dial in number 1-877-593-2001 pin: 3959 information about microsoft december 2012 security bulletins...
TRANSCRIPT
Dial In Number 1-877-593-2001 Pin: 3959
Information About Microsoft December 2012 Security Bulletins
Jonathan NessSecurity Development ManagerMicrosoft Corporation
Dustin ChildsGroup Manager, Response CommunicationsMicrosoft Corporation
Dial In Number 1-877-593-2001 Pin: 3959
Live Video Stream
• To receive our video stream in LiveMeeting:– Click on Voice & Video– Click the drop down next to the camera icon
– Select Show Main Video
Dial In Number 1-877-593-2001 Pin: 3959
What We Will Cover
• Review of December 2012 Bulletin Release Information– Seven security bulletins– Two updated security Advisories– Five security bulletin re-releases– Microsoft® Windows® Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now– Submit Questions via Twitter #MSFTSecWebcast
Dial In Number 1-877-593-2001 Pin: 3959
Severity and Exploitability Index
Exploitabili
ty Index
1
RISK2
3
DP 1 2 1 2 2 2 3
Severity
Critical
IMPACT
Important
Moderate
Low
MS12-077 MS12-078 MS12-079 MS12-080 MS12-081 MS12-082 MS12-083
Inte
rne
t E
xp
lore
r
Win
do
ws
Fil
e H
an
dli
ng
Dir
ec
tPla
y
Wo
rd
Ex
ch
an
ge
IP-H
TT
PS
Ke
rne
l
Dial In Number 1-877-593-2001 Pin: 3959
Bulletin Deployment Priority
Bulletin KB Disclosure Aggregate Severity
Exploit Index
MaxImpact
Deployment Priority Notes
MS12-077IE 2761465 Private Critical 1 RCE 1 All versions of Internet Explorer are affected.
MS12-079Word 2780642 Private Critical 1 RCE 1
Microsoft Office Word 2007 and 2010 customers also need to install Compatibility Pack (KB2760416) to be protected from the vulnerability.
MS12-081Windows File
Handling2758857 Private Critical 1 RCE 2 Windows 8, Windows RT and Server 2012 are not affected
MS12-078Kernel 2783534 Public Critical 1 RCE 2 Windows 8, Server 2012 and Windows RT are affected
MS12-080Exchange 2784126 Public Critical 1 RCE 2 Release ensures customers using this third-party code in
Microsoft Exchange are protected from these vulnerabilities
MS12-082DirectPlay 2770660 Private Important 2 RCE 2 Windows RT is not affected
MS12-083IP-HTTPS 2765809 Private Important NA Security
Bypass 3 Security Bypass on Windows Server 2008 and 2012
Dial In Number 1-877-593-2001 Pin: 3959
MS12-077: Cumulative Security Update for Internet Explorer (2761465)CVE Severity
ExploitabilityComment Note
Latest Software Older Versions
CVE-2012-4781 Critical NA 2 Remote Code Execution Cooperatively Disclosed
CVE-2012-4782 Critical NA 2 Remote Code Execution Cooperatively Disclosed
CVE-2012-4787 Critical 1 1 Remote Code Execution Cooperatively Disclosed
Affected ProductsInternet Explorer 9 and 10 on all supported versions of Vista, Windows 7 & 8, and Windows RT
Internet Explorer 9 & 10 on all supported versions of Windows Server 2008 and 2008 R2, and 2012
Internet Explorer 6, 7 & 8 on all supported versions of Windows XP, Vista, Windows 7, Windows Server 2003, 2008 & 2008 R2
Affected Components Internet Explorer
Deployment Priority 1
Main Target Workstations
Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (All CVEs)
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. (All CVEs)
• An attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. (CVE-2012-4787)
Impact of Attack • An attacker could gain the same user rights as the current user. (All CVEs)
Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML
email messages in the Restricted sites zone. (All CVEs)• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and
Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. (All CVEs)
Additional Information • Installations using Server Core are not affected.
Dial In Number 1-877-593-2001 Pin: 3959
MS12-078: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2783534)
CVE SeverityExploitability
Comment NoteLatest Software Older Versions
CVE-2012-2556 Critical 1 1 Remote Code Execution Publicly Disclosed
CVE-2012-4786 Critical 1 1 Remote Code Execution Cooperatively Disclosed
Affected Products All supported versions of Windows and Windows Server
Affected Components Kernel-Mode Drivers
Deployment Priority 2
Main Target Workstations
Possible Attack Vectors
• Web-based: an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website.
• File Sharing: an attacker could provide a specially crafted document file that is designed to exploit this vulnerability.
• Local: an attacker could also exploit this vulnerability by running a specially crafted application to take complete control over the affected system.
Impact of Attack• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel
mode.
Mitigating Factors• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and
Windows Mail open HTML email messages in the Restricted sites zone.• An attacker cannot force a user to visit a malicious website.
Additional Information • Installations using Server Core are affected.
Dial In Number 1-877-593-2001 Pin: 3959
MS12-079: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2780642)
CVE SeverityExploitability
Comment NoteLatest Software Older Versions
CVE-2012-2539 Critical NA 1 Remote Code Execution Cooperatively Disclosed
Affected ProductsAll supported editions of Microsoft Word 2007 and Microsoft Word 2010
All supported editions of Microsoft Word 2003, and all supported versions of Microsoft Word Viewer, Microsoft Office Compatibility Pack, and Microsoft Office Web Apps
Affected Components Microsoft Word, Word Automation Services
Deployment Priority 1
Main Target Workstations
Possible Attack Vectors
• This vulnerability requires that a user open or preview specially crafted RTF-formatted data with an affected version of Microsoft Office software.
• Email: an attacker could exploit the vulnerability by sending specially crafted RTF-formatted data in the contents of an email message. The vulnerability could be exploited when the specially crafted RTF email message is previewed or opened in Outlook while using Microsoft Word as the email viewer. An attacker could also exploit the vulnerability by sending a specially crafted RTF file as an attachment and convincing the user to open the specially crafted RTF file.
• Web-based: an attacker could host a website that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.
Impact of Attack• An attacker could gain the same user rights as the current user.• An attacker could cause arbitrary code to run with the privileges of the user who opens a specially crafted RTF
file or previews or opens a specially crafted RTF email message.
Mitigating Factors • An attacker would have no way to force users to visit a specially crafted website.
Additional Information• For Microsoft Office Word 2007 & 2010, in addition to security update package KB2760421, customers also need
to install the security update for Microsoft Office Compatibility Pack (KB2760416) to be protected from the vulnerability described in this bulletin.
Dial In Number 1-877-593-2001 Pin: 3959
MS12-080: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2784126)
CVE Severity
Exploitability
Comment NoteLatest
SoftwareOlder Versions
CVE-2012-3214 CVE-2012-3217
Critical 1 1 Remote Code Execution Publicly Disclosed
CVE-2012-4791 Important 3 3 Denial of Service Cooperatively Disclosed
Affected Products All supported editions of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010
Affected Components Oracle Outside in Libraries/WebReady Document Viewing
Deployment Priority 2
Main Target Exchange Server Systems
Possible Attack Vector
• An attacker with a valid email account on the Exchange server could create a specially crafted RSS feed that is designed to exploit this vulnerability and then subscribe to the RSS feed. (CVE-2012-4791)
• An attacker could send an email message containing a specially crafted file to a user on an affected version of Exchange. When the user previews the specially crafted file in the browser, arbitrary code could be run on the Exchange server. (CVE-2012-3214, CVE-2012-3217)
Impact of Attack
• An attacker could cause the Information Store service on the affected system to become unresponsive until the process is forcibly terminated. (CVE-2012-4791)
• An attacker could run arbitrary code as LocalService on the affected Exchange server. (CVE-2012-3214, CVE-2012-3217)
Mitigating Factors
• An attacker must have a valid email account on the affected Exchange server and be able to create RSS feeds to exploit this vulnerability. (CVE-2012-4791)
• The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network. (CVE-2012-3214, CVE-2012-3217)
Additional Information• This issue was previously described in KB #2786772. (CVE-2012-4791)• CVE-2012-3214 and CVE-2012-3217 discussed in the Oracle Critical Patch Update Advisory - October 2012 affect
Microsoft Exchange Server and are addressed by this update
Dial In Number 1-877-593-2001 Pin: 3959
MS12-081: Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2758857)
CVE Severity
Exploitability
Comment NoteLatest
SoftwareOlder
Versions
CVE-2012-4774 Critical NA 1 Remote Code Execution Cooperatively Disclosed
Affected Products All supported editions of Windows XP, Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2
Affected Components Windows File Handling
Deployment Priority 2
Main Target Workstations
Possible Attack Vectors
• Network: an attacker could host a file with a specially crafted filename on a network share, a UNC, or WebDAV location and then convince the user to browse to the file.
• Email: an attacker could send a specially crafted file or subfolder as an attachment that is designed to exploit this vulnerability.
• Web-based: an attacker would have to host a website that contains a file with a specially crafted name.
Impact of Attack • An attacker could gain the same user rights as the current user.
Mitigating Factors• The vulnerability cannot be exploited automatically through email.• An attacker cannot force a user to open an attachment that is sent in an email message.
Additional Information• Installations using Server Core are affected (except Windows Server 2012).• This bulletin deprecates Security Advisory 2269637.
Dial In Number 1-877-593-2001 Pin: 3959
MS12-082: Vulnerability in DirectPlay Could Allow Remote Code Execution (2770660)
CVE Severity
Exploitability
Comment NoteLatest
SoftwareOlder
Versions
CVE-2012-1537 Important 3 2 Remote Code Execution Cooperatively Disclosed
Affected Products All supported versions of Windows Client (except Windows RT) and Windows Server
Affected Components DirectX
Deployment Priority 2
Main Target Workstations
Possible Attack Vectors• An attacker could send a specially crafted Office document with embedded content to the user
that is designed to exploit this vulnerability.
Impact of Attack • An attacker could run arbitrary code as the current user.
Mitigating Factors
• An attacker cannot force a user to open an attachment that is sent in an email message.• By default, the DirectPlay ActiveX control is not included in the default allow-list for ActiveX
controls in Internet Explorer. Only customers who have explicitly approved this control by using the ActiveX opt-in feature are at risk from attempts to exploit this vulnerability.
Additional Information • Installations using Server Core are not affected.
Dial In Number 1-877-593-2001 Pin: 3959
MS12-083: Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass (2765809)
CVE Severity
Exploitability
Comment NoteLatest
SoftwareOlder
Versions
CVE-2012-2549 Important NA NA Security Bypass Cooperatively Disclosed
Affected Products All supported editions of Windows Server 2008 R2 and Windows Server 2012
Affected Components IP-HTTPS
Deployment Priority 3
Main Target Servers
Possible Attack Vectors• This could allow security feature bypass if an attacker presents a revoked certificate to an IP-
HTTPS server commonly used in Microsoft DirectAccess deployments.
Impact of Attack • An attacker could bypass a security feature that relies on the validity of certificates.
Mitigating Factors• An attacker must possess a certificate issued from the domain.• Logging on to a system inside the organization would still require system or domain
credentials.
Additional Information • Installations using Server Core are affected.
Dial In Number 1-877-593-2001 Pin: 3959
• Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10– One December 11, 2012, Microsoft revised a security advisory to announce the
availability of a new Adobe Flash update.
• Microsoft Security Advisory (2749655): Compatibility Issues Affecting Signed Microsoft Binaries– Non-security update to address an issue with certificate timestamps.– This could cause compatibility problems with certain programs.– Added the KB2687627 and KB2687499 updates described in MS12-043, the
KB2687501 and KB2687510 updates described in MS12-057, and the KB2726929 update described in MS12-060 to the list of available rereleases.
Microsoft Security Advisories
Dial In Number 1-877-593-2001 Pin: 3959
• The following updates are being re-released to address an issue involving specific digital certificates that were generated by Microsoft without proper timestamp attributes: – MS12-043: Vulnerability in Microsoft XML Core Services
Could Allow Remote Code Execution (2722479)
– MS12-057: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879)
– MS12-059: Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2733918)
– MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)
December Security Bulletin Re-releases
Dial In Number 1-877-593-2001 Pin: 3959
• MS12-050: Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502) Re-release– Rereleased this bulletin to announce availability of an update
for Microsoft Windows SharePoint Services 2.0. No other update packages are affected by this rerelease.
December Security Bulletin Re-releases Cont…
Dial In Number 1-877-593-2001 Pin: 3959
Detection & Deployment
Bulletin Windows Update Microsoft Update MBSA WSUS 3.0 SMS 2003 with ITMU
Configuration Manager
MS12-077IE Yes Yes Yes1,3 Yes3 Yes3 Yes3
MS12-078Kernel Yes Yes Yes1,3 Yes3 Yes3 Yes3
MS12-079Word No Yes 2 Yes 2 Yes 2 Yes 2 Yes 2
MS12-080Exchange No Yes Yes Yes Yes Yes
MS12-081Windows File
HandlingYes Yes Yes Yes Yes Yes
MS12-082DirectPlay Yes Yes Yes1 Yes Yes Yes
MS12-083IP-HTTPS Yes Yes Yes1 Yes Yes Yes
1. The MBSA does not support detection on Windows 8, Windows RT, and Windows Server 20122. Yes, but detection only applies to single-server SharePoint deployments, and the detection tools do not support systems configured as part of a multiple-system
SharePoint server farm.3. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store
Dial In Number 1-877-593-2001 Pin: 3959
Other Update Information
Bulletin Restart Uninstall Replaces
MS12-077IE Yes Yes MS12-063, MS12-071
MS12-078Kernel Yes Yes MS11-032, MS12-075
MS12-079Word Maybe Yes1
MS12-064
MS12-080Exchange Maybe Yes MS12-058
MS12-081Windows File
HandlingYes Yes MS07-035, MS11-063
MS12-082DirectPlay Maybe Yes None
MS12-083IP-HTTPS Yes Yes None
1. Uninstall is not supported in all editions of SharePoint Server 2010 and all versions of Web Apps 2010
Dial In Number 1-877-593-2001 Pin: 3959
Windows Malicious Software Removal Tool (MSRT)
During this release Microsoft will increase detection capability for the following families in the MSRT:
• Win32/Phdet: A family of backdoor trojans that is used to perform Distributed Denial of Service attacks against specified targets.
December MSRT will be distributed to Windows 8, x86 and amd64.
Available as a priority update through Windows Update or Microsoft Update.
Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.
Dial In Number 1-877-593-2001 Pin: 3959
ResourcesBlogs• Microsoft Security Response Center (MSRC) blog:
www.blogs.technet.com/msrc • Security Research & Defense blog:
http://blogs.technet.com/srd • Microsoft Malware Protection Center Blog:
http://blogs.technet.com/mmpc/
Twitter• @MSFTSecResponse
Security Centers• Microsoft Security Home Page:
www.microsoft.com/security • TechNet Security Center:
www.microsoft.com/technet/security• MSDN Security Developer Center:
http://msdn.microsoft.com/en-us/security/default.aspx
Bulletins, Advisories, Notifications & Newsletters• Security Bulletins Summary:
www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search:www.microsoft.com/technet/security/current.aspx
• Security Advisories:www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications:www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter:www.microsoft.com/technet/security/secnews
Other Resources• Update Management Process
http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx
Dial In Number 1-877-593-2001 Pin: 3959
Questions and Answers• Submit text questions using the “Ask” button. • Don’t forget to fill out the survey.• A recording of this webcast will be available within 48 hours on the
MSRC Blog:http://blogs.technet.com/msrc
• Register for next month’s webcast at:http://microsoft.com/technet/security/current.aspx
Dial In Number 1-877-593-2001 Pin: 3959
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.