Monthly Security Bulletin Briefing - January 2014

CSS Security Worldwide Programs

• Teresa Ghiorzoe, Security Program Manager - GBS LATAM
• Daniel Mauser, Senior Technical Lead - LATAM CTS

Security blog: http://blogs.technet.com/b/risco/
Twitter: LATAMSRC
Email: [email protected]

Agenda - January 2014

New Security Bulletins: 4 (Critical: 0 | Important: 4)
1 Security Bulletin re-release
1 Security Advisory re-release

Other Security Resources
• Detection and Deployment Table
• Product Support Lifecycle Information
• Post Release Issue Tracking, Escalations, and Contacts
• Slide Decks and the Public Webcast

January 2014 Security Bulletins

Bulletin | Impact | Component | Severity | Priority | Exploit Index | Public
MS14-001 | Remote Code Execution | Word | Important | 2 | 1 | No
MS14-002 | Elevation of Privilege | Kernel | Important | 1 | 1 | Yes
MS14-003 | Elevation of Privilege | KMD | Important | 2 | 1 | No
MS14-004 | Denial of Service | Dynamics AX | Important | 3 | 1 | No

Exploitability Index: 1 - Exploit code likely | 2 - Exploit code difficult | 3 - Exploit code unlikely | NA - Not Affected | * - Not Rated

MS14-001: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)

Affected Software
• Microsoft Word 2003
• Microsoft Word 2007
• Microsoft Word 2010
• Microsoft Word 2013
• Microsoft Word 2013 RT
• Office Compatibility Pack
• Word Viewer
• SharePoint Server 2010 (Word Automation Services)
• SharePoint Server 2013 (Word Automation Services)
• Office Web Apps 2010
• Office Web Apps Server 2013

Severity: Important
Deployment Priority: 2
Update Replacement: MS13-072, MS13-084, MS13-086, MS13-100
More Information and/or Known Issues: No
Restart Requirement: A restart may be required
Uninstall Support: In Control Panel go to Add or Remove Programs (Windows XP or Windows 2003) or System and Security (newer systems).

Detection and Deployment

WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes

• Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
• After you install this security update on all SharePoint servers, you must run the PSconfig tool to complete the installation.

Vulnerability Details
• Multiple memory corruption vulnerabilities exist in the way that affected Microsoft Office software parses specially crafted files that could lead to remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-0258 | Important | Remote Code Execution | NA | 1 | * | No | No | None
CVE-2014-0259 | Important | Remote Code Execution | NA | 1 | * | No | No | None
CVE-2014-0260 | Important | Remote Code Execution | 1 | 1 | * | No | No | None

DoS Rating: T = Temporary (DoS ends when an attack ceases) | P = Permanent (Administrative action required to recover)

Attack Vectors
• A specially crafted Office file
• Common delivery mechanisms: a maliciously crafted webpage, an email attachment, an instant message, a peer-to-peer file share, a network share, and/or a USB thumb drive.

Mitigations
• The vulnerability cannot be exploited automatically through email because a user must open an attachment that is sent in an email message.
• Users would have to be persuaded to take some sort of action e.g. clicking URL sent in email, IM sending user to malicious site, and user opens Office file.
• Exploitation only gains the same user rights as the logged-on account

Workarounds
• Install and configure MOICE to be the registered handler for .doc files.
• Use Microsoft Office File Block policy to prevent the opening of .doc and .dot binary files.
• Do not open Office files that you receive from untrusted sources or that you receive unexpectedly from trusted sources.

MS14-002: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (2914368)

Affected Software
• Windows XP
• Windows Server 2003

Severity: Important
Deployment Priority: 1
Update Replacement: MS10-099
More Information and/or Known Issues: SA2914486
Restart Requirement: A restart is required
Uninstall Support: Use Add or Remove Programs in Control Panel

Detection and Deployment

WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes

Security Advisory addressed by this update: Vulnerability in Microsoft Windows Kernel Could Allow Elevation of Privilege
http://technet.microsoft.com/en-us/security/advisory/2914486

Vulnerability Details
• An elevation of privilege vulnerability exists in the NDProxy component of the Windows kernel due to improper validation of input passed from user mode to the kernel that could allow an attacker to run code in kernel mode.

CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-5065 | Important | Elevation of Privilege | NA | 1 | * | Yes | Yes | 2914486

Attack Vectors
• An attacker could run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

Mitigations
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Workarounds
• Reroute the NDProxy service to Null.sys.

MS14-003: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2913602)

Affected Software
• Windows 7
• Windows Server 2008 R2

Severity: Important
Deployment Priority: 2
Update Replacement: MS13-101
More Information and/or Known Issues: No
Restart Requirement: This update requires a restart
Uninstall Support: Use Add or Remove Programs in Control Panel

Detection and Deployment

WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes

Vulnerability Details
• An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly uses window handle thread objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.

CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-0262 | Important | Elevation of Privilege | NA | 1 | P | No | No | None

Attack Vectors
• An attacker could run a specially crafted application designed to increase privileges.

Mitigations
• To exploit this vulnerability, an attacker would first have to log on locally to the system.
* Local logon in this case also refers to RDP session

Workarounds
• Microsoft has not identified any workarounds for this vulnerability.

MS14-004: Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service (2880826)

Affected Software
• Microsoft Dynamics AX 4.0 SP2
• Microsoft Dynamics AX 2009 SP1
• Microsoft Dynamics AX 2012
• Microsoft Dynamics AX 2012 R2

Severity: Important
Deployment Priority: 3
Update Replacement: None
More Information and/or Known Issues: No
Restart Requirement: May require restart
Uninstall Support: Use Add or Remove Programs in Control Panel

Detection and Deployment

WU | MU | MBSA | WSUS | ITMU | SCCM
No | No | No | No | No | No

Update is available on the Microsoft Download Center and PartnerSource

Vulnerability Details
• A denial of service vulnerability exists in Microsoft Dynamics AX that could allow an attacker to cause a Dynamics AX server to become unresponsive.

CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-0261 | Important | Denial of Service | 3 | 3 | P | No | No | None

Attack Vectors
• An authenticated attacker could submit specially crafted data to an affected Dynamics AX server.

Mitigations
• To exploit this vulnerability, an attacker must be able to authenticate on the Dynamics AX client.

Workarounds
• Microsoft has not identified any workarounds for this vulnerability.

Re-released Security Bulletin

Security Bulletin (2870008): Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution

Microsoft is re-releasing one of the updates associated with this bulletin (2862330) to address stability issues caused by applying this update under certain circumstances on Windows 7 and Windows Server 2008 R2.

Re-released Security Advisories

Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer

Microsoft updated this advisory to announce the availability of a new update for Adobe Flash Player. On January 14, 2013, Microsoft released an update (KB2916626) for all supported editions of Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB14-02. For more information about this update, including download links, see Microsoft Knowledge Base Article 2916626.

Microsoft Support Lifecycle

Lifecycle Changes

The following product families and service pack levels are scheduled to have their support lifecycle expire on January 14, 2014:

Product Family
• Live Communications Server 2003

Remember that support for the entire Windows XP product family will expire on 4/8/2014.

http://support.microsoft.com/lifecycle

January 2014 Security Bulletins

Bulletin | Description | Severity | Priority
MS14-001 | Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution | Important | 2
MS14-002 | Vulnerability in Windows Kernel Could Allow Elevation of Privilege | Important | 1
MS14-003 | Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege | Important | 2
MS14-004 | Vulnerability in Microsoft Dynamics AX Could Allow Denial of Service | Important | 3

Appendix

Malicious Software Removal Tool (MSRT) Updates

MSRT Changes

New malware families added to the January 2014 MSRT:
• MSIL/Bladabindi: A family of malware that can be used to take control of PCs and steal sensitive information

Additional Tools

Microsoft Safety Scanner
• Same basic engine as the MSRT, but with a full set of A/V signatures

Windows Defender Offline
• An offline bootable A/V tool with a full set of signatures
• Designed to remove rootkits and other advanced malware that can't always be detected by antimalware programs
• Requires you to download an ISO file and burn a CD, DVD, or USB flash drive

TechNet Security is Changing!

In 2014 Q1, security bulletins will be moving to the TechNet Library
• Bulletins, bulletin summaries, and advisories will join the existing IT Pro content at http://technet.microsoft.com/library
• TechNet Security portal at http://technet.microsoft.com/security/ will be updated to point to bulletins in the TechNet Library.

Details
• URLs will change from http://technet.microsoft.com/security/bulletin/MSNN-NNN to http://technet.microsoft.com/library/security/MSNN-NNN
• Navigational landing pages will guide gentle readers to the latest bulletins grouped by product family (Windows, IE, .NET, Office, etc.)
• All bulletin content going back to 1998 will be present.

Public Security Bulletin Links

Monthly Bulletin Links
• Microsoft Security Bulletin Summary for January 2014
  http://technet.microsoft.com/en-us/security/bulletin/ms14-jan
• Security Bulletin Search
  http://technet.microsoft.com/security/bulletin
• Security Advisories
  http://technet.microsoft.com/security/advisory
• Microsoft Technical Security Notifications
  http://technet.microsoft.com/en-us/security/dd252948.aspx

Blogs
• MSRC Blog
  http://blogs.technet.com/msrc
• SRD Team Blog
  http://blogs.technet.com/srd
• MMPC Team Blog
  http://blogs.technet.com/mmpc
• MSRC Ecosystem Team Blog
  http://blogs.technet.com/ecostrat

Supplemental Security Reference Articles
• Detailed Bulletin Information Spreadsheet
  http://go.microsoft.com/fwlink/?LinkID=245778
• Security Tools for IT Pros
  http://technet.microsoft.com/en-us/security/cc297183
• KB894199 Description of Software Update Services and Windows Server Update Services changes in content
  http://support.microsoft.com/kb/894199
• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software
  http://support.microsoft.com/kb/890830

January 2014 Manageability Tools Reference

Bulletin | Windows Update [1] | Microsoft Update [1] | MBSA [2] | WSUS | SMS ITMU | SCCM
MS14-001 | No | Yes | Yes | Yes | Yes | Yes
MS14-002 | Yes | Yes | Yes | Yes | Yes | Yes
MS14-003 | Yes | Yes | Yes | Yes | Yes | Yes
MS14-004 | No | No | No | No | No | No

1. Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
2. Microsoft Baseline Security Analyzer (MBSA) v2.3 now supports Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

January 2014 Non-Security Content

Description | Classification | Deployment
Update for Windows 8.1 (KB2904440) | Critical Update | Site, AU, SUS, Catalog
Dynamic Update for Windows 8.1 (KB2914220) | Critical Update | Site, AU, SUS, Catalog
Update for Microsoft Outlook 2013 (KB2850061) 32-Bit Edition | Critical Update | Site, AU, SUS, Catalog

MBSA 2.3

MBSA 2.3 Now Available

The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. MBSA 2.3 release now provides support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

Tool Information
• Available at the Download Center at http://www.microsoft.com/download/details.aspx?id=7558
• Windows 2000 will no longer be supported with this release.

Public Security Bulletin Links in Portuguese - LATAM

Bulletin Links in Portuguese
• Microsoft Security Bulletin Summary for January 2014
  http://technet.microsoft.com/pt-br/security/bulletin/ms14-jan
• Security Bulletin Search
  http://technet.microsoft.com/pt-br/security/bulletin
• Security Advisories
  http://technet.microsoft.com/pt-br/security/advisory
• Microsoft Technical Security Notifications
  http://technet.microsoft.com/pt-br/security/dd252948.aspx

Blogs
• Negócios de Risco
  http://blogs.technet.com/b/risco/
• MSRC Blog
  http://blogs.technet.com/msrc
• SRD Team Blog
  http://blogs.technet.com/srd
• MMPC Team Blog
  http://blogs.technet.com/mmpc
• MSRC Ecosystem Team Blog
  http://blogs.technet.com/ecostrat

Supplemental Security Reference Articles
• Detailed Bulletin Information Spreadsheet
  http://go.microsoft.com/fwlink/?LinkID=245778
• Security Tools for IT Pros
  http://technet.microsoft.com/pt-br/security/cc297183
• KB894199 Description of Software Update Services and Windows Server Update Services changes in content
  http://support.microsoft.com/kb/894199
• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software
  http://support.microsoft.com/kb/890830

Portuguese Webcast - February

Portuguese Webcast (External)

WEBCAST – CUSTOMERS
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032575576&Culture=pt-BR&community=1

February 13, 2014
15:30 Brasília time

See our blog to register:
• Negócios de Risco
  http://blogs.technet.com/b/risco/

GBS Security Worldwide Programs