• To receive our video stream in Live Meeting:
  - Click on “Voice & Video”
  - Click the drop down next to the camera icon
  - Select “Show Main Video”
• Dial-in Information:
  - 1 (877) 593-2001 Pin: 3959

• Review of October 2013 Bulletin Release Information
  - Eight New Security Bulletins
  - One updated Security Advisory
  - Microsoft Windows Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now
  - Submit Questions via Twitter #MSFTSecWebcast

[Figure: Severity & Exploitability Index chart for MS13-080 through MS13-087; axes: Impact (Severity) and Risk (Exploitability Index)]

Bulletin Deployment Priority

| Bulletin | Product/Component | KB # | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority |
|---|---|---|---|---|---|---|---|
| MS13-080 | IE | 2879017 | Public | Critical | 1 | RCE | 1 |
| MS13-081 | KMD | 2870008 | Private | Critical | 1 | RCE | 1 |
| MS13-083 | Common Controls | 2864058 | Private | Critical | 1 | RCE | 1 |
| MS13-082 | .NET | 2878890 | Public | Critical | 2 | RCE | 2 |
| MS13-085 | Excel | 2885080 | Private | Important | 1 | RCE | 2 |
| MS13-086 | Word | 2885084 | Private | Important | 1 | RCE | 2 |
| MS13-084 | SharePoint | 2885089 | Private | Important | 1 | RCE | 3 |
| MS13-087 | Silverlight | 2890788 | Private | Important | 3 | Info Disc | 3 |

MS13-080: Cumulative Security Update for Internet Explorer (2879017)

| CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3872, CVE-2013-3873, CVE-2013-3874, CVE-2013-3875, CVE-2013-3882, CVE-2013-3885, CVE-2013-3886 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3893 | Critical | 1 | 1 | Remote Code Execution | Publicly Disclosed |
| CVE-2013-3897 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products
• IE6 – IE11 on all supported versions of Windows Server (except for IE11 on Windows Server 2008 R2 x64)
• IE6 – IE11 on all supported versions of Windows Client (except for IE11 on Windows 7)
Affected Components: Internet Explorer
Deployment Priority: 1
Main Target: Workstations

Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (All CVEs)
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. (All CVEs)

Impact of Attack
• An attacker could gain the same user rights as the current user. (All CVEs)

Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. (All CVEs)
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. (All CVEs)

Additional Information
• Installations using Server Core are not affected.

MS13-081: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)

| CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3128 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3894 | Critical | NA | 2 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3200, CVE-2013-3880, CVE-2013-3881 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2013-3879, CVE-2013-3888 | Important | NA | 2 | Elevation of Privilege | Cooperatively Disclosed |

Affected Products: All supported versions of Windows Client and Windows Server through Windows 8
Affected Components: Kernel-Mode Driver
Deployment Priority: 1
Main Target: Workstations

Possible Attack Vectors
• An attacker could exploit the vulnerability by convincing a user to view a specially crafted font. (CVE-2013-3128/3894)
• An attacker could exploit the vulnerability by inserting a malicious USB device into the system. (CVE-2013-3200)
All other CVEs
• For an attacker to exploit this vulnerability, a user would have to execute a specially crafted application.
• In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted application to a user and convincing them to run it.

Impact of Attack
CVE-2013-3880
• An attacker who successfully exploited this vulnerability could disclose info from a different App Container.
All other CVEs
• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Mitigating Factors
CVE-2013-3128/3894
• An attacker would have no way to force users to visit specially crafted websites.
• An attacker would have to convince users to visit the website and open the specially crafted font.
CVE-2013-3200
• In a default scenario, an attacker would require physical access to exploit this vulnerability.
All other CVEs
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability or convince a locally authenticated user to execute a specially crafted application.

Additional Information
• Installations using Server Core are affected.
CVE-2013-3128/3894
• Disable Preview Pane and Details Pane in Windows Explorer
• CVE-2003-3128 is shared with MS13-082 Vulnerabilities in .NET Framework Could Allow Remote Code Execution. Both updates are required to fully address this issue.

MS13-082: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)

| CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3128 | Critical | 2 | 2 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3860, CVE-2013-3861 | Important | 3 | 3 | Denial of Service | Cooperatively Disclosed |

Affected Products
• .NET Framework 3.0, .NET Framework 3.5, .NET Framework 3.5.1 SP1, .NET Framework 4, and .NET Framework 4.5 on all supported versions of Windows Client and Windows Server.
• .NET Framework 2.0 SP2 and .NET Framework 3.5.1, on all supported versions of Windows Client and Windows Server.
Affected Components: .NET Framework
Deployment Priority: 2
Main Target: Workstations and Servers that run .NET and/or WCF

Possible Attack Vectors
• In a .NET application attack scenario, an attacker could host an XAML Browser Application (XBAP) containing a specially crafted OTF file on a website. (CVE-2013-3128)
• In a .NET application attack scenario, an attacker could cause an application or server to crash or become unresponsive until an administrator restarts the application or server. (CVE-2013-3860/3861)

Impact of Attack
• An attacker who successfully exploited this vulnerability could execute code in the context of the logged on user. (CVE-2013-3128)
• An attacker could cause an application or server to crash or become unresponsive until an administrator restarts the application or server. (CVE-2013-3860/3861)

Mitigating Factors
• Microsoft has not identified any mitigating factors for this vulnerability. (CVE-2013-3128)
• Affected systems do not accept and validate XML digital signatures by default. (CVE-2013-3860)
• Affected systems do not accept and validate JSON data by default. (CVE-2012-3861)

Additional Information
• .NET Framework 4 and .NET Framework 4 Client Profile affected.
• CVE-2003-3128 is shared with MS13-081 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution. Both updates are required to fully address this issue.

MS13-083: Vulnerabilities in Windows Common Control Library Could Allow Remote Code Execution (2864058)

| CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3195 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products
• All supported 32-bit versions of Windows Client and Windows Server (except Windows XP and Windows 8.1)
• All supported 64-bit versions of Windows Client and Windows Server (except Windows 8.1)
Affected Components: Microsoft Common Control Library
Deployment Priority: 1
Main Target: Web application servers

Possible Attack Vectors
• An attacker could exploit the vulnerability by sending a specially crafted request to an affected system.

Impact of Attack
• An attacker who successfully exploited this vulnerability could gain the same rights as the logged on user.

Mitigating Factors
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user

Additional Information
• Installations using Server Core are affected.
• Severity ratings do not apply to 32-bit software because the known attack vectors for the vulnerability discussed in this bulletin are blocked in a default configuration.

MS13-084: Vulnerabilities in SharePoint Could Allow Remote Code Execution (2885059)

| CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3889 | Important | 1 | 2 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3895 | Important | NA | 3 | Elevation of Privilege | Cooperatively Disclosed |

Affected Products: Microsoft SharePoint Server 2007, 2010 and 2013, All supported versions of Excel Services, Word Automation Services, and Web Services for SharePoint Server 2007, 2010 and 2013, Office Web Apps 2010
Affected Components: SharePoint
Deployment Priority: 3
Main Target: Servers where SharePoint is installed

Possible Attack Vectors
• This vulnerability requires that a user open a specially crafted Office file with an affected version of Microsoft Excel software. (CVE-2013-3889)
• An unauthenticated attacker could create a specially crafted page and then convince an authenticated SharePoint user to visit the page. (CVE-2013-3895)

Impact of Attack
• An attacker who successfully exploited this vulnerability could cause arbitrary code to run in the security context of the current user. (CVE-2013-3889)
• An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the browser of the victim. (CVE-2013-3895)

Mitigating Factors
• An attacker would have no way to force users to open specially crafted Office files. (CVE-2013-3889)
• Microsoft has not identified any mitigating factors for these vulnerabilities. (CVE-2013-3895)

Additional Information
• CVE-2013-3889 is also addressed by MS13-085 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution. Both updates are required to fully address this issue.

MS13-085: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2885080)

| CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3889 | Important | 1 | 2 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3890 | Important | NA | 3 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: All supported versions of Microsoft Office (except 2003 SP3), Excel Viewer, and Office Compatibility Pack SP3
Affected Components: Microsoft Office
Deployment Priority: 2
Main Target: Workstations

Possible Attack Vectors
• This vulnerability requires that a user open a specially crafted Office file with an affected version of Microsoft Excel software. (CVE-2013-3889)
• This vulnerability requires that a user open a specially crafted Office file with an affected version of Microsoft Office software. (CVE-2013-3890)

Impact of Attack
• An attacker who successfully exploited this vulnerability could cause arbitrary code to run in the security context of the current user. (All CVEs)

Mitigating Factors
• An attacker would have no way to force users to open specially crafted Office or Excel files.
• CVE-2013-3889 is also addressed by MS13-084 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution. Both updates are required to fully address this issue.

MS13-086: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2885084)

| CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-3891 | Important | NA | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2013-3892 | Important | NA | 3 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: Microsoft Word 2003, Microsoft Word 2007, and Microsoft Office Compatibility Pack
Affected Components: Microsoft Word
Deployment Priority: 2
Main Target: Workstations

Possible Attack Vectors
• Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. (All CVEs)

Impact of Attack
• An attacker who successfully exploited this vulnerability could cause arbitrary code to run in the security context of the current user. (All CVEs)

Mitigating Factors
• An attacker would have no way to force users to open specially crafted Office files.
• Install and configure MOICE to be the registered handler for .doc files.
• Use Microsoft Office File Block policy to prevent the opening of .doc and .dot binary files

MS13-087: Vulnerability in Silverlight Could Allow Information Disclosure (2890788)

| CVE | Severity | Exploitability (Latest) | Exploitability (Older) | Impact | Disclosure |
|---|---|---|---|---|---|
| CVE-2013-2896 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed |

Affected Products: Microsoft Silverlight 5 and Microsoft Silverlight 5 Developer Runtime when installed on Mac and all supported versions of Windows Client (except Windows RT) and Windows Server
Affected Components: Silverlight
Deployment Priority: 3
Main Target: Workstations

Possible Attack Vectors
• An attacker could host a website that contains a specially crafted Silverlight application designed to exploit this vulnerability and then convince a user to view the website.
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements.

Impact of Attack
• An attacker could disclose information on the local system.

Mitigating Factors
• An attacker cannot force users to visit specially crafted websites.
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration.

Additional Information
• Microsoft Silverlight build 5.1.20913.0, which was the current build of Microsoft Silverlight when this bulletin was first released, addresses the vulnerability and is not affected. Builds of Microsoft Silverlight prior to 5.1.20913.0 are affected.

Detection & Deployment

Bulletin Windows Update Microsoft Update
MS13-080 IE Yes Yes Yes
MS13-081 KMD Yes Yes3 Yes1
MS13-082 .NET Yes Yes Yes
MS13-083 Common Ctls Yes Yes Yes1 Yes Yes Yes
MS13-084 SharePoint No Yes Yes Yes Yes Yes
MS13-085 Excel No Yes3 Yes2,3 Yes2,3 Yes2,3 Yes2,3
MS13-086 Word No Yes Yes Yes Yes Yes
MS13-087 Silverlight Yes 3 Yes 3
MBSA Yes 1,2 1,2 1,2,3
WSUS 3.0 Yes 2 Yes Yes Yes 2 2,3
SMS 2003 with ITMU Yes 2 Yes Yes Yes 2 2,3
Configuration Manager Yes 2 Yes Yes Yes 2 2,3

1. The MBSA does not support detection on Windows 8, Windows RT, and Windows Server 2012.
2. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.
3. Mac is not supported by detection tools.

Other Update Information

| Bulletin | Restart | Uninstall | Replaces |
|---|---|---|---|
| MS13-080 IE | Yes | Yes | MS13-069 |
| MS13-081 KMD | Yes | Yes | MS13-076, MS13-046, MS12-078 |
| MS13-082 .NET | Maybe | Yes | MS13-052, MS13-040, MS11-100 |
| MS13-083 Common Ctls | Yes | Yes | MS10-081 |
| MS13-084 SharePoint | Maybe | No | MS13-067 |
| MS13-085 Excel | Maybe | Yes | MS13-073, MS11-072 |
| MS13-086 Word | Maybe | Yes | MS13-072 |
| MS13-087 Silverlight | No | Yes | MS13-052 |

• During this release, Microsoft will increase/add detection capability for the following families in the MSRT:
  - Win32/Shiotob - a family of trojans that monitors network activities of the affected system to steal system information and user credentials.
  - Win32/Foidan - a family of trojans that monitors and may also change the internet traffic of an affected computer.
• Available as a priority update through Windows Update or Microsoft Update
• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove

• http://blogs.technet.com/msrc
• http://blogs.technet.com/srd
• http://blogs.technet.com/mmpc/
• www.microsoft.com/technet/security/bulletin/summary.mspx
• www.microsoft.com/technet/security/current.aspx
• www.microsoft.com/technet/security/advisory/
• @MSFTSecResponse

Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx

• www.microsoft.com/technet/security/bulletin/notify.mspx
• www.microsoft.com/technet/security/secnews

Other Resources
• http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• http://www.microsoft.com/security/msrc/mapp/partners.mspx

• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC blog: http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx