Date post: | 23-Dec-2015 |
Category: |
Documents |
Upload: | carmel-taylor |
View: | 214 times |
Download: | 0 times |
Dial In Number 1-800-227-8104 Pin: 3879
Information About Microsoft May 2012 Security Bulletins
Dustin ChildsSr. Security Program ManagerMicrosoft Corporation
Pete VossSr. Response Communications ManagerMicrosoft Corporation
Dial In Number 1-800-227-8104 Pin: 3879
Live Video Stream
• To receive our video stream in LiveMeeting:– Click on Voice & Video– Click the drop down next to the camera icon
– Select Show Main Video
Dial In Number 1-800-227-8104 Pin: 3879
What We Will Cover
• Review of May 2012 Bulletin Release Information– New Security Bulletins– Security Advisory 2695962– Microsoft® Windows® Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now– Submit Questions via Twitter #MSFTSecWebcast
Dial In Number 1-800-227-8104 Pin: 3879
Severity and Exploitability Index
Exploitabili
ty Index
1
RISK2
3
DP 1 2 2 3 3 1 2
Severity
Critical
IMPACT
Important
Moderate
Low
MS12-029 MS12-030 MS12-031 MS12-032 MS12-033 MS12-034 MS12-035
Off
ice
Off
ice
Vis
io
Win
do
ws
Win
do
ws
Off
ice
, W
ind
ow
s,
.NE
T, S
ilv
erl
igh
t
.NE
T
Dial In Number 1-800-227-8104 Pin: 3879
Bulletin Deployment Priority
Bulletin KB Disclosure Aggregate Severity
Exploit Index
MaxImpact
Deployment Priority Notes
MS12-034GDI+/TTF
2681578 Public Critical 1 RCE 1 All updates are required for each affected product.
MS12-029Word
2680352 Private Critical 1 RCE 1 Does not affect Office 2010.
MS12-035NETFX
2693777 Private Critical 1 RCE 2 Both MS12-035 and MS12-034 required for NETFX.
MS12-030Office
2663830 Public Important 1 RCE 2 Multiple updates per product may be required.
MS12-031Visio
2597981 Private Important 1 RCE 2 Users should not open attachments from untrusted sources.
MS12-033Partition Mgr.
2690533 Private Important 1 EoP 3 Requires local system access.
MS12-032TCP/IP
2688338 Public Important 1 EoP 3 Elevation of privilege requires local system access.
Dial In Number 1-800-227-8104 Pin: 3879
MS12-029: Vulnerability In Microsoft Word Could Allow Remote Code Execution (2680352)
CVE SeverityExploitability
Comment NoteLatest Software Older Versions
CVE-2012-0183 Critical N/A 1 Remote Code Execution Cooperatively Disclosed
Affected Products Office 2007 SP2, SP3Office 2003 SP3, Office 2008 For Mac, Office For Mac 2011, Office Compatibility Pack SP2, Office Compatibility Pack SP3
Affected Components Microsoft Word
Deployment Priority 1
Main Target Workstations
Possible Attack Vectors
• Web-Browsing Scenario: An attacker could host a website that contains an RTF file that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.
• Email Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an email attachment, and convince the user to open the attachment.
Impact of Attack• An attacker who successfully exploited this vulnerability could cause arbitrary code to run with the
privileges of the user who opens a specially crafted RTF file or previews or opens a specially crafted RTF email message.
Mitigating Factors• An attacker would have no way to force a user to visit a malicious website.
Additional Information
• For Microsoft Word 2007, in addition to security update package KB2596917, customers also need to install the security update for Microsoft Office Compatibility Pack (KB2596880) to be protected from the vulnerability described in this bulletin.
• Workarounds: • Read email in plain text (for more, consult KB831607).• Use Office File Block Policy to block the opening of RTF documents from unknown or untrusted
sources or locations.
Dial In Number 1-800-227-8104 Pin: 3879
MS12-030: Vulnerabilities In Microsoft Office Could Allow Remote Code Execution (2663830)
CVE SeverityExploitability
Comment NoteLatest Software Older Versions
CVE-2012-0141 Important 3 3 Remote Code Execution Cooperatively Disclosed
CVE-2012-0142 Important 3 3 Remote Code Execution Cooperatively Disclosed
CVE-2012-0143 Important N/A 1 Remote Code Execution Publicly Disclosed
CVE-2012-0184 Important 3 1 Remote Code Execution Cooperatively Disclosed
CVE-2012-0185 Important 2 2 Remote Code Execution Cooperatively Disclosed
CVE-2012-1847 Important 1 1 Remote Code Execution Cooperatively Disclosed
Affected ProductsMicrosoft Office 2010 SP1, Office 2010, Office 2007 SP3, Office 2007 SP2, Office 2003 SP3, Office 2008 for Mac, Office for Mac 2011, Microsoft Excel Viewer, Office Compatibility Pack SP2 and SP3
Affected Components Microsoft Excel
Deployment Priority 2
Main Target Workstations
Possible Attack Vectors
• Web-Browsing Scenario: An attacker could host a website that contains a specially crafted Excel file that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.
• Email Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an email attachment, and convince the user to open the attachment.
Impact of Attack • An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.
Mitigating Factors• An attacker would have no way to force users to visit a website or open an email attachment.• The vulnerability cannot be exploited automatically through email. For an attack to be successful a user must open an attachment
that is sent in an email message.
Additional Information
• For Microsoft Excel 2007, in addition to security update package KB2597161, customers also need to install the security update for the Microsoft Office Compatibility Pack (KB2597162).
• Microsoft Excel Viewer must be updated to a supported service pack level (Excel Viewer 2007 Service Pack 2 or Excel Viewer 2007 Service Pack 3) before installing this update.
Dial In Number 1-800-227-8104 Pin: 3879
MS12-031: Vulnerability In Microsoft Visio Viewer Could Allow Remote Code Execution (2597981)
CVE SeverityExploitability
Comment NoteLatest Software Older Versions
CVE-2012-0018 Important 1 N/A Remote Code Execution Cooperatively Disclosed
Affected Products All supported versions of Microsoft Visio Viewer 2010
Affected Components Visio Viewer
Deployment Priority 2
Main Target Workstations
Possible Attack Vectors
• Web-Browsing Scenario: An attacker could host a website that contains a Visio file that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.
• Email Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an email attachment, and convince the user to open the attachment.
Impact of Attack• An attacker who successfully exploited this vulnerability could run arbitrary code in the context
of the current user.
Mitigating Factors
• An attacker would have no way to force users to visit a website or open an email attachment.• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows
Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and
Windows Mail open HTML email messages in the Restricted Sites Zone.
Dial In Number 1-800-227-8104 Pin: 3879
MS12-032: Vulnerability In TCP/IP Could Allow Elevation of Privilege (2688338)
CVE SeverityExploitability
Comment NoteLatest Software Older Versions
CVE-2012-0174 Important N/A N/A Security Bypass Cooperatively Disclosed
CVE-2012-0179 Important 1 N/A Elevation of Privilege Publicly Disclosed
Affected Products All supported versions of Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2
Affected Components Windows Firewall, TCP/IP
Deployment Priority 3
Main Target Workstations and Servers
Possible Attack Vectors
• CVE-2012-0174: • In order to use this vulnerability, an attacker would first have to gain access to the local subnet of the target
computer. An attacker could then use another vulnerability to acquire information about the target system or execute code on the target system.
• CVE-2012-0179:• To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a
specially crafted application that could exploit the vulnerability and take complete control over the affected system.
Impact of Attack
• CVE-2012-0174: • An attacker who successfully exploited this vulnerability could bypass Windows Firewall.
• CVE-2012-0179: • An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another
process.
Mitigating Factors
• CVE-2012-0174: • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
• CVE-2012-0179:• Microsoft has not identified any mitigating factors for this vulnerability.
Dial In Number 1-800-227-8104 Pin: 3879
MS12-033: Vulnerability In Windows Partition Manager Could Allow Elevation of Privilege (2690533)
CVE SeverityExploitability
Comment NoteLatest Software Older Versions
CVE-2012-0178 Important 1 1 Elevation of Privilege Cooperatively Disclosed
Affected Products All supported versions of Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2
Affected Components Windows Partition Manager
Deployment Priority 3
Main Target Workstations and Servers
Possible Attack Vectors• To exploit this vulnerability, an attacker would first have to log on to the system. Then, an attacker
could run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.
Impact of Attack• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and
take complete control of an affected system.
Mitigating Factors• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Additional Information• Installations using Server Core are affected.
Dial In Number 1-800-227-8104 Pin: 3879
MS12-034: Combined Security Update For Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)Slide 1 of 3
CVE SeverityExploitability
Comment NoteLatest Software Older Versions
CVE-2011-3402 Critical 1 1 Remote Code Execution Publicly Disclosed
CVE-2012-0159 Critical 1 1 Remote Code Execution Cooperatively Disclosed
CVE-2012-0162 Critical 1 N/A Remote Code Execution Cooperatively Disclosed
CVE-2012-0164 Moderate N/A N/A Denial of Service Publicly Disclosed
CVE-2012-0165 Important 2 1 Remote Code Execution Cooperatively Disclosed
CVE-2012-0167 Important N/A 1 Remote Code Execution Cooperatively Disclosed
CVE-2012-0176 Critical N/A 1 Remote Code Execution Cooperatively Disclosed
CVE-2012-0180 Important 1 1 Elevation of Privilege Cooperatively Disclosed
CVE-2012-0181 Important 3 1 Elevation of Privilege Publicly Disclosed
CVE-2012-1848 Important 1 1 Elevation of Privilege Cooperatively Disclosed
Affected Products and Components
All supported versions of Windows and Windows Server, All supported versions of .NET 3, .NET 3.5.1, and .NET 4; Microsoft Silverlight 4, Microsoft Silverlight 5
All supported versions of Office (except Compatibility Pack SP2 and SP3, and Office For Mac)
.NET Framework
Deployment Priority 1
Main Target Workstations and Servers
Dial In Number 1-800-227-8104 Pin: 3879
Affected Products and Components
All supported versions of Windows and Windows Server; All supported versions of .NET 3, .NET 3.5.1, and .NET 4; Microsoft Silverlight 4, Microsoft Silverlight 5
All supported versions of Office (except Compatibility SP2 and SP3, and Office For Mac)
.NET Framework
Possible Attack Vectors
• CVE-2011-3402, CVE-2012-0159, CVE-2012-0165:• File Sharing Scenario: An attacker could exploit this vulnerability by convincing a user to open a specially
crafted document file or malicious image on a file or network share.
• CVE-2011-3402, CVE-2012-0159, CVE-2012-0162, CVE-2012-0165, CVE-2012-0176, CVE-2012-0167:• Web-Browsing Scenario: An attacker could host a website that contains a webpage that is used to exploit this
vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability. In the case of CVE-2012-0167, a webpage would have to host a specially crafted Office document.
• CVE-2012-0159, CVE-2012-0180, CVE-2012-0181, CVE-2012-1848:• Local Attack Scenario: To exploit this vulnerability, an attacker would first have to log on to the system. Then, an
attacker could run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.
• CVE-2012-0164:• An unauthenticated attacker could send a small number of specially crafted requests to an affected site.
• CVE-2012-0165, CVE-2012-0167:• Email Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an
email attachment, and convince the user to open the attachment.
CVE-2011-3402RCE
CVE-2012-0159RCE
CVE-2012-0162RCE
CVE-2012-0164DoS
CVE-2012-0165RCE
CVE-2012-0167RCE
CVE-2012-0176RCE
CVE-2012-0180EoP
CVE-2012-0181EoP
CVE-2012-1848EoP
MS12-034: Combined Security Update For Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)Slide 2 of 3
Dial In Number 1-800-227-8104 Pin: 3879
Affected Products and Components
All supported versions of Windows and Windows Server, All supported versions of .NET 3, .NET 3.5.1, and .NET 4; Microsoft Silverlight 4, Microsoft Silverlight 5
All supported versions of Office (except Compatibility SP2 and SP3, and Office For Mac)
.NET Framework
Impact of Attack
• CVE-2011-3402, CVE-2012-0159, CVE-2012-0162, CVE-2012-0165, CVE-2012-0167, CVE-2012-0176:• An attacker successfully exploiting this issue could gain the same user rights as a logged-on user.
• CVE-2012-0159:• An attacker who successfully exploited this vulnerability could run arbitrary code in Kernel mode and take complete control of an affected
system.
• CVE-2012-0181, CVE-2012-1848:• An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process.
• CVE-2012-0164:• An attacker could cause applications created using WPF APIs that are running on a user's system to stop responding until manually
restarted.
Mitigating Factors
• CVE-2011-3402, CVE-2012-0159, CVE-2012-0162, CVE-2012-0165, CVE-2012-0167, CVE-2012-0176:• An attacker would have no way to force users to visit a website or open an email attachment.
• CVE-2011-3402, CVE-2012-0159:• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the
Restricted Sites Zone.
• CVE-2012-0162, CVE-2012-0176, CVE-2012-1848:• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is
known as Enhanced Security Configuration.
• CVE-2012-0180, CVE-2012-0181:• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
• CVE-2012-0162:• On systems where MS11-044 has been applied, users will be prompted before XBAP applications will execute when in the Internet Zone of
Internet Explorer. A user must click through this prompt in order to run the XBAP application on their system.
• CVE-2012-0164:• Microsoft has not identified any mitigating factors for this vulnerability.
CVE-2011-3402RCE
CVE-2012-0159RCE
CVE-2012-0162RCE
CVE-2012-0164DoS
CVE-2012-0165RCE
CVE-2012-0167RCE
CVE-2012-0176RCE
CVE-2012-0180EoP
CVE-2012-0181EoP
CVE-2012-1848EoP
MS12-034: Combined Security Update For Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)Slide 3 of 3
Dial In Number 1-800-227-8104 Pin: 3879
MS12-035: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)
CVE SeverityExploitability
Comment NoteLatest Software Older Versions
CVE-2012-0160 Critical 1 1 Remote Code Execution Cooperatively Disclosed
CVE-2012-0161 Critical 1 1 Remote Code Execution Cooperatively Disclosed
Affected Products All supported versions of .NET Framework on all supported versions of Windows and Windows Server
Affected Components .NET Framework
Deployment Priority 2
Main Target Workstations and Servers
Possible Attack Vectors
• Web-Browsing Scenario: An attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.
• This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
Impact of Attack • An attacker successfully exploiting this issue could gain the same user rights as a logged-on user.
Mitigating Factors
• An attacker would have no way to force users to visit a website.• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a
restricted mode that is known as Enhanced Security Configuration.• Standard .NET Framework applications are not affected by this vulnerability. Only specially crafted .NET Framework
applications could exploit this vulnerability. (CVE-2012-0160)
Additional Information • .NET Framework 4 and .NET Framework 4 Client Profile Affected
Dial In Number 1-800-227-8104 Pin: 3879
Security Advisory 2695962 – Remote Code ExecutionUpdate Rollup For Active X Kill Bits• This update sets the kill bits for the following third-party software:
Cisco Clientless VPN solution.– Installing this update will block the vulnerable control from running in Internet
Explorer.– For more information regarding security issues in the Cisco Clientless VPN
solution ActiveX control, please see the Cisco Security Advisory, Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability.
• This advisory affects all supported versions of Windows.
Dial In Number 1-800-227-8104 Pin: 3879
Detection & Deployment
Bulletin Windows Update Microsoft Update MBSA WSUS 3.0 SMS 2003 with ITMU SCCM 2007
MS12-029Word
No Yes* Yes* Yes* Yes* Yes*
MS12-030Office No Yes Yes* Yes* Yes* Yes*
MS12-031Visio No Yes Yes Yes Yes Yes
MS12-032TCP/IP Yes Yes Yes Yes Yes Yes
MS12-033Partition Mgr.
Yes Yes Yes Yes Yes Yes
MS12-034GDI+/TTF
Yes Yes** Yes Yes Yes Yes**
MS12-035NETFX
Yes Yes Yes Yes Yes Yes
*Except in Microsoft Office 2008 for Mac and Microsoft Office for Mac 2011**Except Silverlight 4 installed on Mac OS
Dial In Number 1-800-227-8104 Pin: 3879
Other Update Information
Bulletin Restart Uninstall Replaces
MS12-029Word
Maybe Yes MS11-089, MS11-094
MS12-030Office Maybe Yes MS11-072, MS11-089,
MS11-096
MS12-031Visio Maybe Yes MS12-015
MS12-032TCP/IP Yes Yes MS11-083
MS12-033Partition Mgr.
Yes Yes None
MS12-034GDI+/TTF
Yes No MS10-087, MS12-018
MS12-035NETFX
No YesMS11-028, MS11-044,MS11-078, MS11-100,
MS12-016
Dial In Number 1-800-227-8104 Pin: 3879
Windows Malicious Software Removal Tool (MSRT)
• During this release Microsoft will increase detection capability for the following families in the MSRT:– Win32/Unruy: A trojan that is capable of connecting to certain remote servers to download and
execute arbitrary files. It can also delete files, schedule tasks, and perform other actions. Depending on the computer's Internet Explorer settings, may also disable third-party browser extensions and BHOs from running.
– Win32/Dishigy: A trojan that captures keystrokes and steals login credentials through a method known as "form grabbing". It sends captured data to a remote attacker and is capable of downloading additional malicious components.
• For the first time, Microsoft is releasing MSRT to Windows 8 machines.
• Available as a priority update through Windows Update or Microsoft Update.
• Is offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.
Dial In Number 1-800-227-8104 Pin: 3879
ResourcesBlogs• Microsoft Security Response Center (MSRC) blog:
www.blogs.technet.com/msrc • Security Research & Defense blog:
http://blogs.technet.com/srd • Microsoft Malware Protection Center Blog:
http://blogs.technet.com/mmpc/
Twitter• @MSFTSecResponse
Security Centers• Microsoft Security Home Page:
www.microsoft.com/security • TechNet Security Center:
www.microsoft.com/technet/security• MSDN Security Developer Center:
http://msdn.microsoft.com/en-us/security/default.aspx
Bulletins, Advisories, Notifications & Newsletters• Security Bulletins Summary:
www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search:www.microsoft.com/technet/security/current.aspx
• Security Advisories:www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications:www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter:www.microsoft.com/technet/security/secnews
Other Resources• Update Management Process
http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx
Dial In Number 1-800-227-8104 Pin: 3879
Questions and Answers• Submit text questions using the “Ask” button. • Don’t forget to fill out the survey.• A recording of this webcast will be available within 48 hours on the
MSRC Blog:http://blogs.technet.com/msrc
• Register for next month’s webcast at:http://microsoft.com/technet/security/current.aspx
Dial In Number 1-800-227-8104 Pin: 3879
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.