Webcast Deck - October 2013 - Customer Ready

• To receive our video stream in Live Meeting:
- Click on “Voice & Video”
- Click the drop down next to the camera icon
- Select “Show Main Video”
• Dial-in Information:
- 1 (877) 593-2001
Pin: 3959
• Review of October 2013 Bulletin Release Information
- Eight New Security Bulletins
- One updated Security Advisory
- Microsoft Windows Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now
- Submit Questions via Twitter #MSFTSecWebcast
Severity & Exploitability Index
[Chart: for each bulletin, MS13-080 (Internet Explorer), MS13-081 (Kernel-Mode Drivers), MS13-082 (.NET Framework), MS13-083 (Common Controls), MS13-084 (SharePoint), MS13-085 (Excel), MS13-086 (Word) and MS13-087 (Silverlight), the chart plots Severity (Low, Moderate, Important, Critical) as impact, Exploitability Index (1 to 3) as risk, and deployment priority (DP).]
Bulletin Deployment Priority
Bulletin | Product/Component | KB # | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority
MS13-080 | IE | 2879017 | Public | Critical | 1 | RCE | 1
MS13-081 | KMD | 2870008 | Private | Critical | 1 | RCE | 1
MS13-083 | Common Controls | 2864058 | Private | Critical | 1 | RCE | 1
MS13-082 | .NET | 2878890 | Public | Critical | 2 | RCE | 2
MS13-085 | Excel | 2885080 | Private | Important | 1 | RCE | 2
MS13-086 | Word | 2885084 | Private | Important | 1 | RCE | 2
MS13-084 | SharePoint | 2885089 | Private | Important | 1 | RCE | 3
MS13-087 | Silverlight | 2890788 | Private | Important | 3 | Info Disc | 3
MS13-080: Cumulative Security Update for Internet Explorer (2879017)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3872, CVE-2013-3873, CVE-2013-3874, CVE-2013-3875, CVE-2013-3882, CVE-2013-3885, CVE-2013-3886 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3893 | Critical | 1 | 1 | Remote Code Execution | Publicly Disclosed
CVE-2013-3897 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products
• IE6 – IE11 on all supported versions of Windows Server (except for IE11 on Windows Server 2008 R2 x64)
• IE6 – IE11 on all supported versions of Windows Client (except for IE11 on Windows 7)
Affected Components
Internet Explorer
Deployment Priority
1
Main Target
Workstations
Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through
Internet Explorer and then convince a user to view the website. (All CVEs)
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. (All CVEs)
Impact of Attack
• An attacker could gain the same user rights as the current user. (All CVEs)
Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open
HTML email messages in the Restricted sites zone. (All CVEs)
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration.
(All CVEs)
Additional Information
• Installations using Server Core are not affected.
MS13-081: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3128 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3894 | Critical | NA | 2 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3200, CVE-2013-3880, CVE-2013-3881 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3879, CVE-2013-3888 | Important | NA | 2 | Elevation of Privilege | Cooperatively Disclosed
Affected Products
All supported versions of Windows Client and Windows Server through Windows 8
Affected Components
Kernel-Mode Driver
Deployment Priority
1
Main Target
Workstations
Possible Attack Vectors
• An attacker could exploit the vulnerability by convincing a user to view a specially crafted font. (CVE-2013-3128/3894)
• An attacker could exploit the vulnerability by inserting a malicious USB device into the system. (CVE-2013-3200)
All other CVEs
• For an attacker to exploit this vulnerability, a user would have to execute a specially crafted
application.
• In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted
application to a user and convincing them to run it.
Impact of Attack
CVE-2013-3880
• An attacker who successfully exploited this vulnerability could disclose info from a different App
Container
All other CVEs
• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
Mitigating Factors
CVE-2013-3128/3894
• An attacker would have no way to force users to visit specially crafted websites.
• An attacker would have to convince users to visit the website and open the specially crafted font
CVE-2013-3200
• In a default scenario, an attacker would require physical access to exploit this vulnerability.
All other CVEs
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability
or convince a locally authenticated user to execute a specially crafted application.
• Installations using Server Core are affected.
Additional Information
CVE-2013-3128/3894
• Disable Preview Pane and Details Pane in Windows Explorer
• CVE-2013-3128 is shared with MS13-082 Vulnerabilities in .NET Framework Could Allow Remote
Code Execution. Both updates are required to fully address this issue.
MS13-082: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3128 | Critical | 2 | 2 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3860, CVE-2013-3861 | Important | 3 | 3 | Denial of Service | Cooperatively Disclosed
Affected Products
• .NET Framework 3.0, .NET Framework 3.5, .NET Framework 3.5.1 SP1, .NET Framework 4, and .NET Framework 4.5 on all supported versions of Windows Client and Windows Server.
• .NET Framework 2.0 SP2 and .NET Framework 3.5.1, on all supported versions of Windows Client and Windows Server.
Affected Components
.NET Framework
Deployment Priority
2
Main Target
Workstations and Servers that run .NET and/or WCF
Possible Attack Vectors
• In a .NET application attack scenario, an attacker could host an XAML Browser Application (XBAP)
containing a specially crafted OTF file on a website (CVE-2013-3128)
• In a .NET application attack scenario, an attacker could cause an application or server to crash or
become unresponsive until an administrator restarts the application or server. (CVE-2013-3860/3861)
Impact of Attack
• An attacker who successfully exploited this vulnerability could execute code in the context of the
logged on user. (CVE-2013-3128)
• An attacker could cause an application or server to crash or become unresponsive until an
administrator restarts the application or server. (CVE-2013-3860/3861)
Mitigating Factors
• Microsoft has not identified any mitigating factors for this vulnerability. (CVE-2013-3128)
• Affected systems do not accept and validate XML digital signatures by default. (CVE-2013-3860)
• Affected systems do not accept and validate JSON data by default. (CVE-2013-3861)
Additional Information
• .NET Framework 4 and .NET Framework 4 Client Profile affected.
• CVE-2013-3128 is shared with MS13-081 Vulnerabilities in Windows Kernel-Mode Drivers Could
Allow Remote Code Execution. Both updates are required to fully address this issue.
MS13-083: Vulnerabilities in Windows Common Control Library Could Allow Remote Code Execution (2864058)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3195 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products
• All supported 32-bit versions of Windows Client and Windows Server (except Windows XP and Windows 8.1)
• All supported 64-bit versions of Windows Client and Windows Server (except Windows 8.1)
Affected Components
Microsoft Common Control Library
Deployment Priority
1
Main Target
Web application servers
Possible Attack Vectors
• An attacker could exploit the vulnerability by sending a specially crafted request to an affected
system.
Impact of Attack
• An attacker who successfully exploited this vulnerability could gain the same rights as the logged on
user.
Mitigating Factors
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local
user
Additional Information
• Installations using Server Core are affected.
• Severity ratings do not apply to 32-bit software because the known attack vectors for the
vulnerability discussed in this bulletin are blocked in a default configuration.
MS13-084: Vulnerabilities in SharePoint Could Allow Remote Code Execution (2885089)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3889 | Important | 1 | 2 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3895 | Important | NA | 3 | Elevation of Privilege | Cooperatively Disclosed
Affected Products
Microsoft SharePoint Server 2007, 2010 and 2013, All supported versions of Excel Services, Word Automation
Services, and Web Services for SharePoint Server 2007, 2010 and 2013, Office Web Apps 2010
Affected Components
SharePoint
Deployment Priority
3
Main Target
Servers where SharePoint is installed
Possible Attack Vectors
• This vulnerability requires that a user open a specially crafted Office file with an affected version of Microsoft Excel software. (CVE-2013-3889)
• An unauthenticated attacker could create a specially crafted page and then convince an authenticated SharePoint user to visit the page. (CVE-2013-3895)
Impact of Attack
• An attacker who successfully exploited this vulnerability could cause arbitrary code to run in the security context of the current user. (CVE-2013-3889)
• An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the browser of the victim. (CVE-2013-3895)
Mitigating Factors
• An attacker would have no way to force users to open specially crafted Office files. (CVE-2013-3889)
• Microsoft has not identified any mitigating factors for these vulnerabilities. (CVE-2013-3895)
Additional Information
• CVE-2013-3889 is also addressed by MS13-085 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution. Both updates are required to fully address this issue.
MS13-085: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2885080)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3889 | Important | 1 | 2 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3890 | Important | NA | 3 | Remote Code Execution | Cooperatively Disclosed
Affected Products
All supported versions of Microsoft Office (except 2003 SP3), Excel Viewer, and Office Compatibility
Pack SP3
Affected Components
Microsoft Office
Deployment Priority
2
Main Target
Workstations
Possible Attack Vectors
• This vulnerability requires that a user open a specially crafted Office file with an affected version of
Microsoft Excel software. (CVE-2013-3889)
• This vulnerability requires that a user open a specially crafted Office file with an affected version of
Microsoft Office software. (CVE-2013-3890)
Impact of Attack
• An attacker who successfully exploited this vulnerability could cause arbitrary code to run in the
security context of the current user. (All CVEs)
Mitigating Factors
• An attacker would have no way to force users to open specially crafted Office or Excel files.
• CVE-2013-3889 is also addressed by MS13-084 Vulnerabilities in Microsoft SharePoint Server Could
Allow Remote Code Execution. Both updates are required to fully address this issue.
MS13-086: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2885084)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3891 | Important | NA | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3892 | Important | NA | 3 | Remote Code Execution | Cooperatively Disclosed
Affected Products
Microsoft Word 2003, Microsoft Word 2007, and Microsoft Office Compatibility Pack
Affected Components
Microsoft Word
Deployment Priority
2
Main Target
Workstations
Possible Attack Vectors
• Exploitation of this vulnerability requires that a user open a specially crafted file with an affected
version of Microsoft Office software. (All CVEs)
Impact of Attack
• An attacker who successfully exploited this vulnerability could cause arbitrary code to run in the
security context of the current user. (All CVEs)
Mitigating Factors
• An attacker would have no way to force users to open specially crafted Office files.
• Install and configure MOICE to be the registered handler for .doc files.
• Use Microsoft Office File Block policy to prevent the opening of .doc and .dot binary files
MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-2896 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed
Affected Products
Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac and all
supported versions of Windows Client (except Windows RT) and Windows Server
Affected Components
Silverlight
Deployment Priority
3
Main Target
Workstations
Possible Attack Vectors
• An attacker could host a website that contains a specially crafted Silverlight application designed to
exploit this vulnerability and then convince a user to view the website.
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements.
Impact of Attack
• An attacker could disclose information on the local system.
Mitigating Factors
• An attacker cannot force users to visit specially crafted websites.
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008
R2 and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security
Configuration.
Additional Information
• Microsoft Silverlight build 5.1.20913.0, which was the current build of Microsoft Silverlight when this
bulletin was first released, addresses the vulnerability and is not affected. Builds of Microsoft
Silverlight prior to 5.1.20913.0 are affected.
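An added example, not part of the original deck or of Microsoft's tooling: a PowerShell 3.0+ check that compares the locally installed Silverlight build against 5.1.20913.0, the fixed build stated above. The registry locations of the Silverlight Version value and the function name Get-SilverlightStatus are assumptions of this example.

```powershell
# Added example: flag Silverlight installs older than the fixed build named in MS13-087.
$FixedBuild = [version]'5.1.20913.0'   # build number taken from the bulletin text

function Get-SilverlightStatus {
    # Hypothetical helper: classifies one version string as
    # NotInstalled, Unparseable, Affected or Fixed.
    param([string]$VersionString)

    if ([string]::IsNullOrWhiteSpace($VersionString)) { return 'NotInstalled' }

    $parsed = $null
    if (-not [version]::TryParse($VersionString.Trim(), [ref]$parsed)) {
        return 'Unparseable'          # report it instead of guessing
    }
    if ($parsed -lt $FixedBuild) { return 'Affected' }
    return 'Fixed'
}

# Assumed registry locations of the Silverlight "Version" value
# (native view and the 32-bit view on 64-bit Windows).
$keys = 'HKLM:\SOFTWARE\Microsoft\Silverlight',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Silverlight'

foreach ($key in $keys) {
    $version = $null
    if (Test-Path $key) {
        $version = (Get-ItemProperty -Path $key -Name Version -ErrorAction SilentlyContinue).Version
    }
    # One result object per registry view, suitable for Export-Csv or remote collection.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Key      = $key
        Version  = $version
        Status   = Get-SilverlightStatus $version
    }
}
```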
Detection & Deployment
Bulletin
Windows
Update
Microsoft
Update
MS13-080
IE
Yes
Yes
Yes
MS13-081
KMD
Yes
Yes3
Yes1
MS13-082
.NET
Yes
Yes
Yes
MS13-083
Common Ctls
Yes
Yes
Yes1
Yes
Yes
Yes
MS13-084
SharePoint
No
Yes
Yes
Yes
Yes
Yes
MS13-085
Excel
No
Yes3
Yes2,3
Yes2,3
Yes2,3
Yes2,3
MS13-086
Word
No
Yes
Yes
Yes
Yes
Yes
MS13-087
Silverlight
Yes
3
Yes
3
MBSA
Yes
1,2
1,2
1,2,3
WSUS 3.0
Yes
2
Yes
Yes
Yes
2
2,3
SMS 2003 with
ITMU
Yes
2
Yes
Yes
Yes
2
2,3
Configuration
Manager
Yes
2
Yes
Yes
Yes
2
2,3
1. The MBSA does not support detection on Windows 8, Windows RT, and Windows Server 2012.
2. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.
3. Mac is not supported by detection tools.
Other Update Information
Bulletin | Restart | Uninstall | Replaces
MS13-080 (IE) | Yes | Yes | MS13-069
MS13-081 (KMD) | Yes | Yes | MS13-076, MS13-046, MS12-078
MS13-082 (.NET) | Maybe | Yes | MS13-052, MS13-040, MS11-100
MS13-083 (Common Ctls) | Yes | Yes | MS10-081
MS13-084 (SharePoint) | Maybe | No | MS13-067
MS13-085 (Excel) | Maybe | Yes | MS13-073, MS11-072
MS13-086 (Word) | Maybe | Yes | MS13-072
MS13-087 (Silverlight) | No | Yes | MS13-052
• During this release, Microsoft will increase/add detection capability for the following families in the MSRT:
  • Win32/Shiotob - a family of trojans that monitors network activities of the affected system to steal system information and user credentials.
  • Win32/Foidan - a family of trojans that monitors and may also change internet traffic of an affected computer.
• Available as a priority update through Windows Update or Microsoft Update
• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove
• http://blogs.technet.com/msrc
• http://blogs.technet.com/srd
• http://blogs.technet.com/mmpc/
• www.microsoft.com/technet/security/bulletin/summary.mspx
• www.microsoft.com/technet/security/current.aspx
• www.microsoft.com/technet/security/advisory/
• @MSFTSecResponse
Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx
• www.microsoft.com/technet/security/bulletin/notify.mspx
• www.microsoft.com/technet/security/secnews
Other Resources
• http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• http://www.microsoft.com/security/msrc/mapp/partners.mspx
• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC blog: http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx