Dial In Number 1-877-593-2001 Pin: 3959 Information About Microsoft December 2012 Security Bulletins Jonathan Ness Security Development Manager Microsoft Corporation Dustin Childs Group Manager, Response Communications Microsoft Corporation


Page 1:

Dial In Number 1-877-593-2001 Pin: 3959

Information About Microsoft December 2012 Security Bulletins

Jonathan Ness, Security Development Manager, Microsoft Corporation

Dustin Childs, Group Manager, Response Communications, Microsoft Corporation

Page 2: Live Video Stream

• To receive our video stream in LiveMeeting:
– Click on Voice & Video
– Click the drop down next to the camera icon
– Select Show Main Video

Page 3: What We Will Cover

• Review of December 2012 Bulletin Release Information
– Seven security bulletins
– Two updated security advisories
– Five security bulletin re-releases
– Microsoft® Windows® Malicious Software Removal Tool

• Resources

• Questions and Answers: Please Submit Now
– Submit questions via Twitter #MSFTSecWebcast

Page 4: Severity and Exploitability Index

[Chart: each bulletin plotted by Severity (Critical, Important, Moderate, Low) against Exploitability Index (1, 2, 3). Bulletins shown: MS12-077 (Internet Explorer), MS12-078 (Kernel), MS12-079 (Word), MS12-080 (Exchange), MS12-081 (Windows File Handling), MS12-082 (DirectPlay) and MS12-083 (IP-HTTPS), with deployment priorities (DP) of 1, 2, 1, 2, 2, 2 and 3 respectively. The same values are tabulated on the next slide.]

Page 5: Bulletin Deployment Priority

Bulletin | Component | KB | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority | Notes
MS12-077 | Internet Explorer | 2761465 | Private | Critical | 1 | RCE | 1 | All versions of Internet Explorer are affected.
MS12-079 | Word | 2780642 | Private | Critical | 1 | RCE | 1 | Microsoft Office Word 2007 and 2010 customers also need to install the Compatibility Pack update (KB2760416) to be protected from the vulnerability.
MS12-081 | Windows File Handling | 2758857 | Private | Critical | 1 | RCE | 2 | Windows 8, Windows RT and Server 2012 are not affected.
MS12-078 | Kernel | 2783534 | Public | Critical | 1 | RCE | 2 | Windows 8, Server 2012 and Windows RT are affected.
MS12-080 | Exchange | 2784126 | Public | Critical | 1 | RCE | 2 | Release ensures customers using this third-party code in Microsoft Exchange are protected from these vulnerabilities.
MS12-082 | DirectPlay | 2770660 | Private | Important | 2 | RCE | 2 | Windows RT is not affected.
MS12-083 | IP-HTTPS | 2765809 | Private | Important | NA | Security Bypass | 3 | Security bypass on Windows Server 2008 R2 and 2012.

Page 6: MS12-077: Cumulative Security Update for Internet Explorer (2761465)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Impact | Disclosure
CVE-2012-4781 | Critical | NA / 2 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-4782 | Critical | NA / 2 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-4787 | Critical | 1 / 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products
• Internet Explorer 9 and 10 on all supported versions of Windows Vista, Windows 7 and 8, and Windows RT
• Internet Explorer 9 and 10 on all supported versions of Windows Server 2008, 2008 R2 and 2012
• Internet Explorer 6, 7 and 8 on all supported versions of Windows XP, Vista, Windows 7, Windows Server 2003, 2008 and 2008 R2

Affected Components: Internet Explorer

Deployment Priority: 1

Main Target: Workstations

Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (All CVEs)
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. (All CVEs)
• An attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. (CVE-2012-4787)

Impact of Attack
• An attacker could gain the same user rights as the current user. (All CVEs)

Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. (All CVEs)
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. (All CVEs)

Additional Information
• Installations using Server Core are not affected.

Page 7: MS12-078: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2783534)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Impact | Disclosure
CVE-2012-2556 | Critical | 1 / 1 | Remote Code Execution | Publicly Disclosed
CVE-2012-4786 | Critical | 1 / 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products
• All supported versions of Windows and Windows Server

Affected Components: Kernel-Mode Drivers

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vectors
• Web-based: an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website.
• File sharing: an attacker could provide a specially crafted document file that is designed to exploit this vulnerability.
• Local: an attacker could also exploit this vulnerability by running a specially crafted application to take complete control over the affected system.

Impact of Attack
• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Mitigating Factors
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone.
• An attacker cannot force a user to visit a malicious website.

Additional Information
• Installations using Server Core are affected.

Page 8: MS12-079: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2780642)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Impact | Disclosure
CVE-2012-2539 | Critical | NA / 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products
• All supported editions of Microsoft Word 2007 and Microsoft Word 2010
• All supported editions of Microsoft Word 2003, and all supported versions of Microsoft Word Viewer, Microsoft Office Compatibility Pack, and Microsoft Office Web Apps

Affected Components: Microsoft Word, Word Automation Services

Deployment Priority: 1

Main Target: Workstations

Possible Attack Vectors
• This vulnerability requires that a user open or preview specially crafted RTF-formatted data with an affected version of Microsoft Office software.
• Email: an attacker could exploit the vulnerability by sending specially crafted RTF-formatted data in the contents of an email message. The vulnerability could be exploited when the specially crafted RTF email message is previewed or opened in Outlook while using Microsoft Word as the email viewer. An attacker could also exploit the vulnerability by sending a specially crafted RTF file as an attachment and convincing the user to open it.
• Web-based: an attacker could host a website that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.

Impact of Attack
• An attacker could gain the same user rights as the current user.
• An attacker could cause arbitrary code to run with the privileges of the user who opens a specially crafted RTF file or previews or opens a specially crafted RTF email message.

Mitigating Factors
• An attacker would have no way to force users to visit a specially crafted website.

Additional Information
• For Microsoft Office Word 2007 and 2010, in addition to security update package KB2760421, customers also need to install the security update for Microsoft Office Compatibility Pack (KB2760416) to be protected from the vulnerability described in this bulletin.

Page 9: MS12-080: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2784126)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Impact | Disclosure
CVE-2012-3214 | Critical | 1 / 1 | Remote Code Execution | Publicly Disclosed
CVE-2012-3217 | Critical | 1 / 1 | Remote Code Execution | Publicly Disclosed
CVE-2012-4791 | Important | 3 / 3 | Denial of Service | Cooperatively Disclosed

Affected Products
• All supported editions of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010

Affected Components: Oracle Outside In libraries (WebReady Document Viewing)

Deployment Priority: 2

Main Target: Exchange Server systems

Possible Attack Vectors
• An attacker with a valid email account on the Exchange server could create a specially crafted RSS feed that is designed to exploit this vulnerability and then subscribe to the RSS feed. (CVE-2012-4791)
• An attacker could send an email message containing a specially crafted file to a user on an affected version of Exchange. When the user previews the specially crafted file in the browser, arbitrary code could be run on the Exchange server. (CVE-2012-3214, CVE-2012-3217)

Impact of Attack
• An attacker could cause the Information Store service on the affected system to become unresponsive until the process is forcibly terminated. (CVE-2012-4791)
• An attacker could run arbitrary code as LocalService on the affected Exchange server. (CVE-2012-3214, CVE-2012-3217)

Mitigating Factors
• An attacker must have a valid email account on the affected Exchange server and be able to create RSS feeds to exploit this vulnerability. (CVE-2012-4791)
• The transcoding service in Exchange that is used for WebReady Document Viewing runs in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network. (CVE-2012-3214, CVE-2012-3217)

Additional Information
• This issue was previously described in KB 2786772. (CVE-2012-4791)
• CVE-2012-3214 and CVE-2012-3217, discussed in the Oracle Critical Patch Update Advisory - October 2012, affect Microsoft Exchange Server and are addressed by this update.

Page 10: MS12-081: Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2758857)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Impact | Disclosure
CVE-2012-4774 | Critical | NA / 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products
• All supported editions of Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2

Affected Components: Windows File Handling

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vectors
• Network: an attacker could host a file with a specially crafted filename on a network share, a UNC path, or a WebDAV location and then convince the user to browse to the file.
• Email: an attacker could send a specially crafted file or subfolder as an attachment that is designed to exploit this vulnerability.
• Web-based: an attacker would have to host a website that contains a file with a specially crafted name.

Impact of Attack
• An attacker could gain the same user rights as the current user.

Mitigating Factors
• The vulnerability cannot be exploited automatically through email.
• An attacker cannot force a user to open an attachment that is sent in an email message.

Additional Information
• Installations using Server Core are affected (except Windows Server 2012).
• This bulletin deprecates Security Advisory 2269637.

Page 11: MS12-082: Vulnerability in DirectPlay Could Allow Remote Code Execution (2770660)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Impact | Disclosure
CVE-2012-1537 | Important | 3 / 2 | Remote Code Execution | Cooperatively Disclosed

Affected Products
• All supported versions of Windows Client (except Windows RT) and Windows Server

Affected Components: DirectX

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vectors
• An attacker could send the user a specially crafted Office document with embedded content that is designed to exploit this vulnerability.

Impact of Attack
• An attacker could run arbitrary code as the current user.

Mitigating Factors
• An attacker cannot force a user to open an attachment that is sent in an email message.
• By default, the DirectPlay ActiveX control is not included in the default allow-list for ActiveX controls in Internet Explorer. Only customers who have explicitly approved this control by using the ActiveX opt-in feature are at risk from attempts to exploit this vulnerability.

Additional Information
• Installations using Server Core are not affected.

Page 12: MS12-083: Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass (2765809)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Impact | Disclosure
CVE-2012-2549 | Important | NA / NA | Security Bypass | Cooperatively Disclosed

Affected Products
• All supported editions of Windows Server 2008 R2 and Windows Server 2012

Affected Components: IP-HTTPS

Deployment Priority: 3

Main Target: Servers

Possible Attack Vectors
• Security feature bypass if an attacker presents a revoked certificate to an IP-HTTPS server, a component commonly used in Microsoft DirectAccess deployments.

Impact of Attack
• An attacker could bypass a security feature that relies on the validity of certificates.

Mitigating Factors
• An attacker must possess a certificate issued from the domain.
• Logging on to a system inside the organization would still require system or domain credentials.

Additional Information
• Installations using Server Core are affected.

Page 13: Microsoft Security Advisories

• Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
– On December 11, 2012, Microsoft revised the advisory to announce the availability of a new Adobe Flash update.

• Microsoft Security Advisory (2749655): Compatibility Issues Affecting Signed Microsoft Binaries
– Non-security update to address an issue with certificate timestamps.
– This could cause compatibility problems with certain programs.
– Added the KB2687627 and KB2687499 updates described in MS12-043, the KB2687501 and KB2687510 updates described in MS12-057, and the KB2726929 update described in MS12-060 to the list of available re-releases.

Page 14: December Security Bulletin Re-releases

• The following updates are being re-released to address an issue involving specific digital certificates that were generated by Microsoft without proper timestamp attributes:
– MS12-043: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2722479)
– MS12-057: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879)
– MS12-059: Vulnerability in Microsoft Visio Could Allow Remote Code Execution (2733918)
– MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573)

Page 15: December Security Bulletin Re-releases (cont.)

• MS12-050: Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2695502) Re-release
– Re-released this bulletin to announce availability of an update for Microsoft Windows SharePoint Services 2.0. No other update packages are affected by this re-release.

Page 16: Detection & Deployment

Bulletin | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | Configuration Manager
MS12-077 IE | Yes | Yes | Yes (1, 3) | Yes (3) | Yes (3) | Yes (3)
MS12-078 Kernel | Yes | Yes | Yes (1, 3) | Yes (3) | Yes (3) | Yes (3)
MS12-079 Word | No | Yes (2) | Yes (2) | Yes (2) | Yes (2) | Yes (2)
MS12-080 Exchange | No | Yes | Yes | Yes | Yes | Yes
MS12-081 Windows File Handling | Yes | Yes | Yes | Yes | Yes | Yes
MS12-082 DirectPlay | Yes | Yes | Yes (1) | Yes | Yes | Yes
MS12-083 IP-HTTPS | Yes | Yes | Yes (1) | Yes | Yes | Yes

1. MBSA does not support detection on Windows 8, Windows RT, and Windows Server 2012.
2. Yes, but detection only applies to single-server SharePoint deployments, and the detection tools do not support systems configured as part of a multiple-system SharePoint server farm.
3. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.
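A local check that follows from the Deployment Priority table (page 5) and the Detection & Deployment table above, useful on hosts the listed tools do not cover (footnote 1: MBSA cannot detect on Windows 8, Windows RT or Server 2012). This is an added example, not code from the webcast or from any Microsoft tool. It assumes that the Windows component updates (MS12-077, 078, 081, 082, 083) register as hotfixes visible to Get-HotFix, and that the Office and Exchange packages (MS12-079, MS12-080) do not, so those are looked up by KB number in the Uninstall registry keys instead. The KB numbers pre-filled in $Catalog are the bulletin article numbers from the deck, which are not always the number the installed package carries (the deck itself gives KB2760421 and KB2760416 as the MS12-079 packages while the bulletin article is 2780642), so each KBs entry should be replaced with the package numbers from that bulletin's Affected Software table before the result is relied on. $Catalog, Test-KBInstalled and Get-MissingBulletins are illustrative names.

```powershell
# Added example (not from the webcast): audit a Windows host for the
# December 2012 bulletin packages and list what is missing in the deck's
# deployment-priority order. $Catalog, Test-KBInstalled and
# Get-MissingBulletins are illustrative names. KB numbers are the bulletin
# article numbers from the Deployment Priority slide (MS12-079 lists its
# package KB2760421 plus the Compatibility Pack package KB2760416); replace
# each KBs entry with the package KB numbers from the bulletin's Affected
# Software table, since package and article numbers can differ.

$Catalog = @(
    @{ Bulletin = 'MS12-077'; Component = 'Internet Explorer';     Priority = 1; KBs = @('KB2761465');              Source = 'Hotfix'   },
    @{ Bulletin = 'MS12-079'; Component = 'Word';                  Priority = 1; KBs = @('KB2760421', 'KB2760416'); Source = 'Registry' },
    @{ Bulletin = 'MS12-081'; Component = 'Windows File Handling'; Priority = 2; KBs = @('KB2758857');              Source = 'Hotfix'   },
    @{ Bulletin = 'MS12-078'; Component = 'Kernel-Mode Drivers';   Priority = 2; KBs = @('KB2783534');              Source = 'Hotfix'   },
    @{ Bulletin = 'MS12-080'; Component = 'Exchange';              Priority = 2; KBs = @('KB2784126');              Source = 'Registry' },
    @{ Bulletin = 'MS12-082'; Component = 'DirectPlay';            Priority = 2; KBs = @('KB2770660');              Source = 'Hotfix'   },
    @{ Bulletin = 'MS12-083'; Component = 'IP-HTTPS';              Priority = 3; KBs = @('KB2765809');              Source = 'Hotfix'   }
)

# Uninstall keys where MSI-based Office and Exchange packages record
# themselves (assumption: their DisplayName carries "(KBnnnnnnn)").
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-KBInstalled {
    param(
        [Parameter(Mandatory)] [string] $KB,
        [ValidateSet('Hotfix', 'Registry')] [string] $Source = 'Hotfix'
    )
    if ($Source -eq 'Hotfix') {
        # Get-HotFix reads Win32_QuickFixEngineering: Windows component
        # updates show up here, Office/Exchange MSI patches generally do not.
        return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
    }
    # Registry path: match the KB number in parentheses in any DisplayName.
    $pattern = [regex]::Escape("($KB)")
    foreach ($key in $UninstallKeys) {
        $hit = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -match $pattern }
        if ($hit) { return $true }
    }
    return $false
}

function Get-MissingBulletins {
    param([object[]] $Entries = $Catalog)
    # Walk the catalog in deployment-priority order and emit one row per
    # bulletin that still has at least one package absent.
    foreach ($entry in ($Entries | Sort-Object { $_.Priority }, { $_.Bulletin })) {
        $missing = @($entry.KBs | Where-Object {
            -not (Test-KBInstalled -KB $_ -Source $entry.Source)
        })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                Priority  = $entry.Priority
                Bulletin  = $entry.Bulletin
                Component = $entry.Component
                MissingKB = ($missing -join ', ')
            }
        }
    }
}

# A fully patched host produces no rows.
Get-MissingBulletins | Format-Table -AutoSize
```

Two caveats when reading the output: a present hotfix entry proves the package was installed, not that the pending restart listed on the next slide has happened, so the vulnerable binary may still be loaded; and a bulletin that does not apply to the host (for example MS12-081 on Windows 8, or MS12-083 on a workstation) will show as missing unless the catalog is filtered by platform first.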

Page 17: Other Update Information

Bulletin | Restart | Uninstall | Replaces
MS12-077 IE | Yes | Yes | MS12-063, MS12-071
MS12-078 Kernel | Yes | Yes | MS11-032, MS12-075
MS12-079 Word | Maybe | Yes (1) | MS12-064
MS12-080 Exchange | Maybe | Yes | MS12-058
MS12-081 Windows File Handling | Yes | Yes | MS07-035, MS11-063
MS12-082 DirectPlay | Maybe | Yes | None
MS12-083 IP-HTTPS | Yes | Yes | None

1. Uninstall is not supported in all editions of SharePoint Server 2010 and all versions of Web Apps 2010.

Page 18: Windows Malicious Software Removal Tool (MSRT)

During this release Microsoft will increase detection capability for the following families in the MSRT:

• Win32/Phdet: A family of backdoor trojans that is used to perform Distributed Denial of Service attacks against specified targets.

December MSRT will be distributed to Windows 8, x86 and amd64.

Available as a priority update through Windows Update or Microsoft Update.

Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.

Page 19: Resources

Blogs
• Microsoft Security Response Center (MSRC) blog: www.blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center blog: http://blogs.technet.com/mmpc/

Twitter
• @MSFTSecResponse

Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx

Bulletins, Advisories, Notifications & Newsletters
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews

Other Resources
• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx

Page 20: Questions and Answers

• Submit text questions using the "Ask" button.
• Don't forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC Blog: http://blogs.technet.com/msrc
• Register for next month's webcast at: http://microsoft.com/technet/security/current.aspx

Page 21:

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.