Information About Microsoft January 2012 Security Bulletins

Dustin Childs, Sr. Security Program Manager, MSRC, Microsoft Corporation
Pete Voss, Sr. Response Communications Manager, Microsoft Corporation

Dial In Number 1-800-229-0449 Pin: 5639

Live Video Stream

• To receive our video stream in LiveMeeting:
– Click on Voice & Video
– Click the drop down next to the camera icon
– Select Show Main Video

What We Will Cover

• Review of January 2012 Bulletin release information:
– New Security Bulletins
– Microsoft® Windows® Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now

Severity and Exploitability Index

Chart on the original slide: each bulletin is plotted by Exploitability Index (1, 2, 3) against aggregate severity (Critical, Important, Moderate, Low), with risk rising toward index 1 and Critical. The values recoverable from the chart, with the deployment priority (DP) shown under each bulletin:

Bulletin | Product family | Severity | Exploitability Index | DP
MS12-001 | Windows | Important | 1 | 3
MS12-002 | Windows | Important | 1 | 2
MS12-003 | Windows | Important | 1 | 2
MS12-004 | Windows | Critical | 1 | 1
MS12-005 | Windows | Important | 1 | 2
MS12-006 | Windows | Important | 3 | 2
MS12-007 | Developer Tools & Software | Important | 3 | 3

Bulletin Deployment Priority

Max Impact abbreviations: RCE = Remote Code Execution, EoP = Elevation of Privilege, ID = Information Disclosure, SFB = Security Feature Bypass.

Bulletin | KB | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority | Note
MS12-004 | 2636391 | Private | Critical | 1 | RCE | 1 | This bulletin addresses two separate issues, one involving .MIDI-format files and one affecting certain DirectShow files.
MS12-005 | 2584146 | Private | Important | 1 | RCE | 2 | A would-be attacker would have to convince a targeted user to open a maliciously crafted Office document.
MS12-003 | 2646524 | Private | Important | 1 | EoP | 2 | Affects only Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.
MS12-002 | 2603381 | Private | Important | 1 | RCE | 2 | Affects only Windows XP SP3 and Windows Server 2003.
MS12-006 | 2643584 | Public | Important | 3 | ID | 2 | This bulletin addresses the issue described in Security Advisory 2588513, "Vulnerability in SSL/TLS Could Allow Information Disclosure."
MS12-007 | 2607664 | Private | Important | 3 | ID | 3 | Bulletin to be released via Download Center only.
MS12-001 | 2644615 | Private | Important | 1 | SFB | 3 | This Security Feature Bypass issue is not an exploitable issue on its own; rather, it potentially facilitates other exploits that rely on disabling SafeSEH.

MS12-001: Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Comment | Note
CVE-2012-0001 | Important | 1 / 1 | Security Feature Bypass | Cooperatively Disclosed

Affected Products: All supported versions of Windows and Windows Server (except XP SP3)
Affected Components: Windows Kernel
Deployment Priority: 3
Main Target: Servers and Workstations

Possible Attack Vectors
• An attacker could bypass the SafeSEH security feature in a software application.

Impact of Attack
• An attacker who successfully exploited this vulnerability could bypass the security feature and then use other vulnerabilities to run arbitrary code.

Mitigating Factors
• Only software applications that were compiled using the original RTM version of Microsoft Visual C++ .NET 2003 (version 7.1) can be used to exploit this vulnerability.

Additional Information
• Can only be exploited in conjunction with another vulnerability.
• Machines to which the update is applied are protected, regardless of whether affected applications are recompiled with an unaffected version of Visual Studio.
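The slide says which applications can be used for a SafeSEH bypass but not how to tell, from a binary on disk, whether a module carries a SafeSEH handler table at all, which is the inventory check a practitioner wants before and after applying the update. The script below is an added example, not Microsoft's code and not from the webcast: it parses a PE32 image's IMAGE_LOAD_CONFIG_DIRECTORY the way a loader must in order to locate SEHandlerTable and SEHandlerCount, and classifies the module. It constructs its own minimal single-section PE32 images in memory as sample input (labelled as constructed); the load-config layout it assumes is the standard one (Size at offset 0, SEHandlerTable/SEHandlerCount at 0x40/0x44), and it does not reproduce the specific defect MS12-001 fixes, which the slide does not detail.

```python
import struct

LOAD_CONFIG_DIR = 10                       # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400
SEH_FIELDS_END = 0x48                      # IMAGE_LOAD_CONFIG_DIRECTORY32 size once SEHandlerTable/Count exist


def rva_to_offset(pe, opt_off, opt_size, nsections, rva):
    """Map an RVA to a file offset using the section table that follows the optional header."""
    sec_off = opt_off + opt_size
    for i in range(nsections):
        _name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, sec_off + 40 * i)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    return None


def safeseh_status(pe):
    """Classify a PE32 image: does it register a SafeSEH handler table the OS can validate against?"""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not a PE file"
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        return "not PE32 (SafeSEH is an x86-only mechanism)"
    dllchars = struct.unpack_from("<H", pe, opt + 70)[0]
    if dllchars & IMAGE_DLLCHARACTERISTICS_NO_SEH:
        return "NO_SEH: module never installs SEH handlers"
    ndirs = struct.unpack_from("<I", pe, opt + 92)[0]
    if ndirs <= LOAD_CONFIG_DIR:
        return "no load config directory: no SafeSEH table"
    lc_rva, _lc_size = struct.unpack_from("<II", pe, opt + 96 + 8 * LOAD_CONFIG_DIR)
    if lc_rva == 0:
        return "no load config directory: no SafeSEH table"
    lc = rva_to_offset(pe, opt, opt_size, nsections, lc_rva)
    if lc is None:
        return "load config RVA outside any section: malformed"
    size = struct.unpack_from("<I", pe, lc)[0]     # Size field decides which fields are present
    if size < SEH_FIELDS_END:
        return "load config Size=0x%X predates SEHandlerTable: no SafeSEH table" % size
    table, count = struct.unpack_from("<II", pe, lc + 0x40)
    if table == 0 or count == 0:
        return "SEHandlerTable empty: no SafeSEH table"
    return "SafeSEH: %d registered handler(s)" % count


def load_config32(size, seh_table_rva=0, seh_count=0):
    """Constructed IMAGE_LOAD_CONFIG_DIRECTORY32 with only the fields the check reads filled in."""
    lc = bytearray(SEH_FIELDS_END)
    struct.pack_into("<I", lc, 0, size)
    struct.pack_into("<II", lc, 0x40, seh_table_rva, seh_count)
    return bytes(lc)


def build_pe32(load_config=None, dllchars=0):
    """Constructed single-section PE32 image for the demo (not a real binary)."""
    sec_rva, sec_raw, sec_len = 0x1000, 0x200, 0x200
    body = bytearray(sec_len)
    if load_config is not None:
        body[:len(load_config)] = load_config
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)   # i386, 1 section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)           # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<H", opt, 70, dllchars)                              # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                    # NumberOfRvaAndSizes
    if load_config is not None:
        struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR, sec_rva, len(load_config))
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", sec_len, sec_rva, sec_len, sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return headers + bytes(sec_raw - len(headers)) + bytes(body)


SAMPLES = {
    "safeseh": build_pe32(load_config32(0x48, seh_table_rva=0x1100, seh_count=3)),
    "no_loadconfig": build_pe32(),
    "old_loadconfig": build_pe32(load_config32(0x40, seh_table_rva=0x1100, seh_count=3)),
    "no_seh": build_pe32(dllchars=IMAGE_DLLCHARACTERISTICS_NO_SEH),
}


def audit(samples=SAMPLES):
    return {name: safeseh_status(img) for name, img in samples.items()}


if __name__ == "__main__":
    for name, status in audit().items():
        print("%-15s %s" % (name, status))
```

Point the same function at real DLLs (open(path, "rb").read()) to list modules without a handler table; those are the ones an exploit chains through regardless of this bulletin, while the "old_loadconfig" case shows that a handler table is only honoured when the structure's own Size field says it is there.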

MS12-002: Vulnerability In Windows Object Packager Could Allow Remote Code Execution (2603381)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Comment | Note
CVE-2012-0009 | Important | N/A / 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products: All supported editions of Windows XP and Windows Server 2003
Affected Components: Object Packager
Deployment Priority: 2
Main Target: Workstations

Possible Attack Vectors
• An attacker could place a legitimate file with an embedded packaged object and a specially crafted executable file in a network share, a UNC, or WebDAV location and then convince the user to open the legitimate file.

Impact of Attack
• An attacker who exploits this vulnerability could gain the same user rights as the logged-on user.

Mitigating Factors
• The attacker cannot force the user to visit an untrusted remote file system or WebDAV share and open a legitimate file.
• The file sharing protocol (SMB) is often disabled on the perimeter firewall.

Additional Information
• Blocking TCP ports 139 and 445 at the firewall is a viable workaround for this vulnerability.

MS12-003: Vulnerability In Windows Client/Server Run-Time Subsystem Could Allow Elevation of Privilege (2646524)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Comment | Note
CVE-2012-0005 | Important | N/A / 1 | Elevation of Privilege | Cooperatively Disclosed

Affected Products: All supported editions of Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008
Affected Components: Client Server Run-Time Subsystem (CSRSS)
Deployment Priority: 2
Main Target: Servers and Workstations

Possible Attack Vectors
• An attacker could exploit this vulnerability if they log on to the affected system and run a specially crafted application.

Impact of Attack
• An attacker could take complete control of the affected system.

Mitigating Factors
• An attacker must have valid logon credentials and be able to log on locally or remotely to exploit this vulnerability.
• This vulnerability can only be exploited on systems configured with a Chinese, Japanese, or Korean system locale.

Additional Information
• The vulnerability is not exploitable unless the system locale is set to Chinese, Japanese, or Korean.

MS12-004: Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Comment | Note
CVE-2012-0003 | Critical | 1 / 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-0004 | Important | 1 / 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products:
• All supported editions of Microsoft Windows XP, Vista, Server 2003 and Server 2008 R1
• All editions of Windows 7, Windows Server 2008 R2, Windows Media Center TV Pack for Windows Vista x32 and x64
Affected Components: Windows Media Player
Deployment Priority: 1
Main Target: Workstations

Possible Attack Vectors
CVE-2012-0003:
• An attacker could exploit this vulnerability by convincing the user to open a specially crafted MIDI file.
CVE-2012-0004:
• An attacker could exploit the vulnerability by sending a user an e-mail message containing a specially crafted media file and convincing the user to open the media file.
• In a Web-based attack scenario, an attacker would have to host a website that contains a specially crafted media file.

Impact of Attack
• An attacker could gain the same user rights as the exploited logged-on user, which could include installing programs; viewing, changing or deleting data; or creating new accounts with full user rights.

Mitigating Factors
• An attacker has to convince the user to open the specially crafted media file.
CVE-2012-0004 only:
• In Windows Media Player 10, 11, and 12, the WMP security settings block the display of captions by default.

Additional Information
• Installations using Server Core are not affected for the following platforms: Windows Server 2008 R2, Windows Server 2008 x64 SP2 (DirectShow only), Windows Server 2008 x32 SP2 (DirectShow only).

MS12-005: Vulnerability In Windows Could Allow Remote Code Execution (2584146)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Comment | Note
CVE-2012-0013 | Important | 1 / 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products: All supported editions of Microsoft Windows
Affected Components: Windows
Deployment Priority: 2
Main Target: Workstations

Possible Attack Vectors
• In either an email-based or web-based scenario, an attacker can exploit this vulnerability by convincing a user to open a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application.

Impact of Attack
• This vulnerability allows attackers to embed ClickOnce application installers into Microsoft Office documents and execute code without user interaction.

Mitigating Factors
• An attacker has to convince the user to open the specially crafted Microsoft Office file.
• To deploy across a network, the deployment manifest and application manifest of a ClickOnce deployment must both be signed with a digital certificate.

Additional Information
• Installations using Server Core are not affected.
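The MS12-005 vector is document-borne, so the detection a mail gateway or incident responder wants is a scan of incoming Office files for embedded objects that carry a ClickOnce deployment manifest. The scanner below is an added example, not from the webcast and not Microsoft's code: it builds a constructed minimal OOXML package in memory (not one produced by Word), then inspects every part stored under an embeddings/ folder, which is where Word, Excel and PowerPoint keep OLE objects. The ClickOnce markers it searches for (the urn:schemas-microsoft-com:asm.v2 namespace and the deployment element) are an assumption chosen for the example; real embedded packages are OLE compound files that wrap the payload, and the substring search still catches a manifest stored uncompressed inside one.

```python
import io
import zipfile

# Heuristic markers of a ClickOnce deployment manifest (.application). Assumption for this example.
CLICKONCE_MARKERS = (b"urn:schemas-microsoft-com:asm.v2", b"<deployment")
OLE_COMPOUND_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed sample manifest; only the elements the scanner keys on are present.
SAMPLE_MANIFEST = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" '
    b'xmlns="urn:schemas-microsoft-com:asm.v2" manifestVersion="1.0">\n'
    b'  <assemblyIdentity name="Payload.application" version="1.0.0.0" />\n'
    b'  <deployment install="true" />\n'
    b'</asmv1:assembly>\n'
)


def build_docx(embedded=None):
    """Constructed minimal OOXML package: optional (name, bytes) stored as word/embeddings/<name>."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<w:document/>")
        if embedded:
            name, data = embedded
            z.writestr("word/embeddings/" + name, data)
            z.writestr("word/_rels/document.xml.rels",
                       '<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                       '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                       'Target="embeddings/%s"/></Relationships>' % name)
    return buf.getvalue()


def scan_ooxml(data):
    """Describe every embedded part in an OOXML package (docx/xlsx/pptx share the embeddings/ convention)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if "embeddings" not in info.filename.split("/")[:-1]:
                continue
            blob = z.read(info)
            findings.append({
                "part": info.filename,
                "size": info.file_size,
                "ole_compound": blob.startswith(OLE_COMPOUND_MAGIC),  # Package/OLE wrapper Word writes
                "pe_image": blob.startswith(b"MZ"),                     # bare executable, never legitimate here
                "clickonce_manifest": any(m in blob for m in CLICKONCE_MARKERS),
            })
    return findings


def is_suspicious(data):
    """Quarantine rule: any embedded ClickOnce manifest or bare executable."""
    return any(f["clickonce_manifest"] or f["pe_image"] for f in scan_ooxml(data))


if __name__ == "__main__":
    for label, doc in (("clickonce", build_docx(("oleObject1.bin", SAMPLE_MANIFEST))),
                       ("clean", build_docx()),
                       ("benign_ole", build_docx(("oleObject1.bin", OLE_COMPOUND_MAGIC + bytes(504))))):
        print(label, is_suspicious(doc), scan_ooxml(doc))
```

Legacy binary .doc/.xls files are OLE compound files themselves rather than zips; for those, walk the ObjectPool storage with an OLE parser and apply the same marker search to each stream.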

MS12-006: Vulnerability In SSL/TLS Could Allow Information Disclosure (2643584)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Comment | Note
CVE-2011-3389 | Important | 3 / 3 | Information Disclosure | Publicly Disclosed

Affected Products: All supported editions of Microsoft Windows
Affected Components: SSL/TLS
Deployment Priority: 2
Main Target: Workstations and Servers

Possible Attack Vectors
• An attacker could exploit this vulnerability by intercepting encrypted web traffic from an affected system, via the web browser.

Impact of Attack
• An attacker could decrypt intercepted encrypted traffic.

Mitigating Factors
• TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Additional Information
• This security update also addresses the vulnerability first described in Microsoft Security Advisory 2588513.
• This vulnerability affects the SSL/TLS protocol and is not specific to the Windows operating system.
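The mitigating factor above (TLS 1.1, TLS 1.2 and non-CBC suites are unaffected) is easiest to see with the two IV rules side by side. The script below is an added example, not from the webcast and not Microsoft's code: it models a CBC record layer under the SSL 3.0/TLS 1.0 rule, where the IV of a record is the last ciphertext block of the previous record and is therefore already on the wire, and under the TLS 1.1 rule of a fresh random IV sent with every record, then runs the blockwise chosen-plaintext test at the core of CVE-2011-3389 (BEAST) against a constructed 12-byte cookie. The 4-round Feistel block cipher is a toy stand-in for AES (an assumption; the attack never depends on the cipher's internals), and padding plus the browser-side plaintext injection are simplified to a direct send() on the same connection.

```python
import hashlib
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    """Toy 128-bit keyed permutation (4-round Feistel, SHA-256 round function) standing in for AES."""
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


class CbcRecordLayer:
    """CBC record layer. chained_iv=True: SSL 3.0/TLS 1.0 (IV = last block of previous record, not sent).
    chained_iv=False: TLS 1.1/1.2 (fresh random IV, sent explicitly in front of the record)."""

    def __init__(self, key, chained_iv):
        self.key, self.chained_iv = key, chained_iv
        self.last_block = os.urandom(BLOCK)   # handshake-derived initial IV; never on the wire
        self.wire = []                        # (explicit_iv or None, ciphertext blocks) as an eavesdropper sees it
        self.send(bytes(BLOCK))               # first record of the connection primes the chain

    def send(self, plaintext):
        assert len(plaintext) % BLOCK == 0, "demo skips padding"
        iv = self.last_block if self.chained_iv else os.urandom(BLOCK)
        prev, blocks = iv, []
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            blocks.append(prev)
        self.last_block = prev
        record = (None if self.chained_iv else iv, blocks)
        self.wire.append(record)
        return record


SECRET = b"sid=7f3a9c2e"   # constructed 12-byte cookie the victim's browser appends to every request


def victim_request(layer, attacker_prefix):
    """Victim sends attacker-influenced prefix + secret (BEAST moves the block boundary via URL length)."""
    body = attacker_prefix + SECRET
    return layer.send(body + bytes(-len(body) % BLOCK))


def predicted_next_iv(wire):
    """Under chaining, the next record's IV is the last ciphertext block currently on the wire."""
    return wire[-1][1][-1]


def recover_secret(layer, length):
    """Blockwise chosen-plaintext attack: confirm one unknown byte per block, 256 guesses at most."""
    known = b""
    for j in range(length):
        filler = b"A" * (15 - j)                       # block 0 = filler + known bytes + SECRET[j]
        predicted = predicted_next_iv(layer.wire)
        explicit_iv, blocks = victim_request(layer, filler)
        record_iv = explicit_iv if explicit_iv is not None else predicted
        target = blocks[0]                             # E(record_iv XOR true_block)
        found = None
        for g in range(256):
            candidate = filler + known + bytes([g])
            # If the next IV really is the predicted block, this probe encrypts to E(record_iv XOR candidate).
            probe = xor(xor(predicted_next_iv(layer.wire), record_iv), candidate)
            _, probe_blocks = layer.send(probe)        # attacker-chosen plaintext on the victim's connection
            if probe_blocks[0] == target:
                found = g
                break
        if found is None:                              # random IV: no guess ever confirms
            break
        known += bytes([found])
    return known


def demo():
    key = os.urandom(32)
    return {
        "tls1.0 chained IV": recover_secret(CbcRecordLayer(key, chained_iv=True), len(SECRET)),
        "tls1.1 random IV": recover_secret(CbcRecordLayer(key, chained_iv=False), len(SECRET)),
    }


if __name__ == "__main__":
    for mode, got in demo().items():
        print("%-20s recovered %r" % (mode, got))
```

The same trace shows why non-CBC suites are out of scope: the guess test relies on the attacker controlling the value XORed into the next block before encryption, which a stream or AEAD mode never exposes.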

MS12-007: Vulnerability In AntiXSS Library Could Allow Information Disclosure (2607664)

CVE | Severity | Exploitability (Latest Software / Older Versions) | Comment | Note
CVE-2012-0007 | Important | 3 / 3 | Information Disclosure | Cooperatively Disclosed

Affected Products: Microsoft Anti-Cross Site Scripting Library versions 3.x and 4
Affected Components: Anti-Cross Site Scripting (AntiXSS) Library
Deployment Priority: 3
Main Target: Workstations

Possible Attack Vectors
• To exploit this vulnerability, an attacker could send specially crafted HTML to a target website that is using the sanitization module of the AntiXSS Library.

Impact of Attack
• An attacker could perform a cross-site scripting (XSS) attack on a website that is using the AntiXSS Library to sanitize user-provided HTML, pass a malicious script through a sanitization function, and expose information not intended to be disclosed.

Mitigating Factors
• Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.

Additional Information
• This bulletin will be available via the Download Center only.
• This vulnerability would not allow an attacker to execute code or elevate the attacker's user rights directly.
• Version 4.2 is not affected.

Detection & Deployment

Bulletin | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | SCCM 2007
MS12-001 | Yes | Yes | Yes | Yes | Yes | Yes
MS12-002 | Yes | Yes | Yes | Yes | Yes | Yes
MS12-003 | Yes | Yes | Yes | Yes | Yes | Yes
MS12-004 | Yes | Yes | Yes | Yes | Yes | Yes
MS12-005 | Yes | Yes | Yes | Yes | Yes | Yes
MS12-006 | Yes | Yes | Yes | Yes | Yes | Yes
MS12-007 | No* | No* | No* | No* | No* | No*

*Available via Download Center only

Other Update Information

Bulletin | Restart | Uninstall | Replaces
MS12-001 | Yes | Yes | None
MS12-002 | Maybe | Yes | None
MS12-003 | Maybe | Yes | MS11-063
MS12-004 | Yes | Yes | MS10-033
MS12-005 | Maybe | Yes | None
MS12-006 | Yes | Yes | MS10-049, MS10-085, MS10-095
MS12-007 | Maybe | Yes | None

Windows Malicious Software Removal Tool (MSRT)

This month, the Windows Malicious Software Removal Tool will add detections for the following family:

• Win32/Sefnit is a widespread trojan that includes a configurable payload controlled by a set of remote hosts.

– Available as a priority update through Windows Update or Microsoft Update
– Is offered through WSUS 3.0
– Also available as a download at: www.microsoft.com/malwareremove

Resources

Blogs
• Microsoft Security Response Center (MSRC) blog: www.blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center blog: http://blogs.technet.com/mmpc/

Twitter
• @MSFTSecResponse

Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx

Bulletins, Advisories, Notifications & Newsletters
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews

Other Resources
• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx

Questions and Answers

• Submit text questions using the "Ask" button.
• Don't forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC Blog: http://blogs.technet.com/msrc
• Register for next month's webcast at: http://microsoft.com/technet/security/current.aspx

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.