Monthly Security Bulletin Briefing - Microsoft€¦ · privilege and affects Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET

1

Monthly Security

Bulletin Briefing

September 2014

CSS Security Worldwide Programs

• Teresa GhiorzoeSecurity Program Manager- GBS LATAM

• Daniel Mauser

Senior Technical Lead - LATAM CTS

Blog de Segurança: http://blogs.technet.com/b/risco/

Twitter: LATAMSRC

Email: [email protected]

CSS Security Worldwide ProgramsSlide 2

Security Bulletin Release OverviewSeptember

2014

Other content

• Product Support Lifecycle Info

Appendix

• Public Webcast Details

• Manageability Tools Reference

• Related Resources

Critical Important

1 3

New

Security

Bulletins4

Security

Advisories 0Rereleased

Security

Advisories3


Security Bulletin Release OverviewSeptember

2014

Bulletin Impact Component Severity PriorityExploit

Index

Publicly

Known

Publicly

Exploited

MS14-052

Remote

Code

Execution

IE Critical 1 0 Yes Yes

MS14-053Denial of

Service.NET Important 3 3 No No

MS14-054Elevation of

Privilege

Task

SchedulerImportant 2 1 No No

MS14-055Denial of

ServiceLync Important 2 3 No No

Exploitability Index: 0 – Exploitation Detected | 1 - Exploitation more likely | 2 – Exploitation less likely | 3 – Exploitation unlikely | NA -

Not Affected


Affected Software• Internet Explorer 6 on Windows Server 2003

• Internet Explorer 7 on Windows Server 2003, Windows

Vista, and Windows Server 2008.

• Internet Explorer 8 on Windows Server 2003, Windows

Vista, Windows Server 2008, Windows 7, and Windows

Server 2008 R2.

• Internet Explorer 9 on Windows Vista, Windows Server

2008, Windows 7, and Windows Server 2008 R2.

• Internet Explorer 10 on Windows 7, Windows Server 2008

R2, Windows 8, Windows Server 2012, and Windows RT.

• Internet Explorer 11 on Windows 7, Windows Server 2008

R2, Windows 8.1, Windows Server 2012 R2, and Windows

RT 8.1.

Severity | Critical

Deployment

Priority

Update

Replacement

More Information

and / or

Known Issues

1 MS14-051

Outdated ActiveX

blocking

KB2991000

Uninstall Support• Use the Add or Remove

Programs Control Panel

applet

Restart Requirement• A restart is required

Detection and Deployment

WU MU MBSA WSUS ITMU SCCMOut-of-date ActiveX control blocking

http://technet.microsoft.com/en-us/library/dn761713.aspxYes Yes Yes Yes Yes Yes

Cumulative Security Update for Internet Explorer (2977629)MS14-052

Note: Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.


Vulnerability Details

• Remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory. These vulnerabilities

could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

• An information disclosure vulnerability exists in Internet Explorer which allows resources loaded into memory to be queried. This

vulnerability could allow an attacker to detect anti-malware applications in use on a target and use the information to avoid

detection

CVE Severity Impact XI Latest XI Legacy XI DoS Public Exploited Advisory

Multiple Critical Remote Code Execution 1 1 * No No No

CVE-2013-7331 Important Information Disclosure 0 0 * Yes Yes No

Attack Vectors• Attacker hosts a malicious website

utilizing the vulnerability, then

convinces users to visit the site.

• Attacker takes advantage of

compromised websites and/or sites

hosting ads from other providers.

Mitigations• Attacker would have to convince users to take

action, typically by getting them to click a link in

an email message or in an Instant Messenger

message that takes users to the attacker's website,

or by getting them to open an attachment sent

through email. No way for attacker to force user to

view malicious content.

• Exploitation only gains the same user rights as the

logged-on account.

• By default, all Microsoft email clients open HTML

email messages in the Restricted Sites zone.

• By default, Internet Explorer runs in Enhanced

Security Configuration mode for all Windows

Servers.

Workarounds

• Set Internet and Local intranet security zone

settings to "High" to block ActiveX Controls and

Active Scripting in these zones.

• Configure Internet Explorer to prompt before

running Active Scripting or to disable Active

Scripting in the Internet and Local intranet

security zone.

• Add sites that you trust to the Internet Explorer

Trusted sites zone.

• CVE-2013-7331: Read email messages in plain

text.

Slide 5

MS14-052 Cumulative Security Update for Internet Explorer (2977629)

Exploitability Index (XI): 0 – Exploitation Detected | 1 – Exploitation more likely | 2 – Exploitation less likely | 3 - Exploitation unlikely | NA - Not Affected

DoS Rating: T - Temporary (DoS ends when attack ceases) | P - Permanent (Administrative action required to recover) | * - Not Applicable

Affected Software

• Microsoft .NET Framework 1.1 SP1



• Microsoft .NET Framework 3.5

• Microsoft .NET Framework 3.5.1

• Microsoft .NET Framework 4.0

• Microsoft .NET Framework 4.5/4.5.1/4.5.2

On all supported editions of:

• Windows Server 2003

• Windows Vista

• Windows Server 2008

• Windows 7

• Windows Server 2008 R2

• Windows 8 and 8.1

• Windows Server 2012 and 2012 R2

Severity | Important

Deployment

PriorityUpdate Replacement

More Information

and / or

Known Issues

3MS13-004

MS14-009

MS13-052None

Restart Requirement

• A restart may be required

Uninstall Support

• Use Add or Remove Programs in

Control Panel

WU MU MBSA WSUS ITMU SCCM

Yes Yes Yes Yes Yes Yes


Vulnerability in .NET Framework Could Allow Denial of

Service (2990931) MS14-053



• A denial of service vulnerability exists in the way that Microsoft .NET Framework handles specially crafted requests, causing a hash

collision. An attacker who successfully exploited this vulnerability could send a small number of specially crafted requests to a .NET

server, causing performance to degrade significantly enough to cause a denial of service condition..


CVE-2014-4072 Important Denial of Service 3 3 P No No No

Attack Vectors

Attacker sends a small number of specially

crafted requests to .NET-enabled website.

Mitigations

By default, ASP.NET is not installed when

Microsoft .NET Framework is installed on

any supported edition of Microsoft

Windows

Workarounds

For .NET Framework 4.5 and higher

Enable

UseRandomizedStringHashAlgorithm

application configuration runtime setting

for desktop applications

Slide 7

MS14-053 Vulnerability in .NET Framework Could Allow Denial of

Service (2990931)




Affected Software• Windows 8, Windows 8.1

• Windows Server 2012 and 2012 R2

• Windows RT and RT 8.1


Deployment

Priority

Update

Replacement

More Information

and / or

Known Issues

2 None None

Restart Requirement

• A restart is required

Uninstall Support

• Use the Add or Remove

Programs Control Panel

applet.

Detection and Deployment

WU MU MBSA WSUS ITMU SCCM Note: Windows RT devices can only be serviced with

Windows Update, Microsoft Update, and the Windows

StoreYes Yes Yes Yes Yes Yes

Vulnerability in Windows Task Scheduler Could Allow

Elevation of Privilege (2988948)MS14-054


Exploitability Index (XI): 1 - Exploit code likely | 2 - Exploit code difficult | 3 - Exploit code unlikely | NA - Not Affected


Slide 9

Vulnerability in Windows Task Scheduler Could Allow

Elevation of Privilege (2988948)MS14-054

Vulnerability Details:

• An elevation of privilege vulnerability exists in how Windows Task Scheduler improperly conducts integrity checks on

tasks. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local

system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


CVE-2014-4074 Important Remote Code Execution 1 1 * No No None

Attack Vectors

• Attacker would first have to log on to

the system, then run a specially crafted

application that could exploit the

vulnerability and take complete control

over an affected system.

Mitigations

Attacker must be able to log on locally to

the system.

Workarounds

Disable Task Scheduler service.




Vulnerabilities in Microsoft Lync Server Could Allow Denial of

Service (2990928)MS14-055

Affected Software• Microsoft Lync Server 2010

• Microsoft Lync Server 2013


Deployment

Priority

Update

Replacement

More Information

and / or

Known Issues

2 MS14-032Prerequisite – see

below

Restart Requirement

• A restart may be

required

Uninstall Support

• Use Add or Remove

Programs in Control PanelDetection and Deployment

WU MU MBSA WSUS ITMU SCCMLatest cumulative update for Lync Server:

•For Lync Server 2013:

http://support.microsoft.com/kb/2809243

•For Lync Server 2010:

http://support.microsoft.com/kb/2493736No Yes Yes Yes Yes Yes


Vulnerabilities in Microsoft Lync Server Could Allow Denial of

Service (2990928)MS14-055


• Two denial of service vulnerabilities exist in Lync Server. An attacker who successfully exploited these vulnerabilities could cause the

affected system to stop responding.

• A reflected cross-site scripting (XSS) vulnerability which could result in information disclosure exists when Lync Server fails to

properly sanitize specially crafted content. An attacker who successfully exploited this vulnerability could potentially execute scripts

in the user’s browser to obtain information from web sessions.


CVE-2014-4068 Important Denial of Service 3 3 T No No None

CVE-2014-4071 Important Denial of Service 3 NA T No No None

CVE-2014-4070 Important Information Disclosure 3 NA * No No None

Attack Vectors

• CVE-2014-4068 & 4071: Attacker executes a

specially crafted request to a Lync server.

• CVE-2014-4070: Attacker hosts a malicious

website utilizing the vulnerability, then

convinces users to visit the site.

• Attacker takes advantage of compromised

websites and/or sites hosting ads from other

providers.

• Email: Attacker sends an email containing a

URL linking to the malicious web site and

convinces user to click the link.

Mitigations

• Microsoft has not identified any

mitigating factors for these

vulnerabilities.

Workarounds

• CVE-2014-4070: Read email messages in plain

text.

• Set Internet and Local intranet security zone

settings to "High" to block ActiveX Controls

and Active Scripting in these zones.

• Add sites that you trust to the Internet

Explorer Trusted sites zone.

• CVE-2014-4068 & 4071: no workarounds




(2905247) Insecure ASP.NET Site Configuration Could Allow

Elevation of Privilege

Rereleased

Security

Advisory

What Has Changed?

This advisory was rereleased to offer the security update via Microsoft Update, in addition to

the download-center-only option that was provided when this advisory was originally

released.

Furthermore, the updates for some of the affected .NET Framework versions were rereleased

to address an issue that occasionally caused Page.IsPostBack to return an incorrect value.

Executive Summary

Microsoft is announcing the availability of an update for Microsoft ASP.NET to address a

vulnerability in ASP.NET view state that exists when Machine Authentication Code (MAC)

validation is disabled through configuration settings. The vulnerability could allow elevation of

privilege and affects Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework

2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft

.NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1

Recommendations

Most customers have automatic updating enabled and will not need to take any action

because this security update will be downloaded and installed automatically. For information

about specific configuration options in automatic updating, see Microsoft Knowledge Base

Article 294871. For customers who do not have automatic updating enabled, the steps in Turn automatic updating on or off can be used to enable automatic updating.

More Information http://technet.microsoft.com/library/2905247

https://support.microsoft.com/kb/294871

http://go.microsoft.com/fwlink/?LinkID=398470


Update to Improve Credentials Protection and Management

(2871997)

Rereleased

Security

Advisory

What Has Changed?

On September 9, 2014, Microsoft released the 2982378 update for supported editions of

Windows 7 and Windows Server 2008 R2. The update adds additional protection for users’

credentials when logging into a Windows 7 or Windows Server 2008 R2 system by ensuring

that credentials are cleaned up immediately instead of waiting until a Kerberos TGT (Ticket

Granting Ticket) has been obtained. For more information about this update, including

download links, see Microsoft Knowledge Base Article 2982378.

Executive Summary

Microsoft is announcing the availability of an update for supported editions of Windows 8 for

32-bit Systems, Windows 8 for x64-based Systems, Windows RT, Windows Server 2012,

Window 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for

x64-based Systems, and Windows 2008 R2 for Itanium-based Systems that improves

credential protection and domain authentication controls to reduce credential theft. This

update provides additional protection for the Local Security Authority (LSA), adds a restricted

admin mode for Credential Security Support Provider (CredSSP), introduces support for

protected account-restricted domain user category, and enforces stricter authentication

policies for Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

machines as clients.

RecommendationsMicrosoft recommends that customers apply the update immediately using update

management software, or by checking for updates using the Microsoft Update service.

More InformationMicrosoft Security Advisory 2871997

https://technet.microsoft.com/library/2871997.aspx



https://technet.microsoft.com/library/2871997.aspx


(2755801) Update for Vulnerabilities in Adobe Flash Player in

Internet Explorer

Rereleased

Security

Advisory

What Has Changed?

Microsoft updated this advisory to announce the availability of a new update for Adobe Flash

Player. On September 9, 2014, Microsoft released an update (2987114) for Internet Explorer 10

on Windows 8, Windows Server 2012, and Windows RT, and for Internet Explorer 11 on

Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the

vulnerabilities described in Adobe Security bulletin APSB14-21. For more information about

this update, including download links, see Microsoft Knowledge Base Article 2987114.

Executive Summary

Microsoft is announcing the availability of an update for Adobe Flash Player in Internet

Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT,

Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the

vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained

within Internet Explorer 10 and Internet Explorer 11.

Recommendations

Microsoft recommends that customers apply the current update immediately using update

management software, or by checking for updates using the Microsoft Update service. Since

the update is cumulative, only the current update will be offered. Customers do not need to install previous updates as a prerequisite for installing the current update.

More Information http://technet.microsoft.com/library/2755801

http://helpx.adobe.com/security/products/flash-player/APSB14-21.html




Product Families and Service Packs Reaching End of SupportSupport

Lifecycle

Product Families Nothing scheduled to enter Extended Support in September

Service PacksNo Service Packs expiring in September

October: Office 2010 SP1, Project 2010 SP1, SharePoint Server 2010 SP1, Visio 2010 SP1

More InformationMicrosoft Support Lifecycle information

http://support.microsoft.com/lifecycle/

http://support.microsoft.com/lifecycle/


Security Bulletin SummarySeptember

2014Bulletin Bulletin title Severity Priority

MS14-052 Cumulative Security Update for Internet Explorer Critical 1

MS14-053 Vulnerability in .NET Framework Could Allow Denial of Service Important 3

MS14-054 Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege Important 2

MS14-055 Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service Important 2

Appendix



MSRT Changes, Tools, and Public Security Bulletin WebcastRelated

Resources

Malicious Software

Removal Tool (MSRT)

Win32/Zemot – The threat is used by other malware to download more malware onto your PC. This

means that if you have this malware, it's highly likely you also have Win32/Kuluoz, Win32/Zbot,

Win32/Rovnix, or others.

Additional Malware

Removal Tools

Microsoft Safety Scanner

• Same basic engine as the MSRT, but with a full set of A/V signatures.

Windows Defender Offline

• An offline bootable A/V tool with a full set of signatures.

• Designed to remove rootkits and other advanced malware that can't always be detected by

antimalware programs.

• Requires you to download an ISO file and burn a CD, DVD, or USB flash drive.

Public Webcast

Information About Microsoft's Security Bulletins

Wednesday, September 10, 2014, 11:00 A.M. Pacific Time (US & Canada)

Details at: http://technet.microsoft.com/security/dn756352

Microsoft Security

Blogs

Microsoft Security Response Center Blog: http://blogs.technet.com/msrc

Microsoft Security Research Defense Blog: http://blogs.technet.com/srd

Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc

Microsoft Security Development Lifecycle Blog: http://blogs.technet.com/sdl

http://technet.microsoft.com/security/dn756352

http://blogs.technet.com/msrc

http://blogs.technet.com/srd

http://blogs.technet.com/mmpc

http://blogs.technet.com/sdl


Detection & Deployment (Manageability Tools) ReferenceSeptember

2014

BulletinWindows

Update 1Microsoft

Update 1 MBSA WSUS SMS ITMU SCCM

MS14-052 Yes Yes Yes Yes Yes Yes



MS14-055 No Yes Yes Yes Yes Yes

1. Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.

Links

Públicos

dos

Boletin de

Segurança

Português

LATAM

Links do Boletins em Português

• Microsoft Security Bulletin Summary for sep 2014-

Resumo

http://technet.microsoft.com/pt-

br/security/bulletin/ms14-sep

• Security Bulletin Search/Boletins de Segurança Busca

http://technet.microsoft.com/pt-br/security/bulletin

• Security Advisories/Comunicados de Segurança

http://technet.microsoft.com/pt-br/security/advisory

• Microsoft Technical Security Notifications - Notificações

http://technet.microsoft.com/pt-

br/security/dd252948.aspx

Blogs

Negócios de Risco

• http://blogs.technet.com/b/risco/

• MSRC Blog


• SRD Team Blog


• MMPC Team Blog


• MSRC Ecosystem Team Blog

http://blogs.technet.com/ecostrat

Supplemental Security Reference Articles

• Detailed Bulletin Information Spreadsheet


• Security Tools for IT Pros- Ferramentas de Segurança

http://technet.microsoft.com/pt-br/security/cc297183

• KB894199 Description of Software Update Services and Windows Server Update Services changes in content


• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious

software


• Mybulletins

• http://mybulletins.technet.microsoft.com/

http://technet.microsoft.com/pt-br/security/bulletin/ms14-sep

http://technet.microsoft.com/pt-br/security/bulletin

http://technet.microsoft.com/pt-br/security/advisory

http://technet.microsoft.com/pt-br/security/dd252948.aspx




http://blogs.technet.com/ecostrat


http://technet.microsoft.com/pt-br/security/cc297183



http://mybulletins.technet.microsoft.com/

Webcast

Português

Outubro

GBS Security Worldwide Programs22

Webcast Português (Externo)

WEBCAST – CLIENTEShttps://msevents.microsoft.com/CUI/EventDet

ail.aspx?EventID=1032575592

16/Outubro/2014

15:30 Hrs Brasília

Para receber convite para a conferência escrever para [email protected]

https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032575592

Documents

Monthly Security Bulletin Briefing - Microsoft€¦ · privilege and affects Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET