Embed Size (px)
Citation preview
Microsoft February 2013 Security BulletinsJonathan NessSecurity Development Manager
Dustin ChildsGroup ManagerResponse Communications
Live Video Stream
• To receive our video stream in LiveMeeting:• Click on “Voice & Video”• Click the drop down next to the camera icon
• Select “Show Main Video”
• Dial-in Information:• 1 (877) 593-2001 Pin: 3959
What We Will Cover
• Review of February 2013 Bulletin Release Information
- 12 New Security Bulletins- One Updated Security Advisory- Microsoft Windows Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now- Submit Questions via Twitter #MSFTSecWebcast
Severity & Exploitability Index
Exploitability
Index
1
RISK
2
3
DP 1 1 2 2 2 3 2 2 2 3 2 1
Severity
Critical
IMPACT
Important
Moderate
Low
MS13-009
MS13-010
MS13- 011
MS13-012
MS13-013
MS13-014
MS13-015
MS13-016
MS13-017
MS13-018
MS13-019
MS13-020
Inte
rnet
Explo
rer
Vect
or
Mark
up
Language
Dir
ect
Show
Exc
hange
OLE
Auto
mati
on
NFS
Serv
er
Share
Poin
t
.NET
Fram
ew
ork
Kern
el-
Mode
Dri
vers
Kern
el
TCP/IP
CSR
SS
Bulletin Deployment Priority
Bulletin KB #Disclosur
e
AGGSeverit
y
Exploit
Index
MaxImpac
t
Priority
Notes
MS13-010VML
2797052
Private Critical 1 RCE 1 This issue affects all versions of Internet Explorer.
MS13-009IE
2792100
Private Critical 1 RCE 1 This issue affects all versions of Internet Explorer.
MS13-020OLE
Automation
2802968
Private Critical 1 RCE 1 This issue affects Windows XP SP3.
MS13-011DirectShow
2780091
Public Critical 1 RCE 2 This issue does not affect Windows 8 or Windows RT.
MS13-012Exchange
2809279
Public Critical 2 RCE 2 This issue addresses Oracle’s Outside In library.
MS13-015.NET
2800277
PrivateImportan
t1 EoP 2
This issue affects all versions of Windows except Windows RT.
MS13-016KMD
2778344
PrivateImportan
t2 EoP 2 30 CVEs affecting all versions of Windows.
MS13-017Kernel
2799494
PrivateImportan
t1 EoP 2 This issue affects all versions of Windows.
MS13-013SharePoint
2784242
PublicImportan
t1 RCE 2 This issue addresses Oracle’s Outside In library.
MS13-019CSRSS
2790113
PublicImportan
t2 EoP 2
This issue affects Windows 7 and Windows Server 2008 R2.
MS13-018TCP/IP
2790655
PrivateImportan
t3 DoS 3 This issue affects all versions of Windows.
MS13-014NFS Server
2790978
PrivateImportan
t3 DoS 3
This issue affects Windows Server 2008 R2, Windows Server 2012.
CVE SeverityExploitability | Versions
Comment NoteLatest Older
CVE-2013-0015 Important NA 3 Information Disclosure Cooperatively Disclosed
CVE-2013-0018CVE-2013-0022CVE-2013-0028
Critical NA 2 Remote Code Execution Cooperatively Disclosed
CVE-2013-0020CVE-2013-0024CVE-2013-0025CVE-2013-0026CVE-2013-0029
Critical NA 1 Remote Code Execution Cooperatively Disclosed
CVE-2013-0019CVE-2013-0021CVE-2013-0023CVE-2013-0027
Critical 1 1 Remote Code Execution Cooperatively Disclosed
Affected ProductsIE6 – IE10 on all supported versions of Windows Client
IE6 – IE10 on all supported versions of Windows Server
Affected Components Internet Explorer
Deployment Priority 1
Main Target Workstations
Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (All CVEs)
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. (All CVEs)
Impact of Attack• An attacker who successfully exploited this vulnerability could view content from another domain or
Internet Explorer zone. (CVE-2013-0015)• An attacker could gain the same user rights as the current user. (All CVEs except for CVE-2013-0015)
Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail
open HTML email messages in the Restricted sites zone. (All CVEs)• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. (All CVEs)
Additional Information
• Installations using Server Core are not affected.• Severity levels do not apply to IE10 for CVE-2013-0022, this fix is a defense-in-depth.• This bulletin replaces the December IE Bulletin (MS12-077) and the January Out of Band Bulletin (MS13-
008).
MS13-009: Cumulative Security Update for Internet Explorer (2792100)
CVE Severity
Exploitability | Versions Comment Note
Latest Older
CVE-2013-0030
Critical 1 1 Remote Code Execution Cooperatively Disclosed
Affected Products IE6 – IE10 on all supported versions of Windows Client and Windows Server
Affected Components Vector Markup Language
Deployment Priority 1
Main Target Workstations
Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
• An attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements.
Impact of Attack • An attacker could gain the same user rights as the current user.
Mitigating Factors • An attacker cannot force users to view the attacker-controlled content.
Additional Information • Installations using Server Core are not affected.
MS13-010: Vulnerability in Vector Markup Language Could Allow Remote Code Execution (2797052)
CVE Severity
Exploitability | Versions Comment Note
Latest Older
CVE-2013-0077
Critical NA 1 Remote Code Execution Publicly Disclosed
Affected ProductsAll supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008
Affected Components DirectShow
Deployment Priority 2
Main Target Workstations
Possible Attack Vectors
• Email: an attacker could send a specially crafted media file (such as an .mpg file) to the user and then convince the user to open the file.
• Web-based: an attacker would have to host a website that contains specially crafted media content that could exploit this vulnerability.
Impact of Attack • An attacker could run arbitrary code as the current user.
Mitigating Factors• The vulnerability cannot be exploited automatically through email.• An attacker cannot force users to visit a specially crafted website.
Additional Information• Installations using Server Core are not affected.• At the time of release there were no known attacks using this vulnerability.
MS13-011: Vulnerability in Media Decompression Could Allow Remote Code Execution (2780091)
CVE Severity
Exploitability | Versions Comment Note
Latest Older
CVE-2013-0393
Important 3 3 Denial of Service Publicly Disclosed
CVE-2013-0418
Critical 2 2 Remote Code Execution Publicly Disclosed
Affected ProductsAll supported editions of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010
Affected Components Oracle Outside in Libraries/WebReady Document Viewing
Deployment Priority 2
Main Target Exchange Server Systems
Possible Attack Vectors• An attacker could send an email message containing a specially crafted file to a user on
an affected version of Exchange.
Impact of Attack
• An attacker could run arbitrary code as LocalService on the affected Exchange server. (CVE-2013-0418)
• An attacker could cause the affected Exchange Server to become unresponsive if a user views a specially crafted file through Outlook Web Access in a browser. (CVE-2013-0393)
Mitigating Factors
• The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network. (CVE-2013-0418)
Additional Information
• CVE-2013-0393 and CVE-2013-0418 discussed in the Oracle Critical Patch Update Advisory - January 2013 affect Microsoft Exchange Server and are addressed by this update.
• At the time of release there were no known attacks using these vulnerabilities.
MS13-012: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2809279)
CVE Severity
Exploitability | Versions Comment Note
Latest Older
CVE-2012-3214
Important 1 1 Remote Code Execution Publicly Disclosed
CVE-2012-3217
Important 1 1 Remote Code Execution Publicly Disclosed
Affected Products All supported editions of FAST Search Server 2010 for SharePoint
Affected Components Oracle Outside in Libraries/Advanced Filter Pack
Deployment Priority 2
Main Target FAST Search 2010 for SharePoint servers with the Advanced Filter Pack installed
Possible Attack Vectors• An attacker would need access to a file location that FAST Search 2010 for SharePoint
indexes, and have the ability to upload a specially crafted file to that location.
Impact of Attack• An attacker could run arbitrary code in the context of a user account with a restricted
token.
Mitigating Factors• FAST Search Server 2010 for SharePoint is only affected by the vulnerabilities if the
Advanced Filter Pack feature is enabled. By default, the Advanced Filter Pack feature is disabled.
Additional Information
• CVE-2012-3214 and CVE-2012-3217 discussed in the Oracle Critical Patch Update Advisory - October 2012 affect FAST Search Server 2010 for SharePoint and are addressed by this update.
• At the time of release there were no known attacks using these vulnerabilities.
MS13-013: Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Code Execution (2784242)
CVE Severity
Exploitability | Versions Comment Note
Latest Older
CVE-2013-1281
Important 3 3 Denial of Service Cooperatively Disclosed
Affected Products All supported editions of Windows Server 2008 R2 and Windows Server 2012
Affected Components NFS Server
Deployment Priority 3
Main Target Servers with the NFS Server role enabled
Possible Attack Vectors • An attacker could attempt to rename a file or folder on a read-only share.
Impact of Attack • An attacker could cause the affected system to stop responding and restart.
Mitigating Factors• An attacker must have access to the file share in order to exploit this vulnerability. The
vulnerability could not be exploited by anonymous users.• This vulnerability only affects Windows servers with the NFS role enabled.
Additional Information • Installations using Server Core are affected (except Windows Server 2008).
MS13-014: Vulnerability in NFS Server Could Allow Denial of Service (2790978)
CVE Severity
Exploitability | Versions Comment Note
Latest Older
CVE-2013-0073
Important 1 1 Elevation of Privilege Cooperatively Disclosed
Affected Products.NET Framework 2.0 SP2, .NET Framework 3.5, .NET Framework 3.5.1, .NET Framework 4, and .NET Framework 4.5 on all supported versions of Windows Client and Windows Server (except for .NET Framework 4.5 on Windows RT)
Affected Components .NET Framework
Deployment Priority 2
Main Target Workstations
Possible Attack Vectors
• Web-based: an attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that could exploit this vulnerability. The attacker could also take advantage of websites that accept or host user-provided content or advertisements.
• .NET Application based: this vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions.
Impact of Attack • An attacker could take complete control of the affected system.
Mitigating Factors
• By default, Internet Explorer 9 and Internet Explorer 10 prevent XAML, which is used by XBAPs, from running in the Internet Zone.
• By default, Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 are configured to prompt the user before running XAML, which is used by XBAPs in the Internet Zone.
Additional Information• Installations using Server Core are affected.• .NET Framework 4 and .NET Framework 4 Client Profile affected.
MS13-015: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277)
CVE Severity
Exploitability | Versions
Comment Note
Latest Older
Multiple CVEs Important NA 2 Elevation of Privilege Cooperatively Disclosed
Affected ProductsAll supported versions of Windows Client and Windows Server (except for Windows 8, Windows RT and Windows Server 2012)
Affected Components Kernel-Mode Drivers
Deployment Priority 2
Main Target Workstations
Possible Attack Vectors • An attacker could run a specially crafted application designed to increase privileges.
Impact of Attack • An attacker could gain increased privilege and read arbitrary amounts of kernel memory.
Mitigating Factors• An attacker must have valid logon credentials and be able to log on locally to exploit this
vulnerability.
Additional Information
• Installations using Server Core are affected.
• Severity ratings do not apply for Windows 8, Windows RT and Windows Server 2012. However, as a defense-in-depth measure, Microsoft recommends customers apply this security update.
• CVEs: CVE-2013-1248, CVE-2013-1249, CVE-2013-1250, CVE-2013-1251, CVE-2013-1252, CVE-2013-1253, CVE-2013-1254, CVE-2013-1255, CVE-2013-1256, CVE-2013-1257, CVE-2013-1258, CVE-2013-1259, CVE-2013-1260, CVE-2013-1261, CVE-2013-1262, CVE-2013-1263, CVE-2013-1264, CVE-2013-1265, CVE-2013-1266, CVE-2013-1267, CVE-2013-1268, CVE-2013-1269, CVE-2013-1270, CVE-2013-1271, CVE-2013-1272, CVE-2013-1273, CVE-2013-1274, CVE-2013-1275, CVE-2013-1276, CVE-2013-1277
MS13-016: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2778344)
CVE Severity
Exploitability | Versions Comment Note
Latest Older
CVE-2013-1278
Important 2 2 Elevation of Privilege Cooperatively Disclosed
CVE-2013-1279
Important 1 1 Elevation of Privilege Cooperatively Disclosed
CVE-2013-1280
Important 2 2 Elevation of Privilege Cooperatively Disclosed
Affected Products All supported versions of Windows Client and Windows Server
Affected Components Windows Kernel
Deployment Priority 2
Main Target Workstations
Possible Attack Vectors• An attacker could run a specially crafted application that could exploit the vulnerability
and take complete control over the affected system.
Impact of Attack• An attacker who successfully exploited this vulnerability could run arbitrary code in
kernel mode.
Mitigating Factors• An attacker must have valid logon credentials and be able to log on locally to exploit this
vulnerability.
Additional Information • Installations using Server Core are affected.
MS13-017: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2799494)
CVE Severity
Exploitability | Versions Comment Note
Latest Older
CVE-2013-0075
Important 3 3 Denial of Service Cooperatively Disclosed
Affected ProductsAll supported versions of Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012
All supported versions of Vista, Windows 7, Windows 8, and Windows RT
Affected Components TCP/IP
Deployment Priority 3
Main Target Servers
Possible Attack Vectors• An unauthenticated attacker could send a specially crafted connection termination
packet to the server.
Impact of Attack • An attacker could cause the target system to stop responding and automatically restart.
Mitigating Factors • Microsoft has not identified any mitigating factors for this vulnerability.
Additional Information • Installations using Server Core are affected.
MS13-018: Vulnerability in Windows TCP/IP Could Allow Denial of Service (2790655)
CVE Severity
Exploitability | Versions Comment Note
Latest Older
CVE-2013-0076
Important NA 2 Elevation of Privilege Publicly Disclosed
Affected Products All supported editions of Windows 7 and Windows Server 2008 R2
Affected Components Windows CSRSS
Deployment Priority 2
Main Target Workstations
Possible Attack Vectors• An attacker could run a specially crafted application that could exploit the vulnerability
and take complete control over an affected system.
Impact of Attack • An attacker could run arbitrary code in the context of the local system.
Mitigating Factors• An attacker must have valid logon credentials and be able to log on locally to exploit this
vulnerability.
Additional Information• Installations using Server Core are affected.• At the time of release there were no known attacks using this vulnerability.
MS13-019: Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2790113)
CVE Severity
Exploitability | Versions
Comment Note
Latest Older
CVE-2013-1313
Critical NA 1 Remote Code Execution Cooperatively Disclosed
Affected Products Windows XP Service Pack 3
Affected Components OLE Automation
Deployment Priority 1
Main Target Workstations
Possible Attack Vectors
• Email: an attacker could send specially crafted RTF-formatted data to the user and then convince the user to open the file.
• Web-based: an attacker could host a website that contains a file that is used to exploit this vulnerability and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.
Impact of Attack • An attacker could gain the same user rights as the local user.
Mitigating Factors• An attacker would have no way to force a user to visit a malicious site or open a
specially crafted file.
MS13-020: Vulnerability in OLE Automation Could Allow Remote Code Execution (2802968)
Microsoft Security Advisories
• Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
- On February 12, 2013, Microsoft released an update (KB2805940) for all supported editions of Windows 8, Windows Server 2012 and Windows RT. The update addresses the vulnerabilities described in Adobe Security Bulletin APSB13-05.
Detection & DeploymentBulletin
Windows Update
Microsoft Update
MBSA WSUS 3.0SMS 2003 with ITMU
ConfigurationManager
MS13-009IE
Yes Yes Yes1,2 Yes2 Yes2 Yes2
MS13-010VML Yes Yes Yes1,2 Yes2 Yes2 Yes2
MS13-011DirectShow
Yes Yes Yes Yes Yes Yes
MS13-012Exchange
No Yes Yes Yes Yes Yes
MS13-013SharePoint
No3 No3 No3 No3 No3 No3
MS13-014NFS Server
Yes Yes Yes1 Yes Yes Yes
MS13-015.NET
Yes Yes Yes1 Yes Yes Yes
MS13-016KMD
Yes Yes Yes1,2 Yes2 Yes2 Yes2
MS13-017Kernel
Yes Yes Yes1,2 Yes2 Yes2 Yes2
MS13-018TCP/IP
Yes Yes Yes1,2 Yes2 Yes2 Yes2
MS13-019CSRSS
Yes Yes Yes Yes Yes Yes
MS13-020OLE
AutomationYes Yes Yes Yes Yes Yes
1. The MBSA does not support detection on Windows 8, Windows RT, and Windows Server 2012.2. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the
Windows Store (except for MS13-010 which is available through WU only).3. This update is available through the Microsoft Download Center only.
Other Update Information
Bulletin Restart Uninstall Replaces
MS13-009IE
Yes Yes MS12-077, MS13-008
MS13-010VML Yes Yes MS11-052
MS13-011DirectShow
Maybe Yes MS10-033
MS13-012Exchange
No Yes MS12-080
MS13-013SharePoint
Maybe No MS12-067
MS13-014NFS Server
Yes Yes None
MS13-015.NET
Maybe Yes MS12-038
MS13-016KMD
Yes Yes MS12-078, MS13-005
MS13-017Kernel
Yes Yes MS12-068
MS13-018TCP/IP
Yes Yes MS12-032
MS13-019CSRSS
Yes Yes MS11-063
MS13-020OLE Automation
Yes Yes MS11-038
Windows Malicious Software Removal Tool (MSRT)• During this release, Microsoft will increase/add
detection capability for the following families in the MSRT:• Win32/Sirefef: A multi-component family of malware that
uses stealth to hide its presence on an affected computer.
• February MSRT will be distributed to Windows 8 (x86 and x64)
• Available as a priority update through Windows Update or Microsoft Update
• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove
Blogs• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc • Security Research & Defense blog:
http://blogs.technet.com/srd • Microsoft Malware Protection Center
Blog: http://blogs.technet.com/mmpc/
Twitter• @MSFTSecResponse
Security Centers• Microsoft Security Home Page:
www.microsoft.com/security • TechNet Security Center:
www.microsoft.com/technet/security• MSDN Security Developer Center:
http://msdn.microsoft.com/en-us/security/default.aspx
Bulletins, Advisories Notifications & Newsletters• Security Bulletins Summary:
www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search:www.microsoft.com/technet/security/current.aspx
• Security Advisories:www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications:www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter:www.microsoft.com/technet/security/secnews
Other Resources• Update Management Process
http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx
Resources
Questions & Answers
• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC blog.
http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
