Information About Microsoft November 2012 Security Bulletins

Jeremy Tinder, Security Program Manager, Microsoft Corporation
Dustin Childs, Group Manager, Response Communications, Microsoft Corporation

Dial In Number 1-877-593-2001 Pin: 3959


Live Video Stream

• To receive our video stream in LiveMeeting:
  – Click on Voice & Video
  – Click the drop down next to the camera icon
  – Select Show Main Video


What We Will Cover

• Review of November 2012 Bulletin Release Information
  – Six security bulletins
  – One updated security Advisory
  – Two security bulletin re-releases
  – Microsoft® Windows® Malicious Software Removal Tool

• Resources

• Questions and Answers: Please Submit Now
  – Submit Questions via Twitter #MSFTSecWebcast


Severity and Exploitability Index

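[Figure: chart of Severity (Critical, Important, Moderate, Low; impact axis) and Exploitability Index (1, 2, 3; risk axis) for each bulletin, with the deployment priority (DP) shown per bulletin.]

| Bulletin | Component | DP |
|---|---|---|
| MS12-071 | Internet Explorer | 1 |
| MS12-072 | Windows Shell | 2 |
| MS12-073 | IIS | 3 |
| MS12-074 | .NET Framework | 2 |
| MS12-075 | Kernel-Mode Drivers | 1 |
| MS12-076 | Excel | 2 |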


Bulletin Deployment Priority

| Bulletin | KB | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority | Notes |
|---|---|---|---|---|---|---|---|
| MS12-071 (IE) | 2761451 | Private | Critical | 1 | RCE | 1 | Does not affect IE 10 on Windows 8 or Windows RT. |
| MS12-075 (KMD) | 2761226 | Public | Critical | 1 | RCE | 1 | Windows 8, Server 2012, and Windows RT are affected. |
| MS12-074 (.NET) | 2745030 | Private | Critical | 1 | RCE | 2 | Windows 8, Server 2012, and Windows RT are affected. |
| MS12-072 (Shell) | 2727528 | Private | Critical | 1 | RCE | 2 | Windows 8 and Server 2012 are affected. Issues cannot be exploited automatically through email. |
| MS12-076 (Excel) | 2720184 | Private | Important | 1 | RCE | 2 | This issue requires user interaction and workarounds have been identified. |
| MS12-073 (IIS) | 2733829 | Private | Moderate | NA | EoP | 3 | Non-default log setting required for information disclosure. |


MS12-071: Cumulative Security Update for Internet Explorer (2761451)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1538 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1539 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-4775 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products
• Internet Explorer 9 on 32-bit and 64-bit versions of Vista and Windows 7
• Internet Explorer 9 on 32-bit and 64-bit versions of Windows Server 2008 and 2008 R2

Affected Components: Internet Explorer

Deployment Priority: 1

Main Target: Workstations

Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
• An attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

Impact of Attack
• An attacker could gain the same user rights as the current user.

Mitigating Factors
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone.
• An attacker can not force users to view the attacker-controlled content.

Additional Information
• Installations using Server Core are not affected.


MS12-072: Vulnerabilities in Windows Shell Could Allow Remote Code Execution (2727528)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1527 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1528 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products
• All supported editions of XP, Windows Server 2003, Vista, Windows Server 2008 (except for Itanium-based), Windows 7, Windows Server 2008 R2 (except for Itanium-based), Windows 8 (except for Windows RT), and Windows Server 2012.

Affected Components: Windows Shell

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vector
• An attacker could host a specially crafted briefcase on a network share, and convince the user to navigate to the location using Windows Explorer.

Impact of Attack
• An attacker who successfully exploited this vulnerability could run arbitrary code as the current user.

Mitigating Factors
• The vulnerability cannot be exploited automatically through email.

Additional Information
• Installations using Server Core are not affected.


MS12-073: Vulnerabilities in Microsoft Internet Information Services (IIS) Could Allow Information Disclosure (2733829)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-2532 | Moderate | NA | NA | Information Disclosure | Publicly Disclosed |
| CVE-2012-2531 | Moderate | NA | NA | Information Disclosure | Cooperatively Disclosed |

Affected Products
• Microsoft FTP Service 7.0, and 7.5 for IIS 7.0 on Vista and Windows Server 2008, FTP 7.5 for IIS 7.5 on Windows 7, Windows Server 2008 R2, and Internet Information Services 7.5 on Windows 7 and Windows Server 2008 R2

Affected Components: IIS permissions management

Deployment Priority: 3

Main Target: Servers running affected versions of Microsoft Internet Information Services (IIS)

Possible Attack Vector
• To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then view the unprotected log file. (CVE-2012-2531)
• An attacker could exploit this vulnerability by sending a specially crafted FTP command to the FTP server. (CVE-2012-2532)

Impact of Attack
• An attacker who successfully exploited this vulnerability could execute a limited set of FTP commands, prior to the session switching to Transport Layer Security (TLS). (CVE-2012-2532)
• An attacker could discover the username and/or password of configured accounts. (CVE-2012-2531)

Mitigating Factors
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. (CVE-2012-2531)
• The Operational log for IIS is not enabled by default. (CVE-2012-2531)

Additional Information
• Installations using Server Core are affected.


MS12-074: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2745030)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| 2012-1895 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed |
| 2012-1896 | Important | NA | 3 | Information Disclosure | Cooperatively Disclosed |
| 2012-2519 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed |
| 2012-4776 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| 2012-4777 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |

Affected Products
• All supported versions of .NET Framework 2.0, 3.5, 3.5.1, 4, 4.5 on all supported versions of Windows Client and Server except for Windows 8, RT, and Windows Server 2012
• All supported versions of .NET Framework 1.0, 1.1, .NET Framework 4.0 and 4.5 on Windows 8 and RT and Windows Server 2012

Affected Components: .NET Framework

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vector
• Web Browsing: An attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that could exploit this vulnerability and then convince a user to view the website.
• .NET Application: An attacker could host a file with a specially crafted filename on a network share, a UNC, or WebDAV location and then convince the user to browse to the file. (CVE-2012-1895, CVE-2012-1896, CVE-2012-4777)
• An attacker could convince a user to open a legitimate .NET application built with ADO.NET that is located in the same network directory as a specially crafted dynamic link library (DLL) file. (CVE-2012-2519)
• In a man-in-the-middle attack, an attacker can spoof the contents or the location of a proxy auto configuration (PAC) file and then inject code into the currently running application, bypassing the Code Access Security (CAS) restrictions. (CVE-2012-4776)

Impact of Attack
• An attacker could take complete control of the affected system.

Mitigating Factors
• By default, IE 9 and IE 10 prevent XAML, which is used by XBAPs, from running in the Internet Zone.
• By default, IE 6, IE 7, and Internet Explorer 8 are configured to prompt the user before running XAML, which is used by XBAPs in the Internet Zone.

Additional Information
• This update is related to Microsoft Security Advisory 2269637


MS12-075: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2761226)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-2530 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2012-2553 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2012-2897 | Critical | 2 | 2 | Remote Code Execution | Cooperatively Disclosed |

Affected Products
• All supported versions of Windows Client and Windows Server

Affected Components: Kernel-Mode Drivers

Deployment Priority: 1

Main Target: Workstations

Possible Attack Vector
• To exploit this vulnerability, an attacker would first have to log on to the system and then run a specially crafted application that could exploit the vulnerability. (CVE-2012-2530, CVE-2012-2553)
• Web based: an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. (CVE-2012-2897)
• File Sharing: an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file. (CVE-2012-2897)

Impact of Attack
• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. (CVE-2012-2530, CVE-2012-2553)
• No mitigations identified for CVE-2012-2897

Mitigating Factors
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. (CVE-2012-2530, CVE-2012-2553)

Additional Information
• Installations using Server Core are affected.


MS12-076: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2720184)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1885 | Important | NA | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1886 | Important | NA | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1887 | Important | NA | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-2543 | Important | NA | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products
• All supported versions of Excel 2003, 2007, 2010, Office 2008 for Mac, Office for Mac 2011, Excel Viewer, Office Compatibility Pack

Affected Components: Excel

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vector
• Email: an attacker could exploit the vulnerability by sending a specially crafted Excel file to the user and by convincing the user to open the file.
• Web based: an attacker would have to host a website that contains a specially crafted Excel file that is used to attempt to exploit this vulnerability.

Impact of Attack
• An attacker who successfully exploited this vulnerability could run arbitrary code as the current user.

Mitigating Factors
• The vulnerability cannot be exploited automatically through email.
• An attacker would have no way to force users to visit these websites.

Additional Information
• For Microsoft Excel 2007, in addition to security update package KB2687307, customers also need to install the security update for the Microsoft Office Compatibility Pack (KB2687311) to be protected from the vulnerabilities described in this bulletin.


Microsoft Security Advisories

• Microsoft Security Advisory (2749655): Compatibility Issues Affecting Signed Microsoft Binaries
  – Microsoft is aware of an issue involving specific digital certificates that were generated by Microsoft without proper timestamp attributes. These digital certificates were later used to sign some Microsoft core components and software binaries.
  – As a pre-emptive action to assist customers, Microsoft is providing a non-security update for supported releases of Microsoft Windows. This update helps to ensure compatibility between Microsoft Windows and affected software binaries.


November Security Bulletin Re-releases

• MS12-046: Vulnerabilities in Visual Basic for Applications Could Allow Remote Code Execution (2707960) Re-release
  – Microsoft is rereleasing the bulletin to offer the update for Microsoft Office 2003 Service Pack 3 (KB2687626) to address an issue with digital certificates described in Microsoft Security Advisory 2749655.

• MS12-062: Vulnerability in System Center Configuration Manager Could Allow Elevation of Privilege (2741528) Re-release
  – Microsoft is rereleasing the KB2721642 update for System Center Configuration Manager 2007 to address a problem with the resource files in the localized versions of the security update.
  – Customers who have successfully installed only the KB2721642 EN (English) version of the update do not need to take any action.


Detection & Deployment

| Bulletin | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | SCCM 2007 |
|---|---|---|---|---|---|---|
| MS12-071 (IE) | Yes | Yes | Yes | Yes | Yes | Yes |
| MS12-072 (Shell) | Yes [1,2] | Yes [2] | Yes [2] | Yes [2] | Yes [2] | Yes [2] |
| MS12-073 (IIS) | Yes | No [5] | Yes [4] | Yes | Yes [4] | Yes [4] |
| MS12-074 (.NET) | Yes [1,2] | Yes [2] | Yes [2] | Yes [2] | Yes [2] | Yes [2] |
| MS12-075 (KMD) | Yes [1,2] | Yes [2] | Yes [2] | Yes [2] | Yes [2] | Yes [2] |
| MS12-076 (Excel) | No | Yes [3] | Yes [3] | Yes [3] | Yes [3] | Yes [3] |

1. MBSA does not support Windows 8 or Windows Server 2012
2. Windows XP Tablet PC 2005 and XP Media Center Edition 2005 are not supported by any detection tools
3. Office for Mac is not supported by detection tools.
4. Yes except for Vista and Windows Server 2008
5. No except for Windows 7 32-bit SP1 and 64-bit SP1, and Windows Server 2008 R2 x64 SP1 and Itanium SP1


Other Update Information

| Bulletin | Restart | Uninstall | Replaces |
|---|---|---|---|
| MS12-071 (IE) | Yes | Yes | MS12-063 |
| MS12-072 (Shell) | Yes | Yes | None |
| MS12-073 (IIS) | No | Yes | MS11-004 |
| MS12-074 (.NET) | Maybe | Yes | MS11-078, MS12-016, MS11-100, MS12-034 |
| MS12-075 (KMD) | Yes | Yes | MS12-055 |
| MS12-076 (Excel) | Maybe | Yes [1] | MS11-030 |

1. This update cannot be removed once installed on all supported versions of Office for Mac


Windows Malicious Software Removal Tool (MSRT)

During this release Microsoft will increase detection capability for the following families in the MSRT:

• Win32/Folstart: A worm that spreads through removable drives and modifies some system settings

• Win32/Weelsof: A family of ransomware trojans that targets users from certain countries

• Win32/Phorpiex: A worm that spreads via removable drives and Windows Live Messenger, and contains backdoor functionality

Available as a priority update through Windows Update or Microsoft Update.

Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.


Resources

Blogs
• Microsoft Security Response Center (MSRC) blog: www.blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/

Twitter
• @MSFTSecResponse

Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx

Bulletins, Advisories, Notifications & Newsletters
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews

Other Resources
• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx


Questions and Answers

• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC Blog: http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.