• To receive our video stream in LiveMeeting:
  - Click on “Voice & Video”
  - Click the drop down next to the camera icon
  - Select “Show Main Video”
• Dial-in Information:
  - 1 (877) 593-2001 Pin: 3959

• Review of July 2013 Bulletin Release Information
  - Seven New Security Bulletins
  - One Updated Security Advisory
  - Microsoft Windows Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now
  - Submit Questions via Twitter #MSFTSecWebcast

[Figure: Severity & Exploitability Index. Chart of MS13-052 through MS13-058 by severity (Critical, Important, Moderate, Low; impact), Exploitability Index (1 to 3; risk) and deployment priority (DP).]

Bulletin Deployment Priority

| Bulletin | Product / Component | KB # | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority |
|---|---|---|---|---|---|---|---|
| MS13-055 | Internet Explorer | 2846071 | Private | Critical | 1 | RCE | 1 |
| MS13-053 | Kernel-Mode Driver | 2850851 | Public | Critical | 1 | RCE | 1 |
| MS13-054 | GDI+ | 2848295 | Private | Critical | 1 | RCE | 2 |
| MS13-052 | .NET/ Silverlight | 2861561 | Public | Critical | 1 | RCE | 2 |
| MS13-056 | DirectShow | 2845187 | Private | Critical | 1 | RCE | 2 |
| MS13-057 | Media Format Runtime | 2847883 | Private | Critical | 2 | RCE | 2 |
| MS13-058 | Windows Defender | 2847927 | Private | Important | 1 | EoP | 3 |

MS13-052: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)

| CVE | Severity | Exploitability: Latest | Exploitability: Older | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3129 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3131 | Critical | 2 | 2 | Remote Code Execution | Publicly Disclosed |
| CVE-2013-3132 | Important | 3 | 3 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2013-3133 | Important | 3 | 3 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2013-3134 | Critical | 2 | 2 | Remote Code Execution | Publicly Disclosed |
| CVE-2013-3171 | Important | 3 | 3 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2013-3178 | Important | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products
• Severity levels are aggregate, please see update document for specifics: .NET Framework 2.0, 3.0, 4, 3.5, 3.5.1, and 4.5 on all supported versions of Windows Client and Windows Server; All editions of Silverlight 5, to include when installed on Mac
• Severity levels are aggregate, please see update document for specifics: .NET Framework 1.0 and 1.1 on all supported versions of Windows Client and Windows Server

Affected Components: Internet Explorer
Deployment Priority: 2
Main Target: Workstations

Possible Attack Vectors
• Web-based: an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. (CVE-2013-3129)
• File sharing: an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file. (CVE-2013-3129)
• Local attack: an attacker could exploit this vulnerability by running a specially crafted application to take complete control over the affected system. However, the attacker must have valid logon credentials and be able to log on locally. (CVE-2013-3129)
• Web-based: an attacker could host a website that contains a specially crafted Silverlight application designed to exploit this vulnerability and then convince a user to view the website. (CVE-2013-3131, 3178)
• .NET application: in a .NET application attack scenario, an attacker could modify the array data in a manner that would allow for remote code execution. (CVE-2013-3131, 3134)
• Web-based: an attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that could exploit this vulnerability and then convince a user to view the website. (CVE-2013-3132, 3133, 3171)
• This vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions. (CVE-2013-3132, 3133, 3171)

Impact of Attack
• An attacker could run arbitrary code in kernel mode (CVE-2013-3129)
• In a .NET application attack scenario, an attacker could obtain the same permissions as the currently logged-on user (CVE-2013-3131, 3133, 3134, 3171)
• In a web-browsing scenario, an attacker could execute arbitrary code on behalf of the targeted user (CVE-2013-3131, 3133, 3171, 3178)
• An attacker could take complete control of the affected system (CVE-2013-3132)

Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. (All CVEs)

Additional Information
• Installations using Server Core are affected.
• .NET Framework 4 and .NET Framework 4 Client Profile are affected.

MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)

| CVE | Severity | Exploitability: Latest | Exploitability: Older | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-1300 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2013-1340 | Important | 3 | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2013-1345 | Important | 3 | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2013-3129 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3167 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2013-3172 | Moderate | | | Denial of Service | Publicly Disclosed |
| CVE-2013-3173 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2013-3660 | Critical | 3 | 3 | Remote Code Execution | Publicly Disclosed |

Affected Products: All supported versions of Windows Client and Windows Server
Affected Components: Kernel-Mode Drivers
Deployment Priority: 1
Main Target: Workstations

Possible Attack Vectors
• Web-based attack: an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. (CVE-2013-3129, 3660)
• File sharing: an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file. (CVE-2013-3129, 3660)
• Local attack: an attacker could also exploit this vulnerability by running a specially crafted application to take complete control over the affected system. The attacker must have valid logon credentials. (CVE-2013-3129, 3660)
• An attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to increase privileges. (CVE-2013-1300, 1340, 1345, 3167, 3173)
• For an attacker to exploit this vulnerability, a user would have to execute a specially crafted application. (CVE-2013-3172)

Impact of Attack
• An attacker could run arbitrary code in kernel mode (CVE-2013-3129)
• An attacker could run processes in an elevated context (CVE-2013-1300, 1340, 1345, 3167, 3173)
• An attacker could cause the target system to stop responding (CVE-2013-3172)
• In most scenarios, an attacker could achieve elevation of privilege on the target system. It is also theoretically possible, but unlikely due to memory randomization, that an attacker could achieve remote code execution (CVE-2013-3660)

Mitigating Factors
• An attacker must have valid logon credentials and be able to log on to exploit this vulnerability (CVE-2013-1300, 1340, 1345, 3167, 3173)
• Microsoft has not identified any mitigating factors for this vulnerability (CVE-2013-3660)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone, which disables font download by default (CVE-2013-3129)
• An attacker would have no way to force a user to click on a malicious link or open a malicious file (CVE-2013-3129)

Additional Information
• Installations using Server Core are affected
• Microsoft was aware of this vulnerability being used to achieve elevation of privilege in targeted attacks (CVE-2013-3660)
• Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers (CVE-2013-3129)

MS13-054: Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)

| CVE | Severity | Exploitability: Latest | Exploitability: Older | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3129 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: All supported versions of Windows and Windows Server except for Windows Server 2008 for Itanium; Lync 2010 32-bit, x64 and Attendee; Lync 2013; Visual Studio .NET 2003 SP1; Office 2003, 2007, and all editions of 2010
Affected Components: GDI+, Journal, DirectWrite, Office, Visual Studio .NET 2003, Lync
Deployment Priority: 2
Main Target: Workstations

Possible Attack Vectors
• Web-based: an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website.
• File sharing: an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file.
• Local attack: an attacker could also exploit this vulnerability by running a specially crafted application to take complete control over the affected system. However, the attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability in this scenario.

Impact of Attack
• An attacker could run arbitrary code in kernel mode and take complete control of an affected system

Mitigating Factors
• An attacker could not force a user to visit a malicious website or click on a malicious link
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone, which disables font download by default

Additional Information
• For some versions of Windows Server, DirectWrite is not installed by default. Customers will only be offered the update on those systems if DirectWrite is installed.

MS13-055: Cumulative Security Update for Internet Explorer (2846071)

| CVE | Severity | Exploitability: Latest | Exploitability: Older | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3115, CVE-2013-3143, CVE-2013-3144 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3147, CVE-2013-3149, CVE-2013-3150, CVE-2013-3164, CVE-2013-3145 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3148, CVE-2013-3161, CVE-2013-3162, CVE-2013-3153 | Critical | 3 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3151, CVE-2013-3163 | Critical | 2 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3146, CVE-2013-3152 | Critical | 1 | NA | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3166 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed |

Affected Products
• IE6 – IE10 on all supported versions of Windows Client
• IE6 – IE10 on all supported versions of Windows Server

Affected Components: Internet Explorer
Deployment Priority: 1
Main Target: Workstations

Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (All CVEs)
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. (All CVEs)

Impact of Attack
• An attacker could gain the same user rights as the current user (All CVEs except CVE-2013-3166)
• An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone (CVE-2013-3166)

Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. (All CVEs)
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. (All CVEs)

Additional Information
• Installations using Server Core are not affected. (All CVEs)
• Updates for Windows RT are only available via Windows Update
• Microsoft is aware of targeted attacks attempting to exploit the vulnerability described in CVE-2013-3163.

MS13-056: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)

| CVE | Severity | Exploitability: Latest | Exploitability: Older | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3174 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: All supported versions of Windows and Windows Server (except Windows Server 2008 for Itanium, Windows Server 2012, and Windows RT)
Affected Components: DirectShow
Deployment Priority: 2
Main Target: Servers

Possible Attack Vectors
• Web-based: an attacker would have to host a web site that contains specially crafted content (GIF file) that is used to attempt to exploit this vulnerability
• Email: an attacker could exploit the vulnerability by sending a specially crafted GIF file as a mail attachment and by convincing the user to open the file

Impact of Attack
• If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

Mitigating Factors
• The vulnerability cannot be exploited automatically through e-mail.
• An attacker could not force a user to visit a malicious website or click on a malicious link

Additional Information
• Installations using Server Core are not affected.

MS13-057: Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)

| CVE | Severity | Exploitability: Latest | Exploitability: Older | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3127 | Critical | 2 | 2 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: WMFR 9, 9.5, 11 and wmv9vcm.dll (codec) installed on Windows XP; WMFR 9.5 and wmv9vcm.dll (codec) installed on Windows Server 2003; WMFR 11 and wmv9vcm.dll (codec) installed on Windows Server 2008 (except Itanium); Windows Media Player 12 on Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT
Affected Components: Windows Media Format Runtime (WMFR)
Deployment Priority: 2
Main Target: Workstations

Possible Attack Vectors
• An attacker could exploit the vulnerability by hosting a specially crafted media file on a network location and convincing a user to open the file

Impact of Attack
• An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user

Mitigating Factors
• The vulnerability cannot be exploited automatically through e-mail
• An attacker could not force a user to visit a malicious website or click on a malicious link

Additional Information
• Windows Server 2008 installations using Server Core are not affected.
• This is not a supported or shipped product beyond Windows XP; the Vista/Windows Server 2008 parts of this update are to protect customers in an upgrade scenario only.

MS13-058: Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927)

| CVE | Severity | Exploitability: Latest | Exploitability: Older | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3154 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed |

Affected Products: Windows Defender for Windows 7 32-bit and x64, Windows Defender when installed on Windows Server 2008 R2 x64
Affected Components: Windows Defender
Deployment Priority: 3
Main Target: Windows 7 workstations

Possible Attack Vectors
• To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then place a specially crafted application in a location that could be used to exploit the vulnerability

Impact of Attack
• An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take complete control of the system

Mitigating Factors
• An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
• In a Windows 7 default configuration, a user running as a standard user account does not have permissions to write files to the root directory on the system

Additional Information
• If a customer is running Windows 7 but Windows Defender is disabled, this update is not required.

Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
• Added the 2857645 update to the Current Update section for all supported editions of Windows 8, Windows Server 2012, and Windows RT
• The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-17

Detection & Deployment

| Bulletin | Product / Component | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | Configuration Manager |
|---|---|---|---|---|---|---|---|
| MS13-052 | .NET/ Silverlight | Yes [3] | Yes [3] | Yes [1,2,3] | Yes [2,3] | Yes [2,3] | Yes [2,3] |
| MS13-053 | Kernel-Mode Driver | Yes | Yes | Yes | Yes [2] | Yes [2] | Yes [2] |
| MS13-054 | GDI+ | Yes [4] | Yes [5] | Yes [1] | Yes | Yes | Yes |
| MS13-055 | Internet Explorer | Yes | Yes | Yes | Yes | Yes | Yes |
| MS13-056 | DirectShow | Yes | Yes | Yes | Yes | Yes | Yes |
| MS13-057 | Media Format Runtime | Yes | Yes | Yes | Yes | Yes | Yes |
| MS13-058 | Windows Defender | Yes | Yes | Yes | Yes | Yes | Yes |

1. The MBSA does not support detection on Windows 8, Windows RT, and Windows Server 2012.
2. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.
3. Mac is not supported by our detection tools.
4. Microsoft Office, Visual Studio, and Lync are not serviced by Windows Update.
5. The update for Visual Studio is available through the Download Center only.

Other Update Information

| Bulletin | Product / Component | Restart | Uninstall | Replaces |
|---|---|---|---|---|
| MS13-052 | .NET/ Silverlight | Maybe | Yes | MS13-004, MS12-034, MS12-074, MS11-078, MS10-060, MS12-035, MS12-034, MS13-022 |
| MS13-053 | Kernel-Mode Driver | Yes | Yes | MS13-046, MS13-036 |
| MS13-054 | GDI+ | Maybe | Yes | MS12-034, MS09-062, MS13-041 |
| MS13-055 | Internet Explorer | Yes | Yes | MS13-047 |
| MS13-056 | DirectShow | Maybe | Yes | None |
| MS13-057 | Media Format Runtime | Maybe | Yes | None |
| MS13-058 | Windows Defender | No | Yes | None |

Microsoft Windows Malicious Software Removal Tool
• Microsoft will not add any new families to the MSRT during this release
• Version 5 of MSRT is now available on DLC and for Microsoft Update customers who manually check
• Available as a priority update through Windows Update or Microsoft Update
• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove

Resources
• http://blogs.technet.com/msrc
• http://blogs.technet.com/srd
• http://blogs.technet.com/mmpc/
• www.microsoft.com/technet/security/bulletin/summary.mspx
• www.microsoft.com/technet/security/current.aspx
• www.microsoft.com/technet/security/advisory/
• @MSFTSecResponse

Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx
• www.microsoft.com/technet/security/bulletin/notify.mspx
• www.microsoft.com/technet/security/secnews

Other Resources
• http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• http://www.microsoft.com/security/msrc/mapp/partners.mspx

Questions and Answers
• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC blog: http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx