July 2013 Security Bulletin Webcast

• To receive our video stream in LiveMeeting:
- Click on “Voice & Video”
- Click the drop down next to the camera icon
- Select “Show Main Video”
• Dial-in Information:
- 1 (877) 593-2001
Pin: 3959
• Review of July 2013 Bulletin Release Information
- Seven New Security Bulletins
- One Updated Security Advisory
- Microsoft Windows Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now
- Submit Questions via Twitter #MSFTSecWebcast
Severity & Exploitability Index
[Chart: Severity (Low, Moderate, Important, Critical), Exploitability Index and deployment priority (DP) per bulletin, MS13-052 through MS13-058: .NET Framework/Silverlight, Kernel-Mode Drivers, GDI+, Internet Explorer, DirectShow, Media Format Runtime, Windows Defender]
Bulletin Deployment Priority
Bulletin | Product / Component | KB # | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority
MS13-055 | Internet Explorer | 2846071 | Private | Critical | 1 | RCE | 1
MS13-053 | Kernel-Mode Driver | 2850851 | Public | Critical | 1 | RCE | 1
MS13-054 | GDI+ | 2848295 | Private | Critical | 1 | RCE | 2
MS13-052 | .NET/Silverlight | 2861561 | Public | Critical | 1 | RCE | 2
MS13-056 | DirectShow | 2845187 | Private | Critical | 1 | RCE | 2
MS13-057 | Media Format Runtime | 2847883 | Private | Critical | 2 | RCE | 2
MS13-058 | Windows Defender | 2847927 | Private | Important | 1 | EoP | 3
MS13-052: Vulnerabilities in .NET Framework and Silverlight
Could Allow Remote Code Execution (2861561)
CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure
CVE-2013-3129 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3131 | Critical | 2 | 2 | Remote Code Execution | Publicly Disclosed
CVE-2013-3132 | Important | 3 | 3 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3133 | Important | 3 | 3 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3134 | Critical | 2 | 2 | Remote Code Execution | Publicly Disclosed
CVE-2013-3171 | Important | 3 | 3 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3178 | Important | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products
Severity levels are aggregate; please see the update document for specifics:
- .NET Framework 2.0, 3.0, 4, 3.5, 3.5.1, and 4.5 on all supported versions of Windows Client and Windows Server; all editions of Silverlight 5, including when installed on Mac
- .NET Framework 1.0 and 1.1 on all supported versions of Windows Client and Windows Server
Affected Components
Internet Explorer
Deployment Priority
2
Main Target
Workstations
MS13-052: Vulnerabilities in .NET Framework and Silverlight
Could Allow Remote Code Execution (2861561)
Possible Attack Vectors
• Web-based: An attacker could host a specially crafted website that is designed to exploit this vulnerability and
then convince a user to view the website. (CVE-2013-3129)
• File sharing: an attacker could provide a specially crafted document file that is designed to exploit this
vulnerability, and then convince a user to open the document file (CVE-2013-3129)
• Local attack: an attacker could exploit this vulnerability by running a specially crafted application to take
complete control over the affected system. However, the attacker must have valid logon credentials and be able
to log on locally (CVE-2013-3129)
• Web-based: an attacker could host a website that contains a specially crafted Silverlight application designed to
exploit this vulnerability and then convince a user to view the website (CVE-2013-3131, 3178)
• .NET application: In a .NET application attack scenario, an attacker could modify the array data in a manner that
would allow for remote code execution (CVE-2013-3131, 3134)
• Web-based: An attacker could host a specially crafted website that contains a specially crafted XBAP (XAML
browser application) that could exploit this vulnerability and then convince a user to view the website
(CVE-2013-3132, 3133, 3171)
• This vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security
(CAS) restrictions (CVE-2013-3132, 3133, 3171)
Impact of Attack
• An attacker could run arbitrary code in kernel mode (CVE-2013-3129)
• In a .NET application attack scenario, an attacker could obtain the same permissions as the currently logged-on
user (CVE-2013-3131, 3133, 3134, 3171)
• In a web-browsing scenario, an attacker could execute arbitrary code on behalf of the targeted user
(CVE-2013-3131, 3133, 3171, 3178)
• An attacker could take complete control of the affected system (CVE-2013-3132)
Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open
HTML email messages in the Restricted sites zone. (All CVEs)
Additional Information
• Installations using Server Core are affected.
• .NET Framework 4 and .NET Framework 4 Client Profile affected
MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers
Could Allow Remote Code Execution (2850851)
CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure
CVE-2013-1300 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-1340 | Important | 3 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-1345 | Important | 3 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3129 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3167 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3172 | Moderate | | | Denial of Service | Publicly Disclosed
CVE-2013-3173 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3660 | Critical | 3 | 3 | Remote Code Execution | Publicly Disclosed
Affected Products
All supported versions of Windows Client and Windows Server
Affected Components
Kernel-Mode Drivers
Deployment Priority
1
Main Target
Workstations
Possible Attack Vectors
• Web-based attack: an attacker could host a specially crafted website that is designed to exploit this
vulnerability and then convince a user to view the website. (CVE-2013-3129, 3660)
• File sharing: an attacker could provide a specially crafted document file that is designed to exploit this
vulnerability, and then convince a user to open the document file. (CVE-2013-3129, 3660)
• Local attack: an attacker could also exploit this vulnerability by running a specially crafted application
to take complete control over the affected system. The attacker must have valid logon credentials
(CVE-2013-3129, 3660)
• An attacker would first have to log on to the system. An attacker could then run a specially crafted
application designed to increase privileges. (CVE-2013-1300, 1340, 1345, 3167, 3173)
• For an attacker to exploit this vulnerability, a user would have to execute a specially crafted
application. (CVE-2013-3172)
MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers
Could Allow Remote Code Execution (2850851) (Cont’d)
Impact of Attack
• An attacker could run arbitrary code in kernel mode (CVE-2013-3129)
• An attacker could run processes in an elevated context (CVE-2013-1300, 1340, 1345, 3167, 3173)
• An attacker could cause the target system to stop responding (CVE-2013-3172)
• In most scenarios, an attacker could achieve elevation of privilege on the target system. It is also
theoretically possible, but unlikely due to memory randomization, that an attacker could achieve
remote code execution (CVE-2013-3660)
Mitigating Factors
• An attacker must have valid logon credentials and be able to log on to exploit this vulnerability
(CVE-2013-1300, 1340, 1345, 3167, 3173)
• Microsoft has not identified any mitigating factors for this vulnerability (CVE-2013-3660)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail
open HTML email messages in the Restricted sites zone, which disables font download by default
(CVE-2013-3129)
• An attacker would have no way to force a user to click on a malicious link or open a malicious file
(CVE-2013-3129)
Additional Information
• Installations using Server Core are affected
• Microsoft was aware of this vulnerability being used to achieve elevation of privilege in targeted
attacks (CVE-2013-3660)
• Microsoft had not received any information to indicate that this vulnerability had been publicly used
to attack customers (CVE-2013-3129)
MS13-054: Vulnerability in GDI+ Could Allow Remote Code
Execution (2848295)
CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure
CVE-2013-3129 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products
All supported versions of Windows and Windows
Server except for Windows Server 2008 for
Itanium; Lync 2010 32bit, x64 and Attendee; Lync
2013
Affected Components
GDI+, Journal, DirectWrite, Office, Visual Studio .NET 2003, Lync
Deployment Priority
2
Main Target
Workstations
Possible Attack Vectors
• Web based: an attacker could host a specially crafted website that is designed to exploit this
vulnerability and then convince a user to view the website.
• File Sharing: an attacker could provide a specially crafted document file that is designed to exploit
this vulnerability, and then convince a user to open the document file
• Local attack: an attacker could also exploit this vulnerability by running a specially crafted application
to take complete control over the affected system. However, the attacker must have valid logon
credentials and be able to log on locally to exploit this vulnerability in this scenario
Impact of Attack
• An attacker could run arbitrary code in kernel mode and take complete control of an affected system
Mitigating Factors
• An attacker could not force a user to visit a malicious website or click on a malicious link
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail
open HTML email messages in the Restricted sites zone, which disables font download by default
Additional Information
• For some versions of Windows Server, DirectWrite is not installed by default. Customers will only be
offered the update on those systems if DirectWrite is installed
Affected Products (continued)
Visual Studio .NET 2003 SP1; Office 2003, 2007, and all editions of 2010
MS13-055: Cumulative Security Update for Internet Explorer
(2846071)
CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure
CVE-2013-3115, CVE-2013-3143, CVE-2013-3144 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3147, CVE-2013-3149, CVE-2013-3150, CVE-2013-3164, CVE-2013-3145 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3148, CVE-2013-3161, CVE-2013-3162, CVE-2013-3153 | Critical | 3 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3151, CVE-2013-3163 | Critical | 2 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3146, CVE-2013-3152 | Critical | 1 | NA | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3166 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed
Affected Products
IE6 – IE10 on all supported versions of Windows Client
IE6 – IE10 on all supported versions of Windows Server
Affected Components
Internet Explorer
Deployment Priority
1
Main Target
Workstations
MS13-055: Cumulative Security Update for Internet Explorer
(2846071) Continued
Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability
through Internet Explorer and then convince a user to view the website. (All CVEs)
• The attacker could take advantage of compromised websites and websites that accept or host user-provided
content or advertisements. (All CVEs)
Impact of Attack
• An attacker could gain the same user rights as the current user (All CVEs except CVE-2013-3166)
• An attacker who successfully exploited this vulnerability could view content from another domain or Internet
Explorer zone (CVE-2013-3166)
Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open
HTML email messages in the Restricted sites zone. (All CVEs)
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and
Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. (All CVEs)
Additional Information
• Installations using Server Core not affected. (All CVEs)
• Updates for Windows RT are only available via Windows Update
• Microsoft is aware of targeted attacks attempting to exploit the vulnerability described in CVE-2013-3163.
MS13-056: Vulnerability in Microsoft DirectShow Could Allow
Remote Code Execution (2845187)
CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure
CVE-2013-3174 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products
All supported versions of Windows and Windows Server (except Windows Server 2008 for Itanium, Windows Server
2012, and Windows RT)
Affected Components
DirectShow
Deployment Priority
2
Main Target
Servers
Possible Attack Vectors
• Web-based: an attacker would have to host a web site that contains specially crafted content (GIF
file) that is used to attempt to exploit this vulnerability
• Email: an attacker could exploit the vulnerability by sending a specially crafted GIF file as a mail
attachment and by convincing the user to open the file
Impact of Attack
• If a user is logged on with administrative user rights, an attacker who successfully exploited this
vulnerability could take complete control of an affected system.
Mitigating Factors
• The vulnerability cannot be exploited automatically through e-mail.
• An attacker could not force a user to visit a malicious website or click on a malicious link
Additional Information
• Installations using Server Core are not affected.
MS13-057: Vulnerability in Windows Media Format Runtime
Could Allow Remote Code Execution (2847883)
CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure
CVE-2013-3127 | Critical | 2 | 2 | Remote Code Execution | Cooperatively Disclosed
Affected Products
WMFR 9, 9.5, 11 and wmv9vcm.dll (codec) installed on Windows XP; WMFR 9.5 and wmv9vcm.dll
(codec) installed on Windows Server 2003, WMFR 11 and wmv9vcm.dll (codec) installed on Windows
Server 2008 (except Itanium); Windows Media Player 12 on Windows 7, Windows Server 2008 R2,
Windows 8, Windows Server 2012, and Windows RT
Affected Components
Windows Media Format Runtime (WMFR)
Deployment Priority
2
Main Target
Workstations
Possible Attack Vectors
• An attacker could exploit the vulnerability by hosting a specially crafted media file on a network
location and convincing a user to open the file
Impact of Attack
• An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on
user
Mitigating Factors
• The vulnerability cannot be exploited automatically through e-mail
• An attacker could not force a user to visit a malicious website or click on a malicious link
Additional Information
• Windows Server 2008 installations using Server Core are not affected.
• This is not a supported or shipped product beyond Windows XP; the Vista/Windows Server 2008
parts of this update are to protect customers in an upgrade scenario only.
MS13-058: Vulnerability in Windows Defender Could Allow
Elevation of Privilege (2847927)
CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure
CVE-2013-3154 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed
Affected Products
Windows Defender for Windows 7 32bit and x64, Windows Defender when installed on Windows Server
2008 R2 x64
Affected Components
Windows Defender
Deployment Priority
3
Main Target
Windows 7 workstations
Possible Attack Vectors
• To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could
then place a specially crafted application in a location that could be used to exploit the vulnerability
Impact of Attack
• An attacker who successfully exploited this vulnerability could execute arbitrary code in the security
context of the LocalSystem account and take complete control of the system
Mitigating Factors
• An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not
be exploited by anonymous users.
• In a Windows 7 default configuration, a user running as a standard user account does not have
permissions to write files to the root directory on the system
Additional Information
• If a customer is running Windows 7 but Windows Defender is disabled, this update is not required.
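The MS13-058 mitigating factor above depends on the default ACL of the system drive's root directory. The PowerShell check below is an added example, not part of the webcast: it lists allow entries that let broad non-administrative groups create files there. The function name Get-RootWriteFindings and the chosen SID list are assumptions made for illustration.

```powershell
# Added example, not from the webcast: audit the system-drive root ACL for the
# MS13-058 mitigating factor (standard users cannot write files to the root).
# Simplification: Deny entries and group nesting are not evaluated.

# Well-known SIDs of broad, non-administrative principals (language independent).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# On a directory, WriteData means "create files"; AppendData only means
# "create subfolders" and is therefore not flagged here.
$CreateFiles  = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$GenericWrite = 0x40000000   # raw GENERIC_WRITE bit, sometimes stored unmapped
$GenericAll   = 0x10000000   # raw GENERIC_ALL bit

function Get-RootWriteFindings {   # hypothetical helper name
    param([string]$Path = "$env:SystemDrive\")

    $acl     = Get-Acl -Path $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = $acl.GetAccessRules($true, $true, $sidType)

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if (-not $BroadSids.ContainsKey($sid))   { continue }
        if ($rule.AccessControlType -ne 'Allow') { continue }

        # Inherit-only entries apply to children, not to the root folder itself.
        $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($rule.PropagationFlags -band $inheritOnly) { continue }

        $mask = [int]$rule.FileSystemRights
        if ($mask -band ($CreateFiles -bor $GenericWrite -bor $GenericAll)) {
            New-Object PSObject -Property @{
                Path     = $Path
                Identity = $BroadSids[$sid]
                Rights   = $rule.FileSystemRights
            }
        }
    }
}

# No output means no broad principal can create files in the root directory.
Get-RootWriteFindings | Format-Table Path, Identity, Rights -AutoSize
```

Any row it prints is a deviation from the default the slide relies on and should be reviewed alongside deployment of the update.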
• Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
• Added the 2857645 update to the Current Update section for all supported editions of Windows 8,
Windows Server 2012, and Windows RT
• The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-17
Detection & Deployment
[Table: detection and deployment support for MS13-052 through MS13-058 by tool: Windows Update, Microsoft Update, MBSA, WSUS 3.0, SMS 2003 with ITMU, Configuration Manager; cell entries read "Yes", some with footnote markers 1 to 5]
1. The MBSA does not support detection on Windows 8, Windows RT, and Windows Server 2012.
2. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.
3. Mac is not supported by our detection tools.
4. Microsoft Office, Visual Studio, and Lync are not serviced by Windows Update.
5. The update for Visual Studio is available through the Download Center only.
Other Update Information
Bulletin | Product / Component | Restart | Uninstall | Replaces
MS13-052 | .NET/Silverlight | Maybe | Yes | MS13-004, MS12-034, MS12-074, MS11-078, MS10-060, MS12-035, MS12-034, MS13-022
MS13-053 | Kernel-Mode Driver | Yes | Yes | MS13-046, MS13-036
MS13-054 | GDI+ | Maybe | Yes | MS12-034, MS09-062, MS13-041
MS13-055 | Internet Explorer | Yes | Yes | MS13-047
MS13-056 | DirectShow | Maybe | Yes | None
MS13-057 | Media Format Runtime | Maybe | Yes | None
MS13-058 | Windows Defender | No | Yes | None
• Microsoft will not add any new families to the MSRT during this release
• Version 5 of MSRT is now available on DLC and for Microsoft Update customers who manually check
• Available as a priority update through Windows Update or Microsoft Update
• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove
http://blogs.technet.com/msrc
http://blogs.technet.com/srd
http://blogs.technet.com/mmpc/
www.microsoft.com/technet/security/bulletin/summary.mspx
www.microsoft.com/technet/security/current.aspx
www.microsoft.com/technet/security/advisory/
• @MSFTSecResponse
Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx
www.microsoft.com/technet/security/bulletin/notify.mspx
www.microsoft.com/technet/security/secnews
Other Resources
http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
http://www.microsoft.com/security/msrc/mapp/partners.mspx
• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC blog: http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx