update for Internet Explorer (2699988) – slide 1 of 2

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1523 | Critical | N/A | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1858 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed |
| CVE-2012-1872 | Moderate | N/A | N/A | Information Disclosure | Cooperatively Disclosed |
| CVE-2012-1873 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed |
| CVE-2012-1874 | Important | 1 | 3 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1875 | Critical | N/A | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1876 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1877 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1878 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1879 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1880 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1881 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1882 | Moderate | N/A | N/A | Information Disclosure | Publicly Disclosed |


MS12-037: Cumulative Security Update for Internet Explorer (2699988) – slide 2 of 2

| CVE | Impact (RCE = Remote Code Execution, ID = Information Disclosure) |
|---|---|
| CVE-2012-1523 | RCE |
| CVE-2012-1858 | ID |
| CVE-2012-1872 | ID |
| CVE-2012-1873 | ID |
| CVE-2012-1874 | RCE |
| CVE-2012-1875 | RCE |
| CVE-2012-1876 | RCE |
| CVE-2012-1877 | RCE |
| CVE-2012-1878 | RCE |
| CVE-2012-1879 | RCE |
| CVE-2012-1880 | RCE |
| CVE-2012-1881 | RCE |
| CVE-2012-1882 | ID |

Affected Products:
Internet Explorer 6, 7, 8, 9 on all supported versions of Windows
Internet Explorer 6, 7, 8, 9 on all supported versions of Windows Server

Affected Components: Internet Explorer

Deployment Priority: 1

Main Target: Workstations

Possible Attack Vectors

• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website, or place a malicious ActiveX control in an application or Microsoft Office document. (CVE-2012-1523, CVE-2012-1874, CVE-2012-1875, CVE-2012-1876, CVE-2012-1877, CVE-2012-1878, CVE-2012-1879, CVE-2012-1880, CVE-2012-1881)

• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (CVE-2012-1858, CVE-2012-1872, CVE-2012-1873, CVE-2012-1882)

Impact of Attack

• An attacker successfully exploiting this issue could inflict a cross-site scripting attack on the user. (CVE-2012-1858, CVE-2012-1872)

• An attacker successfully exploiting this issue could gain access to and read IE’s process memory. (CVE-2012-1873)

• An attacker successfully exploiting this issue could view context from another domain or Internet Explorer zone. (CVE-2012-1882)

• An attacker successfully exploiting this issue could execute arbitrary code in the context of the current user. (CVE-2012-1874, CVE-2012-1875, CVE-2012-1876, CVE-2012-1877, CVE-2012-1878, CVE-2012-1879, CVE-2012-1880, CVE-2012-1881, CVE-2012-1523)

Mitigating Factors

• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone.

• An attacker has no way of forcing users to visit a maliciously constructed Web site.

• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.

• A targeted user must be convinced to open the Internet Explorer Developer Toolbar while visiting a malicious site. (CVE-2012-1874)

Additional Information

• Installations using Server Core 2008 or 2008 R2 are not affected.


MS12-038: Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1855 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: .NET Framework 2.0 SP2, .NET Framework 3.5.1, .NET Framework 4 on all supported editions of Microsoft Windows

Affected Components: .NET Framework

Deployment Priority: 2

Main Target: Servers and workstations

Possible Attack Vectors

• An attacker could host a website that contains an XAML Browser Application (XBAP) that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.

Impact of Attack

• An attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user.

• Code Access Security (CAS) Bypass: An attacker could use this issue to bypass CAS restrictions.

Mitigating Factors

• An attacker would have no way to force users to visit a malicious website.

• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.

• Standard .NET Framework applications are not affected by this issue.

Additional Information

• This bulletin applies to .NET Framework 4 and .NET Framework 4 Client Profile, and to users of the .NET Framework 3.5 and 4.5 Windows Consumer Preview software.


MS12-039: Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2011-3402 | Important | 3 | N/A | Remote Code Execution | Publicly Disclosed |
| CVE-2012-0159 | Important | 3 | N/A | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1849 | Important | 1 | N/A | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1858 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed |

Affected Products: Microsoft Lync 2010, Microsoft Lync 2010 Attendee, Microsoft Lync 2010 Attendant (32- and 64-bit), Office Communicator 2007 R2

Affected Components: Lync

Deployment Priority: 2

Main Target: Workstations and Servers

Possible Attack Vectors

• An attacker could create content containing a specially crafted TrueType font used to exploit this vulnerability. (CVE-2011-3402, CVE-2012-0159)

• In an email attack scenario, an attacker could exploit the vulnerability by sending a legitimate Microsoft Office file to a user, and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file. (CVE-2012-1849)

• In a network attack scenario, an attacker could place a legitimate Office file and a specially crafted DLL in a network share, a UNC, or WebDAV location and then convince the user to open the file. (CVE-2012-1849)

Impact of Attack

• An attacker successfully exploiting this issue could take control of an affected system. (CVE-2011-3402, CVE-2012-0159)

• An attacker successfully exploiting this issue could run arbitrary code in the context of the current user. (CVE-2012-1849)

• An attacker successfully exploiting this issue could perform cross-site scripting attacks against Lync or Microsoft Communicator users. (CVE-2012-1858)

Mitigating Factors

• Users whose accounts are configured to have fewer user rights on the system are less affected than users operating with administrative rights. (CVE-2011-3402)

• The file sharing protocol, Server Message Block (SMB), is often disabled on the perimeter firewall. (CVE-2012-1849)

• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file from this location that is then loaded by a vulnerable application. (CVE-2012-1849)

Additional Information

• The update for Lync 2010 Attendee (user-level install) is available only via Download Center.

• Though the vulnerability described in CVE-2011-3402 has previously been exploited in limited, targeted attacks, the vector used in those attacks was addressed in MS11-087, and we have detected no use of this vector in attacks.

• The vulnerability addressed by CVE-2012-1849 is related to the class of vulnerabilities described in Microsoft Security Advisory 2269637.


MS12-040: Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-0178 | Important | 1 | N/A | Elevation of Privilege | Cooperatively Disclosed |

Affected Products: Microsoft Dynamics AX 2012 Enterprise Portal

Affected Components: Microsoft Dynamics AX Enterprise Portal

Deployment Priority: 2

Main Target: Workstations connecting to a Microsoft Dynamics AX Enterprise Portal server

Possible Attack Vectors

• An attacker could exploit the vulnerability by hosting a web site with a malicious page and convincing a targeted user to click on the specially crafted URL.

Impact of Attack

• An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read, use the victim's identity to take actions on the Microsoft Dynamics AX Enterprise Portal site on behalf of the victim, or inject malicious content in the browser of the victim.

Mitigating Factors

• An attacker would have no way to force users to visit a malicious website.

• The vulnerability cannot be exploited automatically through email.

• Internet Explorer 8 and Internet Explorer 9 users browsing to a Microsoft Dynamics AX Enterprise Portal site in the Internet Zone are at a reduced risk because, by default, the XSS Filter in Internet Explorer 8 and Internet Explorer 9 prevents this attack in the Internet Zone.

Additional Information

• Earlier versions of Microsoft Dynamics AX are not affected by this cross-site scripting issue.

• This update is available via the Download Center and via the Microsoft Dynamics CustomerSource and Microsoft Dynamics PartnerSource websites.


MS12-041: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1864 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2012-1865 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2012-1866 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2012-1867 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2012-1868 | Important | N/A | 1 | Elevation of Privilege | Cooperatively Disclosed |

Affected Products: All versions of Microsoft Windows

Affected Components: Kernel-Mode Drivers

Deployment Priority: 3

Main Target: Workstations

Possible Attack Vectors

• An attacker who is able to log onto the targeted system could then run a specially crafted application that could exploit the vulnerability.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Mitigating Factors

• An attacker would require both valid logon credentials and the ability to log on locally to the targeted machine.

Additional Information

• Installations using Server Core are affected.


MS12-042: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1515 | Important | N/A | 1 | Elevation of Privilege | Publicly Disclosed |
| CVE-2012-0217 | Important | 1 | N/A | Elevation of Privilege | Cooperatively Disclosed |

Affected Products: Windows XP SP3, Windows Server 2003 SP2, Windows 7 x64, Windows 7 x64 SP1, Windows Server 2008 R2 x64, Windows Server 2008 R2 x64 SP1

Affected Components: User Mode Scheduler (CVE-2012-0127) and BIOS ROM (CVE-2012-1515)

Deployment Priority: 3

Main Target: Workstations

Possible Attack Vectors

• To exploit this vulnerability, an attacker would have to log on to the system, then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system.

Mitigating Factors

• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

• Systems with AMD- or ARM-based CPUs are unaffected (CVE-2012-0217)

• Only affects Intel x64-based versions of Windows 7 and Windows Server 2008 R2 (CVE-2012-0217)

Additional Information

• Windows Server 2008 R2 and 2008 R2 SP1 installations using Server Core are affected.

• CVE-2012-1515 applies only to Windows XP and 2003, while CVE-2012-0217 applies only to Windows 7 and Server 2008 R2.


Security Advisory 2719615: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution

• We are releasing a Security Advisory to address a vulnerability in Microsoft XML Core Services.
– The issue, if exploited, would permit remote code execution.
– The Security Advisory describes the issue in greater detail and provides a no-reboot Fix it that blocks the vector in Internet Explorer.
– We recommend that customers deploy EMET (the Enhanced Mitigation Experience Toolkit) for additional protection.

• This advisory affects all supported versions of Windows as well as Office 2003 and 2007 and Microsoft SQL.

• Please see Security Advisory 2719615 for more information.


KB 2677070: Automatic Updater of Revoked Certificates

• Microsoft is improving the process by which customers interact with untrusted or compromised certificates and keys.
– In the past, we issued CRLs – Certificate Revocation Lists – and customers would update their systems manually.
– We are rolling out an automated process that will update Windows clients with no manual interaction on the part of customers. See KB 2677070 for more information.

• KB 2677070 makes this feature available to customers using Windows Vista SP2, Windows Server 2008 SP2, Windows 7, or Windows Server 2008 R2 SP1, and is included in Windows 8 Release Preview and the Windows Server 2012 Release Candidate.

• In August, we will release a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length. We will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority.
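
The August change described above treats certificates with RSA keys shorter than 1024 bits as invalid. The following inventory of the local certificate stores for such keys is an added example, not part of the webcast or of Microsoft's tooling; the function name Get-WeakRsaCertificate and its parameters are hypothetical, and it only reads the stores:

```powershell
# Added example (not from the webcast). Read-only inventory of certificates
# whose RSA public key is shorter than the 1024-bit threshold on the slide.
# Get-WeakRsaCertificate and its parameter names are hypothetical.

function Get-WeakRsaCertificate {
    [CmdletBinding()]
    param(
        # Certificate provider roots to walk; every store beneath them is searched.
        [string[]]$StoreRoot = @('Cert:\LocalMachine', 'Cert:\CurrentUser'),
        # Keys strictly shorter than this many bits are reported.
        [int]$MinimumBits = 1024
    )

    $rsaOid = '1.2.840.113549.1.1.1'   # OID for rsaEncryption
    $now    = Get-Date

    foreach ($root in $StoreRoot) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_

                # Only RSA keys are in scope; skip ECC, DSA and anything else.
                if ($cert.PublicKey.Oid.Value -ne $rsaOid) { return }

                try {
                    $bits = $cert.PublicKey.Key.KeySize
                } catch {
                    Write-Warning "Could not read key size for $($cert.Thumbprint): $($_.Exception.Message)"
                    return
                }

                if ($bits -lt $MinimumBits) {
                    [pscustomobject]@{
                        # PSParentPath looks like '...::LocalMachine\Root'; keep the store part.
                        Store      = $cert.PSParentPath -replace '^.*::', ''
                        KeyBits    = $bits
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        NotAfter   = $cert.NotAfter
                        Unexpired  = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
                        Thumbprint = $cert.Thumbprint
                    }
                }
            }
    }
}

# Unexpired certificates first: these are the ones that are currently valid
# and will be treated as invalid once the change ships.
Get-WeakRsaCertificate |
    Sort-Object -Property @{ Expression = 'Unexpired'; Descending = $true }, KeyBits |
    Format-Table -AutoSize -Property Store, KeyBits, Unexpired, NotAfter, Subject
```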


Detection & Deployment

| Bulletin | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | SCCM 2007 |
|---|---|---|---|---|---|---|
| MS12-036 (RDP) | Yes | Yes | Yes | Yes | Yes | Yes |
| MS12-037 (IE) | Yes | Yes | Yes | Yes | Yes | Yes |
| MS12-038 (.NET) | Yes | Yes | Yes | Yes | Yes | Yes |
| MS12-039 (Lync) | Yes*** | Yes*** | Yes*** | Yes*** | Yes*** | Yes*** |
| MS12-040 (Dynamics AX) | No ** | No ** | No ** | No ** | No ** | No ** |
| MS12-041 (KMD) | Yes | Yes | Yes | Yes | Yes | Yes |
| MS12-042 (Kernel) | Yes | Yes | Yes | Yes | Yes | Yes |

** Available via the Download Center and the Microsoft Dynamics Customer Source and Microsoft Dynamics Partner Source

*** Except for Microsoft Lync 2010 Attendee (user-level install), which is available only via the Download Center.


Other Update Information

| Bulletin | Restart | Uninstall | Replaces |
|---|---|---|---|
| MS12-036 (RDP) | Yes | Yes | MS11-065, MS12-020 |
| MS12-037 (IE) | Yes | Yes | MS12-023 |
| MS12-038 (.NET) | Maybe | Yes | None |
| MS12-039 (Lync) | Maybe | Yes | None |
| MS12-040 (Dynamics AX) | Maybe | No | None |
| MS12-041 (KMD) | Yes | Yes | MS12-018 |
| MS12-042 (Kernel) | Yes | Yes | MS11-068, MS11-098 |


Windows Malicious Software Removal Tool (MSRT)

• During this release Microsoft will increase detection capability for the following families in the MSRT:
– Win32/Cleaman: A malicious program lacking the ability to propagate on its own, Cleaman can perform a variety of actions on an infected machine as directed by a remote attacker.
– Win32/Kuluoz: This trojan takes instruction from remote servers and is known in particular to download variants of Trojan:Win32/FakeSysdef, a fake security scanner.

• Available as a priority update through Windows Update or Microsoft Update.

• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.


Resources

Blogs
• Microsoft Security Response Center (MSRC) blog: www.blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/

Twitter
• @MSFTSecResponse

Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx

Bulletins, Advisories, Notifications & Newsletters
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews

Other Resources
• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx


Questions and Answers

• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC Blog: http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.