Monthly Security Bulletin Briefing (September 2013)
CSS Security Worldwide Programs
• Teresa Ghiorzoe, Security Program Manager
• Daniel Mauser, Senior Technical Lead - LATAM CTS
Security Blog: http://blogs.technet.com/b/risco/
Twitter: LATAMSRC
Email: [email protected]
Agenda
• Other Security Resources
• Detection and Deployment Table
• Product Support Lifecycle Information
• Public Webcast Details
• Appendix
• Bulletin Resources
• Malicious Software Removal Tool Updates
• Non-security updates
• New Security Resources
• New Security Bulletins
New Security Bulletins: 13
Critical: 4 | Important: 9
Security Advisories: 1 Re-release
September 2013 Security Bulletins
Bulletin | Impact | Component | Severity | Priority | Exploit Index | Public
MS13-067 | Remote Code Execution | SharePoint | Critical | 1 | 1 | Yes
MS13-068 | Remote Code Execution | Outlook | Critical | 1 | 2 | No
MS13-069 | Remote Code Execution | Internet Explorer | Critical | 1 | 1 | No
MS13-070 | Remote Code Execution | OLE | Critical | 2 | 1 | No
MS13-071 | Remote Code Execution | Windows Theme | Important | 3 | 1 | No
MS13-072 | Remote Code Execution | Office | Important | 2 | 1 | No
MS13-073 | Remote Code Execution | Excel | Important | 2 | 3 | No
MS13-074 | Remote Code Execution | Access | Important | 3 | 1 | No
MS13-075 | Elevation of Privilege | IME | Important | 3 | 1 | No
MS13-076 | Elevation of Privilege | Kernel-Mode Driver | Important | 2 | 1 | No
MS13-077 | Elevation of Privilege | Service Control Manager | Important | 3 | 2 | No
MS13-078 | Information Disclosure | FrontPage | Important | 3 | 3 | No
MS13-079 | Denial of Service | Active Directory | Important | 2 | 3 | No
Exploitability Index: 1 - Exploit code likely | 2 - Exploit code difficult | 3 - Exploit code unlikely | NA - Not Affected | * - Not Rated
MS13-067: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)
Affected Software:
• SharePoint Portal Server 2003 SP3
• SharePoint Server 2007 SP3 (32-bit and 64-bit)
• SharePoint Server 2010 SP1 and 2
• SharePoint Server 2013
• SharePoint Foundation 2013
• Office Services and Web Apps
  Excel Services
  InfoPath Forms Services
  PerformancePoint Services
  Project Services
  Visio Services
  Word Automation Services
• Excel Web App 2010 SP 1 and 2
• Word Web App 2010 SP 1 and 2
Severity | Critical
Deployment Priority | 1
Update Replacement | MS12-050, MS12-066, MS13-030, MS13-035
More Information and / or Known Issues | Yes *
Restart Requirement | A restart may be required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
* After you install this update on all SharePoint servers, you must run the PSconfig tool to complete the installation
Vulnerability Details:
• Seven (7) remote code execution vulnerabilities* exist in the way that affected Microsoft Office software
parses specially crafted files that could allow an attacker to take complete control of an affected system.
• Two elevation of privilege vulnerabilities exist in SharePoint Server that could allow an attacker to perform
cross-site scripting attacks by submitting a specially crafted POST request to a SharePoint server.
• A denial of service vulnerability exists in SharePoint Server, which would cause the W3WP process to stop
responding until it is restarted if an attacker enters a specially crafted URL that is processed on the target
SharePoint site
* CVE-2013-3847, CVE-2013-3848, CVE-2013-3849, CVE-2013-3857, CVE-2013-3858
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-0081 | Important | Denial of Service | 3 | 3 | P | No | None | None
CVE-2013-1330 | Critical | Remote Code Execution | NA | 1 | P | No | None | None
CVE-2013-3179 | Important | Elevation of Privilege | 3 | 3 | NA | No | None | None
CVE-2013-3180 | Important | Elevation of Privilege | 3 | 3 | NA | Yes | None | None
CVE-2013-1315 | Important | Remote Code Execution | NA | 3 | NA | No | None | None
Multiple * | Critical | Remote Code Execution | NA | 1 | NA | No | None | None
Attack Vectors
• A specially crafted Office file
• A specially crafted POST request
to a SharePoint server
• A specially crafted URL that is
processed on the target
SharePoint site
Mitigations
• Users would have to be persuaded
to visit a malicious web site
• Exploitation only gains the same
rights as the logged on account
• Cannot be exploited automatically
through email because a user
must open an attachment that is
sent in an email message
For CVE-2013-0081, CVE-2013-1330,
CVE-2013-3179, CVE-2013-3180
• Microsoft has not identified any
mitigations for these
vulnerabilities
Workarounds
• Do not open Office files that
you receive from untrusted
sources or that you receive
unexpectedly from trusted
sources
For CVE-2013-0081, CVE-2013-
3179, CVE-2013-3180
• Microsoft has not identified
any workarounds for these
vulnerabilities
DoS Rating: T = Temporary (DoS ends when an attack ceases) | P = Permanent (Administrative action required to recover)
MS13-068: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)
Affected Software:
• Outlook 2007 SP3
• Outlook 2010 SP1 (32-bit & 64-bit editions)
• Outlook 2010 SP2 (32-bit & 64-bit editions)
Severity | Critical
Deployment Priority | 1
Update Replacement | MS10-064
More Information and / or Known Issues | None
Restart Requirement | A restart may be required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
If the component discussed in this bulletin was delivered with the version of the Office Suite installed on your system, the system will be offered updates for it whether the component is installed or not.
Vulnerability Details:
• A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted
S/MIME email messages. An attacker can exploit this vulnerability and take complete control of an affected
system if they can persuade a user to open or preview a specially crafted email message.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-3870 | Critical | Remote Code Execution | NA | 2 | NA | No | None | None
Attack Vectors
• A maliciously crafted email
message
Exploitation of this
vulnerability requires that a
user open or preview a
specially crafted email
message with an affected
version of Outlook
Mitigations
• Exploitation only gains the same
user rights as the logged on
account
Workarounds
• Microsoft has not identified
any workarounds for this
vulnerability
MS13-069: Cumulative Security Update for Internet Explorer (2870699)
Affected Software:
• IE 6 on Windows XP and Windows Server 2003
• IE 7 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008
• IE 8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
• IE 9 on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
• IE 10 on Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT
The Internet Explorer 11 Preview in Windows 8.1 Preview and Windows RT 8.1 Preview are both affected by this bulletin
Severity | Critical
Deployment Priority | 1
Update Replacement | MS13-059
More Information and / or Known Issues | None
Restart Requirement | A restart is required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes (1, 2) | Yes (2) | Yes (2) | Yes (2)
1. The MBSA 2.3 beta fully supports Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
2. Windows RT devices can only be serviced with Windows and Microsoft Update
Vulnerability Details:
• Ten * (10) remote code execution vulnerabilities exist when Internet Explorer improperly accesses an object
in memory. These vulnerabilities may corrupt memory in such a way that an attacker could execute
arbitrary code in the context of the current user and could allow an attacker to take complete control of an
affected system if a user views a specially crafted website or file
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
Multiple (a) | Critical | Remote Code Execution | NA (b) | 1 | NA | No | No | None
Attack Vectors
• A maliciously crafted Web page
• Compromised websites and
websites that accept or host
user-provided content or
advertisements
a. CVE-2013-3201 | CVE-2013-3202
CVE-2013-3203 | CVE-2013-3204
CVE-2013-3205 | CVE-2013-3206
CVE-2013-3207 | CVE-2013-3208
CVE-2013-3209 | CVE-2013-3845
b. XI Latest = IE 11 on Windows
8.1, Windows Server 2012 R2,
and Windows RT 8.1
Mitigations
• Users would have to be persuaded
to visit a malicious web site
• Exploitation only gains the same
user rights as the logged on
account
• By default, all Microsoft e-mail
clients open HTML e-mail
messages in the Restricted Sites
zone
• By default, IE runs in a restricted
mode for all Windows Servers
Workarounds
• Set IE security to High for
Internet and Intranet zones
• Configure IE to prompt before
running ActiveX and Active
Scripting
MS13-070: Vulnerability in OLE Could Allow Remote Code Execution (2876217)
Affected Software:
• Windows XP (all editions)
• Windows Server 2003 (all editions)
Severity | Critical
Deployment Priority | 2
Update Replacement | MS11-093
More Information and / or Known Issues | None
Restart Requirement | A restart may be required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
• For an attack to be successful by sending an email message a user must open an attachment that contains a specially crafted OLE object.
• Many different types of attached documents can contain the affected OLE objects, which includes all Office file types as well as many other third-party file types.
Vulnerability Details:
• A vulnerability exists in OLE that could lead to remote code execution that could allow an attacker to take
complete control of an affected system if a user can be persuaded to open a file that contains a specially
crafted OLE object
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-3863 | Critical | Remote Code Execution | NA | 1 | NA | No | None | None
Attack Vectors
• A maliciously crafted file that
contains a specially crafted OLE
object
All Office file types, and
many third-party file types,
can contain a malicious OLE
object
Common delivery
mechanisms: a maliciously
crafted webpage, an email
attachment, an instant
message, a peer-to-peer file
share, a network share,
and/or a USB thumb drive
Mitigations
• Exploitation only gains the same
user rights as the logged on
account
• The vulnerability cannot be
exploited automatically through
email, because a user must open
an attachment that is sent in an
email message
Workarounds
• Do not open Office files that
you receive from untrusted
sources or that you receive
unexpectedly from trusted
sources
MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)
Affected Software:
• Windows XP (all editions)
• Windows Server 2003 (all editions)
• Windows Vista (all editions)
• Windows Server 2008 (all editions)
Severity | Important
Deployment Priority | 3
Update Replacement | None
More Information and / or Known Issues | None
Restart Requirement | A restart may be required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
After applying this update, screen savers associated with custom themes, that were not delivered in-box, will no longer be automatically selected when a custom theme is applied
Vulnerability Details:
• A remote code execution vulnerability exists in the way Windows handles certain specially crafted Windows
theme and screensaver files. In an attack scenario, an attacker could convince a user to open a maliciously
crafted theme file containing a specially crafted screensaver that executes malicious code when the user
applies the Windows theme.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-0810 | Important | Remote Code Execution | NA | 1 | NA | No | None | None
Attack Vectors
• A maliciously crafted Windows
Theme file that contains a
specially crafted screensaver
Common delivery
mechanisms: a maliciously
crafted webpage, an email
attachment, an instant
message, a peer-to-peer file
share, a network share, and/or
a USB thumb drive
Mitigations
• In all cases, a user cannot be
forced to open the file or apply
the theme; for an attack to be
successful, a user must be
convinced to do so
Workarounds
• Do not open Windows Theme
files that you receive from
untrusted sources or that you
receive unexpectedly from
trusted sources
MS13-072: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)
Affected Software:
• Office 2003 SP3
• Word 2003 SP3
• Office 2007 SP3
• Word 2007 SP3
• Office 2010 SP 1 & 2 (32-bit & 64-bit editions)
• Word 2010 SP1 & 2 (32-bit & 64-bit editions)
• Office Compatibility Pack SP3
• Word Viewer
Severity | Important
Deployment Priority | 2
Update Replacement | MS11-089, MS12-057, MS12-079, MS13-043, MS13-051
More Information and / or Known Issues | Yes *
Restart Requirement | A restart may be required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
If the component discussed in this bulletin was delivered with the version of the Microsoft Office Suite installed on your system, the system will be offered updates for it whether the component is installed or not.
Vulnerability Details:
• Twelve (12) remote code execution vulnerabilities exist in the way that affected Microsoft Office software
parses specially crafted files. An attacker could take complete control of an affected system if they can
convince a user to open a specially crafted file in an affected version of Office software
• CVE-2013-3847, CVE-2013-3848, CVE-2013-3849, CVE-2013-3850, CVE-2013-3851, CVE-2013-3852
CVE-2013-3853, CVE-2013-3854, CVE-2013-3855, CVE-2013-3856, CVE-2013-3857, CVE-2013-3858
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
Multiple * | Critical | Remote Code Execution | NA | 1 | NA | No | None | None
CVE-2013-3160 | Important | Information Disclosure | NA | 3 | NA | No | None | None
Attack Vectors
• A maliciously crafted Office file
Common delivery
mechanisms: a maliciously
crafted Web page, an e-mail
attachment, an instant
message, a peer-to-peer file
share, a network share, and/or
a USB thumb drive
Mitigations
• The vulnerabilities cannot be
exploited automatically through
email because a user must open
an attachment that is sent in an
email message
• An attacker would have no way to
force users to visit a malicious or
compromised website, or to open
the specially crafted Office file
• An attacker can only gain the
same user rights as the logged on
user
Workarounds
• Install and configure MOICE to
be the registered handler for
.doc files.
• Use Microsoft Office File Block
policy to prevent the opening
of .doc and .dot binary files
• Do not open Office files that
you receive from untrusted
sources or that you receive
unexpectedly from trusted
sources
MS13-073: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)
Affected Software:
• Office 2003 SP3
  Excel 2003 SP3
• Office 2007 SP3
  Excel 2007 SP3
• Office 2010 SP1 & 2 (32-bit & 64-bit editions)
  Excel 2010 SP1 & 2 (32-bit & 64-bit editions)
• Office 2013 (32-bit & 64-bit editions)
  Excel 2013 (32-bit & 64-bit editions)
• Office 2013 RT
  Excel 2013 RT
• Office for Mac 2011
• Office Compatibility Pack SP3
• Excel Viewer
Severity | Important
Deployment Priority | 2
Update Replacement | MS13-012
More Information and / or Known Issues | Yes *
Restart Requirement | A restart may be required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
If the component discussed in this bulletin was delivered with the version of the Microsoft Office Suite installed on your system, the system will be offered updates for it whether the component is installed or not.
Vulnerability Details:
• Two (2) remote code execution vulnerabilities exist in the way that Excel parses content in Excel files. An
attacker could take complete control of an affected system if they can convince a user to open a specially
crafted Excel file.
• An information disclosure vulnerability exists in the way that Excel parses specially crafted XML files
containing external entities. The vulnerability is caused when Excel improperly handles XML external
entities that are resolved within other XML external entity declarations. An attacker could read data from
files on the target system.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-1315 | Important | Remote Code Execution | 3 | 3 | NA | No | None | None
CVE-2013-3158 | Important | Remote Code Execution | NA | 3 | NA | No | None | None
CVE-2013-3159 | Important | Information Disclosure | NA | 3 | NA | No | None | None
Attack Vectors
• A maliciously crafted Office
Excel file
Common delivery
mechanisms: a maliciously
crafted Web page, an e-mail
attachment, an instant
message, a peer-to-peer file
share, a network share,
and/or a USB thumb drive
Mitigations
• The vulnerabilities cannot be
exploited automatically through
email because a user must open
an attachment that is sent in an
email message
• An attacker would have no way to
force users to visit a malicious or
compromised website, or to open
the specially crafted Office files
• Exploitation only gains the same
user rights as the logged on
account
Workarounds
• Use Microsoft Office File Block
policy to prevent the opening
of Excel binary files
• Do not open Office files that
you receive from untrusted
sources or that you receive
unexpectedly from trusted
sources
MS13-074: Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637)
Affected Software:
• Access 2007 SP3
• Access 2010 SP1 & SP2 (32-bit & 64-bit editions)
• Access 2013 (32-bit & 64-bit editions)
Severity | Important
Deployment Priority | 3
Update Replacement | MS12-046
More Information and / or Known Issues | None
Restart Requirement | A restart may be required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
If the component discussed in this bulletin was delivered with the version of the Microsoft Office Suite installed on your system, the system will be offered updates for it whether the component is installed or not.
Vulnerability Details:
• Three (3) remote code execution vulnerabilities exist in the way that Access handles memory when opening
specially crafted Access files. An attacker could take complete control of an affected system by sending a
specially crafted Access file to the user and then convincing the user to open the file.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-3155 | Important | Remote Code Execution | 1 | 1 | NA | No | None | None
CVE-2013-3156 | Important | Remote Code Execution | 1 | 1 | NA | No | None | None
CVE-2013-3157 | Important | Remote Code Execution | 1 | 1 | NA | No | None | None
Attack Vectors
• A specially crafted Access file
Common delivery
mechanisms: a maliciously
crafted Web page, an e-mail
attachment, an instant
message, a peer-to-peer file
share, a network share, and/or
a USB thumb drive
Mitigations
• An attacker would have no way to
force users to visit a malicious or
compromised website
• An attacker can only gain the
same user rights as the logged on
user
Workarounds
• Do not open Office files that
you receive from untrusted
sources or that you receive
unexpectedly from trusted
sources
MS13-075: Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687)
Affected Software:
• Pinyin IME 2010 on Office 2010 SP1 (32-bit editions)
• Pinyin IME 2010 (64-bit version) on Office 2010 SP1 (64-bit editions)
Severity | Important
Deployment Priority | 3
Update Replacement | None
More Information and / or Known Issues | None
Restart Requirement | A restart may be required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
• Microsoft Pinyin IME 2010 is a Microsoft Pinyin (MSPY) Input Method Editor (IME) for Simplified Chinese.
• Microsoft Pinyin IME 2010 is installed with Chinese versions of Microsoft Office 2010 by default and is also available as an optional component in English and other language versions of Microsoft Office 2010.
Vulnerability Details:
• An elevation of privilege vulnerability exists in Office IME for Chinese that could allow a low-privilege user
to elevate their privileges. In an attack scenario, an authenticated attacker could use the IME toolbar to
launch Internet Explorer with system-level privileges. The attacker could then run a program with system-
level privileges.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-3155 | Important | Elevation of Privilege | NA | 1 | NA | No | None | None
Attack Vectors
• Malicious use of the IME
Toolbar
Mitigations
• An attacker must have valid logon
credentials and be able to log on
locally to exploit this vulnerability.
The vulnerability could not be
exploited remotely or by
anonymous users.
• Only implementations of
Microsoft Pinyin IME 2010 are
affected by this vulnerability.
Other versions of Simplified
Chinese IME and other
implementations of IME are not
affected.
Workarounds
• Microsoft has not identified
any workarounds for this
vulnerability
MS13-076: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315)
Affected Software:
• Windows XP (all supported editions)
• Windows Server 2003 (all supported editions)
• Windows Vista (all supported editions)
• Windows Server 2008 (all supported editions)
• Windows 7 (all supported editions)
• Windows Server 2008 R2 (all supported editions)
• Windows 8 (all supported editions)
• Windows Server 2012
• Windows RT
Severity | Important
Deployment Priority | 2
Update Replacement | MS13-053
More Information and / or Known Issues | None
Restart Requirement | A restart is required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes (1, 2) | Yes (2) | Yes (2) | Yes (2)
1. The MBSA 2.3 beta fully supports Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
2. Windows RT devices can only be serviced with Windows and Microsoft Update and the Microsoft Store
Vulnerability Details:
• Seven (7) elevation of privilege vulnerabilities * exist when the Windows kernel-mode driver improperly
handles objects in memory that could allow an attacker to gain elevated privileges and read arbitrary
amounts of kernel memory by logging on to the system and then running a specially crafted application.
CVE | Severity | Impact | XI Latest (2) | XI Legacy | XI DoS | Public | Exploited | Advisory
Multiple * | Important | Elevation of Privilege | NA | 2 | P | No | None | None
CVE-2013-3866 | Important | Elevation of Privilege | NA | 1 | P | No | None | None
Attack Vectors
• A maliciously crafted application
1. CVE-2013-1341, CVE-2013-1342
CVE-2013-1343, CVE-2013-1344
CVE-2013-3864, CVE-2013-3865
2. XI Latest = Windows 8.1,
Windows Server 2012 R2, and
Windows RT 8.1
Mitigations
• An attacker must have valid logon
credentials and be able to log on
locally to exploit this vulnerability.
Workarounds
• Microsoft has not identified
any workarounds for this
vulnerability
MS13-077: Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339)
Affected Software:
• Windows 7 (all supported editions)
• Windows Server 2008 R2 (all supported editions)
Severity | Important
Deployment Priority | 3
Update Replacement | MS13-019, MS13-063
More Information and / or Known Issues | None
Restart Requirement | A restart is required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
The Service Control Manager (SCM) maintains a database of the installed services and driver services that allow the operating system to start successfully, and provides a unified and secure means of controlling them.
Vulnerability Details:
• A local elevation of privilege vulnerability exists in the way that the Windows Service Control Manager
(SCM) handles objects in memory. The vulnerability is caused when the SCM retrieves a corrupted service
description from the Windows registry resulting in a "double free" condition. An attacker who successfully
exploited this vulnerability could execute arbitrary code within the context of the Service Control Manager
(services.exe).
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-3862 | Important | Elevation of Privilege | NA | 2 | P | No | None | None
Attack Vectors
• A maliciously crafted application
* XI Latest = Windows 8.1,
Windows Server 2012 R2, and
Windows RT 8.1
Mitigations
• To exploit this vulnerability, an
attacker either must have valid
logon credentials and be able to
log on locally or must convince a
user to run the attacker's specially
crafted application.
Workarounds
• Microsoft has not identified
any workarounds for this
vulnerability
MS13-078: Vulnerability in FrontPage Could Allow Information Disclosure (2825621)
Affected Software:
• FrontPage 2003 SP3
Severity | Important
Deployment Priority | 3
Update Replacement | None
More Information and / or Known Issues | None
Restart Requirement | A restart may be required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
The vulnerability is caused when Microsoft FrontPage improperly parses the DTD of an XML file. DTD, standing for document type definition, is a file format type that is used in XML and other markup languages to identify the markup to be used to format a document.
Vulnerability Details:
• An information disclosure vulnerability exists in FrontPage that could allow an attacker to disclose the
contents of a file on a target computer. An attacker who successfully exploited this vulnerability could
disclose the contents of a local file on a target computer if they can convince a user to open a specially
crafted FrontPage document.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-3137 | Important | Information Disclosure | NA | 3 | NA | No | None | None
Attack Vectors
• A maliciously crafted FrontPage
document
Common delivery
mechanisms: a maliciously
crafted Web page, an e-mail
attachment, an instant
message, a peer-to-peer file
share, a network share, and/or
a USB thumb drive
Mitigations
• The vulnerability cannot be
exploited automatically through
email because a user must open
an attachment that is sent in an
email message
• An attacker would have no way to
force users to visit a malicious or
compromised website
Workarounds
• Microsoft has not identified
any workarounds for this
vulnerability
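MS13-073 (Excel) and MS13-078 (FrontPage) both involve XML whose DTD declares external entities. The following Python check is an added example, not part of the original briefing and not Microsoft code: it flags external entity and external DTD declarations in a standalone XML file and, going beyond the cases named above, in the XML parts of a ZIP-based document package, so such files can be held for review before a user opens them. The function names, the part-size cap and the sample documents are constructed for illustration, and the pattern match is a conservative heuristic rather than a full XML parser.

```python
import io
import re
import zipfile

MAX_PART_BYTES = 5 * 1024 * 1024  # read cap per package part (assumed limit)
XML_SUFFIXES = (".xml", ".rels", ".vml")

# <!ENTITY name SYSTEM "uri"> and <!ENTITY % name PUBLIC "id" "uri">
ENTITY_DECL = re.compile(
    rb"<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s>]+)\s+"
    rb"(?:SYSTEM|PUBLIC)\s+(?P<rest>[^>]*)>")
# <!DOCTYPE root SYSTEM "uri"> (external DTD subset)
DOCTYPE_EXT = re.compile(
    rb"<!DOCTYPE\s+(?P<name>[^\s\[>]+)\s+(?:SYSTEM|PUBLIC)\s+(?P<rest>[^\[>]*)")
QUOTED = re.compile(rb"\"([^\"]*)\"|'([^']*)'")


def _to_utf8(data):
    """Re-encode UTF-16 input (detected by BOM) so the byte patterns apply."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace").encode("utf-8")
    return data


def _last_literal(rest):
    """Return the last quoted literal (the system identifier) as text."""
    literals = [a or b for a, b in QUOTED.findall(rest)]
    return literals[-1].decode("utf-8", "replace") if literals else ""


def scan_xml(data, part=""):
    """List (part, kind, name, target) for each external declaration found."""
    data = _to_utf8(data)
    findings = []
    m = DOCTYPE_EXT.search(data)
    if m:
        findings.append((part, "external-dtd",
                         m.group("name").decode("utf-8", "replace"),
                         _last_literal(m.group("rest"))))
    for m in ENTITY_DECL.finditer(data):
        kind = "parameter-entity" if m.group("param") else "general-entity"
        findings.append((part, kind,
                         m.group("name").decode("utf-8", "replace"),
                         _last_literal(m.group("rest"))))
    return findings


def scan_file(data):
    """Scan a standalone XML file or every XML part of a ZIP-based package."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return scan_xml(data)
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        for info in package.infolist():
            if info.filename.lower().endswith(XML_SUFFIXES):
                with package.open(info) as part:
                    findings += scan_xml(part.read(MAX_PART_BYTES),
                                         info.filename)
    return findings


# Constructed sample: declarations only, with placeholder targets.
SAMPLE_EXTERNAL = b"""<?xml version="1.0"?>
<!DOCTYPE book [
  <!ENTITY % outer SYSTEM "http://dtd.example.invalid/outer.dtd">
  <!ENTITY inner PUBLIC "-//EXAMPLE//placeholder" 'file:///placeholder/inner.txt'>
  <!ENTITY local "internal text only">
]>
<book/>"""
SAMPLE_CLEAN = b'<?xml version="1.0"?><book><title>ok</title></book>'


def build_sample_package():
    """Constructed ZIP container with one clean part and one flagged part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", SAMPLE_CLEAN)
        package.writestr("xl/workbook.xml", SAMPLE_EXTERNAL)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_file(build_sample_package()):
        print(finding)
```

Internal entities such as `local` in the sample are not reported; only declarations that point outside the document are.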
MS13-079: Vulnerability in Active Directory Could Allow Denial of Service (2853587)
Affected Software:
Active Directory Lightweight Directory Service (AD LDS) on:
• Windows Vista (all supported editions)
• Windows Server 2008 (all supported 32-bit and 64-bit editions)
• Windows 7 (all supported editions)
• Windows Server 2008 R2 (all supported x64-bit editions)
• Windows 8 (all supported editions)
• Windows Server 2012
Active Directory Services on:
• Windows Server 2008 (all supported 32-bit and 64-bit editions)
• Windows Server 2008 R2 (all supported x64-bit editions)
• Windows Server 2012
Severity | Important
Deployment Priority | 2
Update Replacement | None
More Information and / or Known Issues | None
Restart Requirement | A restart may be required
Uninstall Support | Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes * | Yes | Yes | Yes
* The MBSA 2.3 beta fully supports Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
Vulnerability Details:
• A denial of service vulnerability exists in implementations of Active Directory: the LDAP service fails to handle a specially crafted query, which could cause the service to stop responding if an attacker sends such a query to the LDAP service.
CVE | Severity | Impact | XI Latest * | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-3868 | Important | Denial of Service | NA | 3 | P | No | None | None
* XI Latest = Windows 8.1 and Windows Server 2012 R2
Attack Vectors
• A maliciously crafted LDAP query
Mitigations
• Microsoft has not identified any mitigations for this vulnerability.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability
Security Advisory Rerelease
Security Advisory (2755801) Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
Affected platforms:
• Windows 8 for 32-bit and 64-bit Systems
• Windows Server 2012
• Windows RT
Note: This update is also available for the IE 11 Preview in Windows 8.1 Preview and Windows 8.1 RT Preview releases via Windows Update
Reason for rerelease:
The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-21
For more information about this update, including download links, see KB Article 2880289
September 2013 Manageability Tools Reference
Bulletin | Windows Update | Microsoft Update | MBSA | WSUS | SMS ITMU | SCCM (3)
MS13-067 | No | Yes | Yes | Yes | Yes | Yes
MS13-068 | No | Yes | Yes | Yes | Yes | Yes
MS13-069 | Yes | Yes | Yes (1, 2) | Yes (2) | Yes (2) | Yes (2)
MS13-070 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-071 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-072 | No | Yes | Yes | Yes | Yes | Yes
MS13-073 | No | Yes | Yes | Yes | Yes | Yes
MS13-074 | No | Yes | Yes | Yes | Yes | Yes
MS13-075 | No | Yes | Yes | Yes | Yes | Yes
MS13-076 | Yes | Yes | Yes (1, 2) | Yes (2) | Yes (2) | Yes (2)
MS13-077 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-078 | No | Yes | Yes | Yes | Yes | Yes
MS13-079 | Yes | Yes | Yes (1) | Yes | Yes | Yes
1. The MBSA 2.3 beta fully supports Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2 (see: http://technet.microsoft.com/en-us/security/cc184924)
2. Windows RT devices can only be serviced with Windows and Microsoft Update and the Microsoft Store
3. System Center 2012 R2 is in beta and is required to service Windows 8.1 and Windows Server 2012 R2. Note that these platforms are not affected by any of the September 2013 security bulletins
Microsoft Support Lifecycle
Lifecycle Changes
The following product families and service pack levels are scheduled to have their support lifecycle expire on September 10th 2013
Product Family
• None
Service Pack Level
• None
Remember that support for the entire Windows XP product family will expire on 4/8/2014
http://support.microsoft.com/lifecycle
September 2013 Security Bulletins
Bulletin | Description | Severity | Priority
MS13-067 | Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution | Critical | 1
MS13-068 | Vulnerability in Microsoft Outlook Could Allow Remote Code Execution | Critical | 1
MS13-069 | Cumulative Security Update for Internet Explorer | Critical | 1
MS13-070 | Vulnerability in OLE Could Allow Remote Code Execution | Critical | 2
MS13-071 | Vulnerability in Windows Theme File Could Allow Remote Code Execution | Important | 3
MS13-072 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution | Important | 2
MS13-073 | Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution | Important | 2
MS13-074 | Vulnerabilities in Microsoft Access Could Allow Remote Code Execution | Important | 3
MS13-075 | Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege | Important | 3
MS13-076 | Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege | Important | 2
MS13-077 | Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege | Important | 3
MS13-078 | Vulnerability in FrontPage Could Allow Information Disclosure | Important | 3
MS13-079 | Vulnerability in Active Directory Could Allow Denial of Service | Important | 2
Appendix
Malicious Software Removal Tool Updates (MSRT)
MSRT Changes
New malware families added to the September 2013 MSRT
• Win32/Simda
  • Simda is a family of password-stealing trojans that may also allow backdoor access and control to an affected computer.
  • Its main purpose is to steal passwords and system information from a user's machine.
Additional Tools
Microsoft Safety Scanner
• Same basic engine as the MSRT, but with a full set of A/V signatures
Windows Defender Offline
• An offline bootable A/V tool with a full set of signatures
• Designed to remove rootkits and other advanced malware that can't always be detected by antimalware programs
• Requires you to download an ISO file and burn a CD, DVD, or USB flash drive
Public Security Bulletin Links
Monthly Bulletin Links
• Microsoft Security Bulletin Summary for September 2013
http://technet.microsoft.com/en-us/security/bulletin/ms13-sep
• Security Bulletin Search
http://technet.microsoft.com/en-us/security/bulletin
• Security Advisories
http://technet.microsoft.com/en-us/security/advisory
• Microsoft Technical Security Notifications
http://technet.microsoft.com/en-us/security/dd252948.aspx
Blogs
• MSRC Blog
http://blogs.technet.com/msrc
• SRD Team Blog
http://blogs.technet.com/srd
• MMPC Team Blog
http://blogs.technet.com/mmpc
• MSRC Ecosystem Team Blog
http://blogs.technet.com/ecostrat
Supplemental Security Reference Articles
• Detailed Bulletin Information Spreadsheet
http://go.microsoft.com/fwlink/?LinkID=245778
• Security Tools for IT Pros
http://technet.microsoft.com/en-us/security/cc297183
• KB894199 Description of Software Update Services and Windows Server Update Services changes in content
http://support.microsoft.com/kb/894199
• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software
http://support.microsoft.com/kb/890830
Public Security Bulletin Links in Portuguese (LATAM)
Bulletin Links in Portuguese
• Microsoft Security Bulletin Summary for September 2013
http://technet.microsoft.com/pt-br/security/bulletin/ms13-sep
• Security Bulletin Search
http://technet.microsoft.com/pt-br/security/bulletin
• Security Advisories
http://technet.microsoft.com/pt-br/security/advisory
• Microsoft Technical Security Notifications
http://technet.microsoft.com/pt-br/security/dd252948.aspx
Blogs
• Negócios de Risco
http://blogs.technet.com/b/risco/
• MSRC Blog
http://blogs.technet.com/msrc
• SRD Team Blog
http://blogs.technet.com/srd
• MMPC Team Blog
http://blogs.technet.com/mmpc
• MSRC Ecosystem Team Blog
http://blogs.technet.com/ecostrat
Supplemental Security Reference Articles
• Detailed Bulletin Information Spreadsheet
http://go.microsoft.com/fwlink/?LinkID=245778
• Security Tools for IT Pros
http://technet.microsoft.com/pt-br/security/cc297183
• KB894199 Description of Software Update Services and Windows Server Update Services changes in content
http://support.microsoft.com/kb/894199
• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software
http://support.microsoft.com/kb/890830
September 2013 Non-Security Content
Description | Classification | Deployment
Update for Windows 7 (KB2853952) | Update (Recommended) | Site, AU, SUS, Catalog
Update for Windows 7 (KB2834140) | Update (Recommended) | Site, AU, SUS, Catalog
Update for Windows 8 (KB2871389) | Update (Recommended) | Site, AU, SUS, Catalog
Update for Windows 8 (KB2876415) | Update | Site, SUS, Catalog
Update for Windows 7 (KB2574819) | Update | Site, SUS, Catalog
Update for Windows 7 (KB2868116) | Critical Update | Site, AU, SUS, Catalog
Update for Windows 8 (KB2802618) | Critical Update | Site, AU, SUS, Catalog
Update for Windows 8 (KB2871777) | Critical Update | Site, AU, SUS, Catalog
Windows Malicious Software Removal Tool for Windows 8 - September 2013 (KB890830) | Update Rollup | Site, AU, SUS, Catalog
Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 and Windows XP x86 (KB2836941) | Update (Recommended) | Site, AU, SUS, Catalog
Update for Microsoft .NET Framework 4 on XP, Server 2003, Vista, Windows 7, Server 2008 x86 (KB2836939) | Update (Recommended) | Site, AU, SUS, Catalog
Update for Microsoft .NET Framework 3.5.1 on Windows 7 SP1 x86 (KB2836943) | Update (Recommended) | Site, AU, SUS, Catalog
Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2008 SP2 x86 (KB2836945) | Update (Recommended) | Site, AU, SUS, Catalog
Update for Microsoft .NET Framework 3.5 on Windows 8 (KB2836946) | Update (Recommended) | Site, AU, SUS, Catalog
MBSA 2.3 Preview Release
MBSA 2.3 preview release adds support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
Tool Information
• Windows 2000 will no longer be supported with this release.
• The final release of MBSA 2.3 is expected to be available in Fall 2013.
System Center Configuration Manager OpenBeta Program
The MBSA 2.3 preview release can be downloaded from the System Center Configuration Manager OpenBeta Program “Connect” Page at:
• See: http://technet.microsoft.com/en-us/security/cc184924
Due to the remaining short product cycle, we will be unable to implement any design change requested for this release. Please tag design change requests appropriately.
Portuguese Webcast: October
Portuguese Webcast (External)
• OCTOBER WEBCAST - CUSTOMERS
10 October 2013, 15:30 (Brasília time)
• Security Blog:
http://blogs.technet.com/b/risco/