Dial In Number 1-877-593-2001 Pin: 3959 Information About Microsoft August 2012 Security Bulletins...

Dial In Number 1-877-593-2001 Pin: 3959

Information About Microsoft August 2012 Security Bulletins

Jonathan NessSecurity Development ManagerMicrosoft Corporation

Dustin ChildsGroup Manager, Response CommunicationsMicrosoft Corporation


Live Video Stream

• To receive our video stream in LiveMeeting:– Click on Voice & Video– Click the drop down next to the camera icon

– Select Show Main Video


What We Will Cover

• Review of August 2012 Bulletin Release Information– New Security Bulletins– Security Advisory 2661254– Re-release of Bulletin MS12-043– Microsoft® Windows® Malicious Software Removal Tool

• Resources

• Questions and Answers: Please Submit Now– Submit Questions via Twitter #MSFTSecWebcast


Severity and Exploitability Index

Exploitabilit

y Inde

x

1

RISK2

3

DP 1 2 1 3 2 3 2 3 1

Severity

Critical

IMPACT

Important

Moderate

Low

MS12-052 MS12-053 MS12-054 MS12-055 MS12-056 MS12-057 MS12-058 MS12-059 MS12-060

Inte

rne

t E

xp

lore

r

Off

ice

Ex

ch

an

ge

Win

do

ws

Win

do

ws

Win

do

ws

JS

cri

pt

& V

BS

cri

pt

Off

ice

Win

do

ws


Bulletin Deployment Priority

Bulletin KB Disclosure Aggregate Severity

Exploit Index

MaxImpact

Deployment Priority Notes

MS12-060MSCOMCTL

2720573 Public Critical 1 RCE 1 Previous MSCOMCTL vulnerabilities have recently been targets of attackers and exploit development efforts.

MS12-052IE

2722913 Private Critical 1 RCE 1 The issues addressed in this bulletin were cooperatively disclosed and no exploits are known to exist in the wild.

MS12-054Networking

2733594 Private Critical 1 RCE 1 Network level access controls can mitigate these vulnerabilities.

MS12-053RDP

2723135 Private Critical 2 RCE 2 This issue only affected XP SP3 and can be mitigated with network level access controls.

MS12-058Exchange

2737112 Public Critical 1 RCE 2This issue was discussed last month in Security Advisory 2737111 and addresses 13 CVE’s in Oracle Outside In Library.

MS12-056Jscript

2706045 Private Important 2 RCE 2 This bulletin addresses a CVE that is shared with MS12-052.

MS12-055KMD

2731847 Private Important 1 EoP 3 A would-be attacker would require local, authenticated access to exploit the issue addressed in this update.

MS12-057Office

2731879 Private Important 3 RCE 3 This issue requires user interaction.

MS12-059Visio

2733918 Private Important 1 RCE 3This issue requires user interaction.


MS12-052: Cumulative Security Update for Internet Explorer (2722913)

CVE SeverityExploitability

Comment NoteLatest Software Older Versions

CVE-2012-1526 Critical 3 1 Remote Code Execution Cooperatively Disclosed



CVE-2012-2523 Important 2 2 Remote Code Execution Cooperatively Disclosed

Affected Products Internet Explorer 6, 7, 8, & 9 on Windows clients Internet Explorer 6, 7, 8 & 9 on Windows Servers

Affected Components Internet Explorer

Deployment Priority 1

Main Target Servers and workstations using IE

Possible Attack Vectors

• An attacker could host a website that contains a maliciously crafted page designed to exploit this vulnerability. • An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office

document that hosts the IE rendering engine

Impact of Attack• An attacker who successfully exploited these vulnerabilities could obtain the same permissions as the currently

logged-on user.

Mitigating Factors

• An attacker would have no way to force users to visit a malicious website.• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a

restricted mode known as Enhanced Security Configuration.• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML

emails in the Restricted sites zone.

Additional Information

• Installations using Server Core are not affected.• Customers with Internet Explorer 8 installed on their systems can address the vulnerability described in CVE-2012-

2523 by installing the KB2706045 update.

http://technet.microsoft.com/en-us/library/dd883248(WS.10).aspx


MS12-053: Vulnerability in Remote Desktop Could Allow Remote Code Execution (2723135)



CVE-2012-1889 Critical NA 2 Remote Code Execution Cooperatively Disclosed

Affected Products Windows XP SP3

Affected Components Remote Desktop Protocol


Main Target Systems with RDP enabled

Possible Attack Vector• For systems running supported editions of Windows XP, a remote unauthenticated attacker

could exploit this vulnerability by sending a sequence of specially crafted RDP packets to the target system.

Impact of Attack• An attacker who successfully exploited this vulnerability could take complete control of the

affected system.

Mitigating Factors• By default, the Remote Desktop Protocol is not enabled on any Windows operating system.

Systems that do not have RDP enabled are not at risk. Note that on Windows XP, Remote Assistance can enable RDP.

Additional Information • There are no known attacks against this vulnerability in the wild.


MS12-054: Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution (2733594)



CVE-2012-1850 Important NA NA Denial of Service Cooperatively Disclosed




Affected ProductsAll supported versions of Windows XP and Windows Server 2003

All supported versions of VistaAll supported versions of Windows Server 2008 and 2008 R2, Windows 7

Affected Components Windows Networking Components


Main Target Servers and workstations


• A remote unauthenticated attacker could exploit this vulnerability by sending a sequence of specially crafted RAP packets to the target system. (CVE-2012-1850)

• A remote unauthenticated attacker could exploit the vulnerability by responding to the print spooler's requests with a specially crafted response. (CVE-2012-1851/1852/1853)

Impact of Attack

• An attacker who successfully exploited this vulnerability could cause the service to stop responding. (CVE-2012-1850)

• An attacker who successfully exploited this vulnerability could run arbitrary code on a user's system with system privileges. (CVE-2012-1851/1852/1853)

Mitigating Factors • Network level access controls can be used to mitigate the vulnerabilities addressed in this bulletin

Additional Information • Installations using Server 2008 Core are affected and rated as Moderate.


MS12-055: Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2731847)



CVE-2012-1854 Important 1 1 Elevation of Privilege Cooperatively Disclosed

Affected Products All supported versions of Windows and Windows Server

Affected Components Windows Kernel-Mode Drivers


Main Target Workstations

Possible Attack Vectors• To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could

then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

Impact of Attack • An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Mitigating Factors • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Additional Information • Installations using Server Core are affected.


MS12-056: Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution (2706045)




Affected Products JScript 5.8 and VBScript 5.8 on all supported 64-bit versions of Windows XP, Windows 7

JScript 5.8 and VBScript 5.8 on all supported 64-bit versions of Windows Server 2003, 2008 and 2008R2

Affected Components JScript and VBScript scripting engines


Main Target Systems where IE 8 and IE 9 are used


• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

• An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.

Impact of Attack• An attacker who successfully exploited this vulnerability could gain the same user rights as the

current user.

Mitigating Factors

• An attacker would have no way to force user to visit a malicious website.• Only 64-bit versions of Microsoft Windows that are additionally configured to use the 64-bit version of

Internet Explorer are affected by this vulnerability.• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server

2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.

Additional Information• The JavaScript Integer Overflow Remote Code Execution Vulnerability (CVE-2012-2523) described in

this bulletin is also addressed by MS12-052. • Installations using Server Core are not affected.

http://technet.microsoft.com/library/dd883248.aspx


MS12-057: Vulnerability in Microsoft Office Could Allow for Remote Code Execution (2731879)


Comment Cooperatively DisclosedLatest Software Older Versions


Affected Products Office 2007 SP2 and SP3, Office 2010 SP1 (x86 and 64-bit)

Affected Components Office


Main Target Workstations


• This vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office or insert a specially crafted CGM file into a document with an affected version of Microsoft Office.

• In a web-based attack scenario, In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted file that is used to attempt to exploit this vulnerability.

• In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and by convincing the user to open the file.

Impact of Attack • An attacker who successfully exploited this vulnerability could run arbitrary code as the current user.

Mitigating Factors

• The vulnerability cannot be exploited automatically through email.• For an attack to be successful a user must open an attachment that is sent in an email message.• An attacker would have no way to force user to visit a malicious website.

Additional Information • Microsoft has no indication that this issue is under active attack in the wild.


MS12-058: Vulnerability in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (2740358)



See Note Below Critical 1 1 Remote Code Execution Publicly Disclosed

Affected Products Exchange Server 2007 SP3, Exchange Server 2010 SP1 and SP2

Affected Components WebReady Document Viewing


Main Target Exchange Servers


• An attacker could send an email message containing a specially crafted file to a user on an affected version of Exchange. When the user previews the specially crafted file in the browser, arbitrary code could be run on the Exchange server.

Impact of Attack• An attacker who successfully exploited these vulnerabilities could run arbitrary code as LocalService.

Mitigating Factors

• The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.

Additional Information

• This update addresses 13 vulnerabilities in the Oracle Outside In Library. See bulletin for specific CVEs

• This issue was discussed last month in Security Advisory 2737111, published July 24.


MS12-059: Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2733918)

CVE Severity

Exploitability

Comment NoteLatest

SoftwareOlder Versions


Affected Products Visio 2010 (32-bit and 64-bit), Visio Viewer 2010 (32-bit and 64-bit),

Affected Components Visio


Main Target Workstations that use Visio


• This vulnerability requires that a user open a specially crafted file with an affected version of Visio. • In a web-based attack scenario, an attacker would have to host a website that contains a

specially crafted Visio file that is used to attempt to exploit this vulnerability.• In an email attack scenario, an attacker could exploit the vulnerability by sending a specially

crafted Visio file to the user and by convincing the user to open the file.

Impact of Attack• An attacker who successfully exploited this vulnerability could run arbitrary code as the current user.

Mitigating Factors• An attacker would have no way to force user to visit a malicious website or open a malicious file in email.

Additional Information• The Microsoft Office update MS11-089 was applied to systems running Microsoft Visio 2010 even though

this software was listed as non-affected in the MS11-089 bulletin.


MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)




Affected Products

Office 2003 SP3 and Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1 (32-bit), SQL Server 2000 SP4 and Analysis Services SP4, SQL Server 2005 Express w/Advanced Services SP 4, SQL Server 2005 for 32-bit Ed. and 64-bit Ed. SP4, SQL Server 2005 for Itanium-based Systems SP4, All supported versions of SQL Server 2008 and 2008R2 except Management Studio, Commerce Server 2002 SP4, Commerce Server 2007 SP2, and Commerce Server 2009 and 2009R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, and Visual FoxPro 9.0 SP2, Visual Basic 6.0 Runtime

Affected Components Windows Common Controls


Main Target Workstations and Servers


• In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially crafted document to the user and convincing the user to open the document.

• In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Impact of Attack• An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.

Mitigating Factors

• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.

• The attacker would have to convince the user to open the attachment in order to exploit the vulnerability.

Additional Information • Microsoft is aware of limited, targeted attacks attempting to exploit this vulnerability.


• Microsoft is announcing the availability of an update to Windows that restricts the use of weak RSA keys less than 1024 bits in length.

• The update is available on the Download Center as well as the Microsoft Update Catalog for all supported releases of Microsoft Windows.

• Microsoft is planning to release this update through Microsoft Update in October 2012

Microsoft Security Advisory (2661254): Update For Minimum Certificate Key Length


• Microsoft is rereleasing MS12-043 to offer the security updates for Microsoft XML Core Services 5.0 that were unavailable at the time of initial release.

• Customers running Microsoft XML Core Services 5.0 should apply the KB2687324, KB2596856, or KB2596679 update to be protected from the vulnerability described in this bulletin.

• Customers who have already successfully installed the updates originally offered on July 10, 2012 for Microsoft XML Core Services 3.0, Microsoft XML Core Services 4.0, and Microsoft XML Core Services 6.0 do not need to take any additional action for these versions.

MS12-043: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479) Re-release


Detection & Deployment

Bulletin Windows Update Microsoft Update MBSA WSUS 3.0 SMS 2003 with ITMU SCCM 2007

MS12-052IE

Yes Yes Yes Yes Yes Yes

MS12-053RDP Yes Yes Yes Yes Yes Yes

MS12-054Networking

Yes1 Yes1 Yes1 Yes1 Yes1 Yes1

MS12-055KMD


MS12-056Jscript


MS12-057Office

No Yes Yes Yes Yes Yes

MS12-058Exchange


MS12-059Visio


MS12-060MSCOMCTL


1. Yes for all except Windows XP Media Center 2005 and XP Tablet Edition 2005


Other Update Information

Bulletin Restart Uninstall Replaces

MS12-052IE

Yes Yes MS12-037

MS12-053RDP Yes Yes MS12-036

MS12-054Networking

Yes Yes MS09-022

MS12-055KMD

Yes Yes MS12-047

MS12-056Jscript

Maybe Yes MS11-031

MS12-057Office

Maybe Yes MS10-105, MS11-073

MS12-058Exchange

No Yes None

MS12-059Visio

Maybe Yes MS11-089, MS12-031

MS12-060MSCOMCTL

Maybe No1 MS12-027

1. Uninstall is only possible on Host Integration Server, Commerce Server 2009R2, and SQL Server 2000


Windows Malicious Software Removal Tool (MSRT)

• During this release Microsoft will increase detection capability for the following families in the MSRT:– Win32/Bafruz: A backdoor Trojan that allows unauthorized access and control of an

affected computer.– Win32/Matsnu: A Trojan that can perform certain actions based on instructions from a

remote server. It also changes certain computer settings.

• Available as a priority update through Windows Update or Microsoft Update.

• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/Bafruz



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Gamarue

http://www.microsoft.com/malwareremove


The Security site on TechNet is changing!

• In the coming months, the TechNet Security site will be updated to the Windows 8-style UI. Some of the highlights will include a modern look and feel, streamlined navigation, and easily discoverable security tools. Take a look at how these changes are already happening across TechNet http://technet.microsoft.com.

http://technet.microsoft.com/


ResourcesBlogs• Microsoft Security Response Center (MSRC) blog:

www.blogs.technet.com/msrc • Security Research & Defense blog:

http://blogs.technet.com/srd • Microsoft Malware Protection Center Blog:

http://blogs.technet.com/mmpc/

Twitter• @MSFTSecResponse

Security Centers• Microsoft Security Home Page:

www.microsoft.com/security • TechNet Security Center:

www.microsoft.com/technet/security• MSDN Security Developer Center:

http://msdn.microsoft.com/en-us/security/default.aspx

Bulletins, Advisories, Notifications & Newsletters• Security Bulletins Summary:

www.microsoft.com/technet/security/bulletin/summary.mspx

• Security Bulletins Search:www.microsoft.com/technet/security/current.aspx

• Security Advisories:www.microsoft.com/technet/security/advisory/

• Microsoft Technical Security Notifications:www.microsoft.com/technet/security/bulletin/notify.mspx

• Microsoft Security Newsletter:www.microsoft.com/technet/security/secnews

Other Resources• Update Management Process

http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx

• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx

http://www.blogs.technet.com/msrc

http://blogs.technet.com/srd

http://blogs.technet.com/mmpc/

http://www.microsoft.com/security

http://www.microsoft.com/technet/security



http://www.microsoft.com/technet/security/bulletin/summary.mspx

http://www.microsoft.com/technet/security/bulletin/summary.mspx

http://www.microsoft.com/technet/security/current.aspx

http://www.microsoft.com/technet/security/advisory/

http://www.microsoft.com/technet/security/bulletin/notify.mspx

http://www.microsoft.com/technet/security/bulletin/notify.mspx

http://www.microsoft.com/technet/security/secnews



http://www.microsoft.com/security/msrc/mapp/partners.mspx

http://www.microsoft.com/security/msrc/mapp/partners.mspx


Questions and Answers• Submit text questions using the “Ask” button. • Don’t forget to fill out the survey.• A recording of this webcast will be available within 48 hours on the

MSRC Blog:http://blogs.technet.com/msrc

• Register for next month’s webcast at:http://microsoft.com/technet/security/current.aspx

http://blogs.technet.com/msrc

http://microsoft.com/technet/security/current.aspx


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after

the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Dial In Number 1-877-593-2001 Pin: 3959 Information About Microsoft August 2012 Security Bulletins...

Documents

Transcript of Dial In Number 1-877-593-2001 Pin: 3959 Information About Microsoft August 2012 Security Bulletins...