Dial In Number 1-877-593-2001 Pin: 3959 Information About Microsoft August 2012 Security Bulletins...


Dial In Number 1-877-593-2001 Pin: 3959

Information About Microsoft August 2012 Security Bulletins

Jonathan Ness, Security Development Manager, Microsoft Corporation

Dustin Childs, Group Manager, Response Communications, Microsoft Corporation


Live Video Stream

• To receive our video stream in LiveMeeting:
– Click on Voice & Video
– Click the drop down next to the camera icon
– Select Show Main Video


What We Will Cover

• Review of August 2012 Bulletin Release Information
– New Security Bulletins
– Security Advisory 2661254
– Re-release of Bulletin MS12-043
– Microsoft® Windows® Malicious Software Removal Tool

• Resources

• Questions and Answers: Please Submit Now
– Submit Questions via Twitter #MSFTSecWebcast


Severity and Exploitability Index

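[Chart: aggregate severity (Critical, Important, Moderate, Low) and Exploitability Index (1 to 3) for each bulletin, MS12-052 through MS12-060, with product labels Internet Explorer, Office, Exchange, Windows, and JScript & VBScript.]

Deployment priority (DP) by bulletin:

| Bulletin | MS12-052 | MS12-053 | MS12-054 | MS12-055 | MS12-056 | MS12-057 | MS12-058 | MS12-059 | MS12-060 |
|---|---|---|---|---|---|---|---|---|---|
| DP | 1 | 2 | 1 | 3 | 2 | 3 | 2 | 3 | 1 |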


Bulletin Deployment Priority

| Bulletin | KB | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority | Notes |
|---|---|---|---|---|---|---|---|
| MS12-060 (MSCOMCTL) | 2720573 | Public | Critical | 1 | RCE | 1 | Previous MSCOMCTL vulnerabilities have recently been targets of attackers and exploit development efforts. |
| MS12-052 (IE) | 2722913 | Private | Critical | 1 | RCE | 1 | The issues addressed in this bulletin were cooperatively disclosed and no exploits are known to exist in the wild. |
| MS12-054 (Networking) | 2733594 | Private | Critical | 1 | RCE | 1 | Network level access controls can mitigate these vulnerabilities. |
| MS12-053 (RDP) | 2723135 | Private | Critical | 2 | RCE | 2 | This issue only affected XP SP3 and can be mitigated with network level access controls. |
| MS12-058 (Exchange) | 2737112 | Public | Critical | 1 | RCE | 2 | This issue was discussed last month in Security Advisory 2737111 and addresses 13 CVEs in Oracle Outside In Library. |
| MS12-056 (JScript) | 2706045 | Private | Important | 2 | RCE | 2 | This bulletin addresses a CVE that is shared with MS12-052. |
| MS12-055 (KMD) | 2731847 | Private | Important | 1 | EoP | 3 | A would-be attacker would require local, authenticated access to exploit the issue addressed in this update. |
| MS12-057 (Office) | 2731879 | Private | Important | 3 | RCE | 3 | This issue requires user interaction. |
| MS12-059 (Visio) | 2733918 | Private | Important | 1 | RCE | 3 | This issue requires user interaction. |


MS12-052: Cumulative Security Update for Internet Explorer (2722913)

| CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1526 | Critical | 3 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-2521 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-2522 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-2523 | Important | 2 | 2 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: Internet Explorer 6, 7, 8, & 9 on Windows clients; Internet Explorer 6, 7, 8 & 9 on Windows Servers

Affected Components: Internet Explorer

Deployment Priority: 1

Main Target: Servers and workstations using IE

Possible Attack Vectors

• An attacker could host a website that contains a maliciously crafted page designed to exploit this vulnerability.
• An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.

Impact of Attack

• An attacker who successfully exploited these vulnerabilities could obtain the same permissions as the currently logged-on user.

Mitigating Factors

• An attacker would have no way to force users to visit a malicious website.
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode known as Enhanced Security Configuration.
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML emails in the Restricted sites zone.

Additional Information

• Installations using Server Core are not affected.
• Customers with Internet Explorer 8 installed on their systems can address the vulnerability described in CVE-2012-2523 by installing the KB2706045 update.


MS12-053: Vulnerability in Remote Desktop Could Allow Remote Code Execution (2723135)

| CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1889 | Critical | NA | 2 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: Windows XP SP3

Affected Components: Remote Desktop Protocol

Deployment Priority: 2

Main Target: Systems with RDP enabled

Possible Attack Vector

• For systems running supported editions of Windows XP, a remote unauthenticated attacker could exploit this vulnerability by sending a sequence of specially crafted RDP packets to the target system.

Impact of Attack

• An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Mitigating Factors

• By default, the Remote Desktop Protocol is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk. Note that on Windows XP, Remote Assistance can enable RDP.

Additional Information

• There are no known attacks against this vulnerability in the wild.


MS12-054: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)

| CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1850 | Important | NA | NA | Denial of Service | Cooperatively Disclosed |
| CVE-2012-1851 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1852 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1853 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: All supported versions of Windows XP and Windows Server 2003; all supported versions of Vista; all supported versions of Windows Server 2008 and 2008 R2, Windows 7

Affected Components: Windows Networking Components

Deployment Priority: 1

Main Target: Servers and workstations

Possible Attack Vectors

• A remote unauthenticated attacker could exploit this vulnerability by sending a sequence of specially crafted RAP packets to the target system. (CVE-2012-1850)
• A remote unauthenticated attacker could exploit the vulnerability by responding to the print spooler's requests with a specially crafted response. (CVE-2012-1851/1852/1853)

Impact of Attack

• An attacker who successfully exploited this vulnerability could cause the service to stop responding. (CVE-2012-1850)
• An attacker who successfully exploited this vulnerability could run arbitrary code on a user's system with system privileges. (CVE-2012-1851/1852/1853)

Mitigating Factors

• Network level access controls can be used to mitigate the vulnerabilities addressed in this bulletin.

Additional Information

• Installations using Server 2008 Core are affected and rated as Moderate.


MS12-055: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2731847)

| CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1854 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |

Affected Products: All supported versions of Windows and Windows Server

Affected Components: Windows Kernel-Mode Drivers

Deployment Priority: 3

Main Target: Workstations

Possible Attack Vectors

• To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Mitigating Factors

• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Additional Information

• Installations using Server Core are affected.


MS12-056: Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution (2706045)

| CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-2523 | Important | 2 | 2 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: JScript 5.8 and VBScript 5.8 on all supported 64-bit versions of Windows XP, Windows 7; JScript 5.8 and VBScript 5.8 on all supported 64-bit versions of Windows Server 2003, 2008 and 2008 R2

Affected Components: JScript and VBScript scripting engines

Deployment Priority: 2

Main Target: Systems where IE 8 and IE 9 are used

Possible Attack Vectors

• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
• An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.

Impact of Attack

• An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.

Mitigating Factors

• An attacker would have no way to force users to visit a malicious website.
• Only 64-bit versions of Microsoft Windows that are additionally configured to use the 64-bit version of Internet Explorer are affected by this vulnerability.
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.

Additional Information

• The JavaScript Integer Overflow Remote Code Execution Vulnerability (CVE-2012-2523) described in this bulletin is also addressed by MS12-052.
• Installations using Server Core are not affected.


MS12-057: Vulnerability in Microsoft Office Could Allow for Remote Code Execution (2731879)

| CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-2524 | Important | 3 | 3 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: Office 2007 SP2 and SP3, Office 2010 SP1 (x86 and 64-bit)

Affected Components: Office

Deployment Priority: 3

Main Target: Workstations

Possible Attack Vectors

• This vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or insert a specially crafted CGM file into a document with an affected version of Microsoft Office.
• In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted file that is used to attempt to exploit this vulnerability.
• In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and by convincing the user to open the file.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code as the current user.

Mitigating Factors

• The vulnerability cannot be exploited automatically through email.
• For an attack to be successful a user must open an attachment that is sent in an email message.
• An attacker would have no way to force users to visit a malicious website.

Additional Information

• Microsoft has no indication that this issue is under active attack in the wild.


MS12-058: Vulnerability in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (2740358)

| CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note |
|---|---|---|---|---|---|
| See Note Below | Critical | 1 | 1 | Remote Code Execution | Publicly Disclosed |

Affected Products: Exchange Server 2007 SP3, Exchange Server 2010 SP1 and SP2

Affected Components: WebReady Document Viewing

Deployment Priority: 2

Main Target: Exchange Servers

Possible Attack Vectors

• An attacker could send an email message containing a specially crafted file to a user on an affected version of Exchange. When the user previews the specially crafted file in the browser, arbitrary code could be run on the Exchange server.

Impact of Attack

• An attacker who successfully exploited these vulnerabilities could run arbitrary code as LocalService.

Mitigating Factors

• The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.

Additional Information

• This update addresses 13 vulnerabilities in the Oracle Outside In Library. See bulletin for specific CVEs.
• This issue was discussed last month in Security Advisory 2737111, published July 24.


MS12-059: Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2733918)

| CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1888 | Important | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: Visio 2010 (32-bit and 64-bit), Visio Viewer 2010 (32-bit and 64-bit)

Affected Components: Visio

Deployment Priority: 3

Main Target: Workstations that use Visio

Possible Attack Vectors

• This vulnerability requires that a user open a specially crafted file with an affected version of Visio.
• In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted Visio file that is used to attempt to exploit this vulnerability.
• In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Visio file to the user and by convincing the user to open the file.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code as the current user.

Mitigating Factors

• An attacker would have no way to force users to visit a malicious website or open a malicious file in email.

Additional Information

• The Microsoft Office update MS11-089 was applied to systems running Microsoft Visio 2010 even though this software was listed as non-affected in the MS11-089 bulletin.


MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)

| CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-1856 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products

Office 2003 SP3 and Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1 (32-bit), SQL Server 2000 SP4 and Analysis Services SP4, SQL Server 2005 Express w/Advanced Services SP4, SQL Server 2005 for 32-bit Ed. and 64-bit Ed. SP4, SQL Server 2005 for Itanium-based Systems SP4, all supported versions of SQL Server 2008 and 2008 R2 except Management Studio, Commerce Server 2002 SP4, Commerce Server 2007 SP2, and Commerce Server 2009 and 2009 R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, and Visual FoxPro 9.0 SP2, Visual Basic 6.0 Runtime

Affected Components: Windows Common Controls

Deployment Priority: 1

Main Target: Workstations and Servers

Possible Attack Vectors

• In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially crafted document to the user and convincing the user to open the document.
• In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Impact of Attack

• An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.

Mitigating Factors

• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.
• The attacker would have to convince the user to open the attachment in order to exploit the vulnerability.

Additional Information

• Microsoft is aware of limited, targeted attacks attempting to exploit this vulnerability.


Microsoft Security Advisory (2661254): Update For Minimum Certificate Key Length

• Microsoft is announcing the availability of an update to Windows that restricts the use of weak RSA keys less than 1024 bits in length.

• The update is available on the Download Center as well as the Microsoft Update Catalog for all supported releases of Microsoft Windows.

• Microsoft is planning to release this update through Microsoft Update in October 2012.
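
An added example, not part of the webcast or of Microsoft's tooling: a PowerShell inventory of certificates in the local Windows certificate stores whose RSA public key is shorter than 1024 bits, the key length this advisory's update restricts. The function name `Find-WeakRsaCertificate` and its parameters are assumptions made for this example.

```powershell
# Added example (not from the webcast): list certificates in the local
# certificate stores whose RSA public key is below a minimum length.
function Find-WeakRsaCertificate {
    [CmdletBinding()]
    param(
        # Threshold taken from Security Advisory 2661254 (keys under 1024 bits).
        [int]$MinimumBits = 1024,
        # Store roots to walk; both are standard Cert: provider locations.
        [string[]]$StoreRoot = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )

    foreach ($root in $StoreRoot) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            # The recursion also returns store containers; keep certificates only.
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert = $_
                $rsa = $null
                try {
                    # Returns $null for non-RSA certificates (for example ECDSA).
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
                } catch {
                    Write-Verbose "Skipping $($cert.Thumbprint): $($_.Exception.Message)"
                }

                if ($null -ne $rsa) {
                    if ($rsa.KeySize -lt $MinimumBits) {
                        [pscustomobject]@{
                            # PSParentPath looks like "...Certificate::LocalMachine\Root".
                            Store      = $cert.PSParentPath -replace '^.*::', ''
                            Subject    = $cert.Subject
                            Issuer     = $cert.Issuer
                            Thumbprint = $cert.Thumbprint
                            KeyBits    = $rsa.KeySize
                            NotAfter   = $cert.NotAfter
                            Expired    = ($cert.NotAfter -lt (Get-Date))
                        }
                    }
                    $rsa.Dispose()
                }
            }
    }
}

# Report every weak-key certificate found, grouped by store.
Find-WeakRsaCertificate | Sort-Object Store, Subject | Format-Table -AutoSize
```

Running this before deploying the update shows which installed certificates fall under the restriction; certificates presented by remote servers or embedded in signed files are not covered by a store inventory.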


MS12-043: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479) Re-release

• Microsoft is rereleasing MS12-043 to offer the security updates for Microsoft XML Core Services 5.0 that were unavailable at the time of initial release.

• Customers running Microsoft XML Core Services 5.0 should apply the KB2687324, KB2596856, or KB2596679 update to be protected from the vulnerability described in this bulletin.

• Customers who have already successfully installed the updates originally offered on July 10, 2012 for Microsoft XML Core Services 3.0, Microsoft XML Core Services 4.0, and Microsoft XML Core Services 6.0 do not need to take any additional action for these versions.


Detection & Deployment

| Bulletin | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | SCCM 2007 |
|---|---|---|---|---|---|---|
| MS12-052 (IE) | Yes | Yes | Yes | Yes | Yes | Yes |
| MS12-053 (RDP) | Yes | Yes | Yes | Yes | Yes | Yes |
| MS12-054 (Networking) | Yes [1] | Yes [1] | Yes [1] | Yes [1] | Yes [1] | Yes [1] |
| MS12-055 (KMD) | Yes | Yes | Yes | Yes | Yes | Yes |
| MS12-056 (JScript) | Yes | Yes | Yes | Yes | Yes | Yes |
| MS12-057 (Office) | No | Yes | Yes | Yes | Yes | Yes |
| MS12-058 (Exchange) | No | Yes | Yes | Yes | Yes | Yes |
| MS12-059 (Visio) | No | Yes | Yes | Yes | Yes | Yes |
| MS12-060 (MSCOMCTL) | No | Yes | Yes | Yes | Yes | Yes |

[1] Yes for all except Windows XP Media Center 2005 and XP Tablet Edition 2005


Other Update Information

| Bulletin | Restart | Uninstall | Replaces |
|---|---|---|---|
| MS12-052 (IE) | Yes | Yes | MS12-037 |
| MS12-053 (RDP) | Yes | Yes | MS12-036 |
| MS12-054 (Networking) | Yes | Yes | MS09-022 |
| MS12-055 (KMD) | Yes | Yes | MS12-047 |
| MS12-056 (JScript) | Maybe | Yes | MS11-031 |
| MS12-057 (Office) | Maybe | Yes | MS10-105, MS11-073 |
| MS12-058 (Exchange) | No | Yes | None |
| MS12-059 (Visio) | Maybe | Yes | MS11-089, MS12-031 |
| MS12-060 (MSCOMCTL) | Maybe | No [1] | MS12-027 |

[1] Uninstall is only possible on Host Integration Server, Commerce Server 2009 R2, and SQL Server 2000


Windows Malicious Software Removal Tool (MSRT)

• During this release Microsoft will increase detection capability for the following families in the MSRT:
– Win32/Bafruz: A backdoor Trojan that allows unauthorized access and control of an affected computer.
– Win32/Matsnu: A Trojan that can perform certain actions based on instructions from a remote server. It also changes certain computer settings.

• Available as a priority update through Windows Update or Microsoft Update.

• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.


The Security site on TechNet is changing!

• In the coming months, the TechNet Security site will be updated to the Windows 8-style UI. Some of the highlights will include a modern look and feel, streamlined navigation, and easily discoverable security tools. Take a look at how these changes are already happening across TechNet: http://technet.microsoft.com


Resources

Blogs
• Microsoft Security Response Center (MSRC) blog: www.blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/

Twitter
• @MSFTSecResponse

Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx

Bulletins, Advisories, Notifications & Newsletters
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews

Other Resources
• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx


Questions and Answers

• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC Blog: http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.