Information About Microsoft May 2012 Security Bulletins

Dial In Number 1-800-227-8104 Pin: 3879

Dustin Childs, Sr. Security Program Manager, Microsoft Corporation

Pete Voss, Sr. Response Communications Manager, Microsoft Corporation


Live Video Stream

• To receive our video stream in LiveMeeting:
  – Click on Voice & Video
  – Click the drop down next to the camera icon
  – Select Show Main Video

What We Will Cover

• Review of May 2012 Bulletin Release Information
  – New Security Bulletins
  – Security Advisory 2695962
  – Microsoft® Windows® Malicious Software Removal Tool

• Resources

• Questions and Answers: Please Submit Now
  – Submit Questions via Twitter #MSFTSecWebcast

Severity and Exploitability Index

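[Chart: Severity (impact: Critical, Important, Moderate, Low) and Exploitability Index (risk: 1, 2, 3) for each bulletin, with deployment priority (DP)]

| Bulletin | Product | DP |
|---|---|---|
| MS12-029 | Office | 1 |
| MS12-030 | Office | 2 |
| MS12-031 | Visio | 2 |
| MS12-032 | Windows | 3 |
| MS12-033 | Windows | 3 |
| MS12-034 | Office, Windows, .NET, Silverlight | 1 |
| MS12-035 | .NET | 2 |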

Bulletin Deployment Priority

| Bulletin | KB | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority | Notes |
|---|---|---|---|---|---|---|---|
| MS12-034 GDI+/TTF | 2681578 | Public | Critical | 1 | RCE | 1 | All updates are required for each affected product. |
| MS12-029 Word | 2680352 | Private | Critical | 1 | RCE | 1 | Does not affect Office 2010. |
| MS12-035 NETFX | 2693777 | Private | Critical | 1 | RCE | 2 | Both MS12-035 and MS12-034 required for NETFX. |
| MS12-030 Office | 2663830 | Public | Important | 1 | RCE | 2 | Multiple updates per product may be required. |
| MS12-031 Visio | 2597981 | Private | Important | 1 | RCE | 2 | Users should not open attachments from untrusted sources. |
| MS12-033 Partition Mgr. | 2690533 | Private | Important | 1 | EoP | 3 | Requires local system access. |
| MS12-032 TCP/IP | 2688338 | Public | Important | 1 | EoP | 3 | Elevation of privilege requires local system access. |

MS12-029: Vulnerability In Microsoft Word Could Allow Remote Code Execution (2680352)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-0183 | Critical | N/A | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: Office 2007 SP2, SP3, Office 2003 SP3, Office 2008 For Mac, Office For Mac 2011, Office Compatibility Pack SP2, Office Compatibility Pack SP3

Affected Components: Microsoft Word

Deployment Priority: 1

Main Target: Workstations

Possible Attack Vectors

• Web-Browsing Scenario: An attacker could host a website that contains an RTF file that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.

• Email Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an email attachment, and convince the user to open the attachment.

Impact of Attack

• An attacker who successfully exploited this vulnerability could cause arbitrary code to run with the privileges of the user who opens a specially crafted RTF file or previews or opens a specially crafted RTF email message.

Mitigating Factors

• An attacker would have no way to force a user to visit a malicious website.

Additional Information

• For Microsoft Word 2007, in addition to security update package KB2596917, customers also need to install the security update for Microsoft Office Compatibility Pack (KB2596880) to be protected from the vulnerability described in this bulletin.

• Workarounds:
  – Read email in plain text (for more, consult KB831607).
  – Use Office File Block Policy to block the opening of RTF documents from unknown or untrusted sources or locations.

MS12-030: Vulnerabilities In Microsoft Office Could Allow Remote Code Execution (2663830)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-0141 | Important | 3 | 3 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-0142 | Important | 3 | 3 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-0143 | Important | N/A | 1 | Remote Code Execution | Publicly Disclosed |
| CVE-2012-0184 | Important | 3 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-0185 | Important | 2 | 2 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-1847 | Important | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: Microsoft Office 2010 SP1, Office 2010, Office 2007 SP3, Office 2007 SP2, Office 2003 SP3, Office 2008 for Mac, Office for Mac 2011, Microsoft Excel Viewer, Office Compatibility Pack SP2 and SP3

Affected Components: Microsoft Excel

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vectors

• Web-Browsing Scenario: An attacker could host a website that contains a specially crafted Excel file that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.

• Email Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an email attachment, and convince the user to open the attachment.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.

Mitigating Factors

• An attacker would have no way to force users to visit a website or open an email attachment.

• The vulnerability cannot be exploited automatically through email. For an attack to be successful a user must open an attachment that is sent in an email message.

Additional Information

• For Microsoft Excel 2007, in addition to security update package KB2597161, customers also need to install the security update for the Microsoft Office Compatibility Pack (KB2597162).

• Microsoft Excel Viewer must be updated to a supported service pack level (Excel Viewer 2007 Service Pack 2 or Excel Viewer 2007 Service Pack 3) before installing this update.

MS12-031: Vulnerability In Microsoft Visio Viewer Could Allow Remote Code Execution (2597981)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-0018 | Important | 1 | N/A | Remote Code Execution | Cooperatively Disclosed |

Affected Products: All supported versions of Microsoft Visio Viewer 2010

Affected Components: Visio Viewer

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vectors

• Web-Browsing Scenario: An attacker could host a website that contains a Visio file that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.

• Email Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an email attachment, and convince the user to open the attachment.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user.

Mitigating Factors

• An attacker would have no way to force users to visit a website or open an email attachment.

• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.

• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted Sites Zone.

MS12-032: Vulnerability In TCP/IP Could Allow Elevation of Privilege (2688338)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-0174 | Important | N/A | N/A | Security Bypass | Cooperatively Disclosed |
| CVE-2012-0179 | Important | 1 | N/A | Elevation of Privilege | Publicly Disclosed |

Affected Products: All supported versions of Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Affected Components: Windows Firewall, TCP/IP

Deployment Priority: 3

Main Target: Workstations and Servers

Possible Attack Vectors

• CVE-2012-0174:
  • In order to use this vulnerability, an attacker would first have to gain access to the local subnet of the target computer. An attacker could then use another vulnerability to acquire information about the target system or execute code on the target system.

• CVE-2012-0179:
  • To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

Impact of Attack

• CVE-2012-0174:
  • An attacker who successfully exploited this vulnerability could bypass Windows Firewall.

• CVE-2012-0179:
  • An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process.

Mitigating Factors

• CVE-2012-0174:
  • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

• CVE-2012-0179:
  • Microsoft has not identified any mitigating factors for this vulnerability.

MS12-033: Vulnerability In Windows Partition Manager Could Allow Elevation of Privilege (2690533)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-0178 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |

Affected Products: All supported versions of Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2

Affected Components: Windows Partition Manager

Deployment Priority: 3

Main Target: Workstations and Servers

Possible Attack Vectors

• To exploit this vulnerability, an attacker would first have to log on to the system. Then, an attacker could run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system.

Mitigating Factors

• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Additional Information

• Installations using Server Core are affected.

MS12-034: Combined Security Update For Microsoft Office, Windows, .NET Framework, and Silverlight (2681578), Slide 1 of 3

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2011-3402 | Critical | 1 | 1 | Remote Code Execution | Publicly Disclosed |
| CVE-2012-0159 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-0162 | Critical | 1 | N/A | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-0164 | Moderate | N/A | N/A | Denial of Service | Publicly Disclosed |
| CVE-2012-0165 | Important | 2 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-0167 | Important | N/A | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-0176 | Critical | N/A | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-0180 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |
| CVE-2012-0181 | Important | 3 | 1 | Elevation of Privilege | Publicly Disclosed |
| CVE-2012-1848 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |

Affected Products and Components

All supported versions of Windows and Windows Server; All supported versions of .NET 3, .NET 3.5.1, and .NET 4; Microsoft Silverlight 4, Microsoft Silverlight 5

All supported versions of Office (except Compatibility Pack SP2 and SP3, and Office For Mac)

.NET Framework

Deployment Priority: 1

Main Target: Workstations and Servers

MS12-034: Combined Security Update For Microsoft Office, Windows, .NET Framework, and Silverlight (2681578), Slide 2 of 3

Possible Attack Vectors

• CVE-2011-3402, CVE-2012-0159, CVE-2012-0165:
  • File Sharing Scenario: An attacker could exploit this vulnerability by convincing a user to open a specially crafted document file or malicious image on a file or network share.

• CVE-2011-3402, CVE-2012-0159, CVE-2012-0162, CVE-2012-0165, CVE-2012-0176, CVE-2012-0167:
  • Web-Browsing Scenario: An attacker could host a website that contains a webpage that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability. In the case of CVE-2012-0167, a webpage would have to host a specially crafted Office document.

• CVE-2012-0159, CVE-2012-0180, CVE-2012-0181, CVE-2012-1848:
  • Local Attack Scenario: To exploit this vulnerability, an attacker would first have to log on to the system. Then, an attacker could run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

• CVE-2012-0164:
  • An unauthenticated attacker could send a small number of specially crafted requests to an affected site.

• CVE-2012-0165, CVE-2012-0167:
  • Email Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an email attachment, and convince the user to open the attachment.

Legend: CVE-2011-3402 RCE; CVE-2012-0159 RCE; CVE-2012-0162 RCE; CVE-2012-0164 DoS; CVE-2012-0165 RCE; CVE-2012-0167 RCE; CVE-2012-0176 RCE; CVE-2012-0180 EoP; CVE-2012-0181 EoP; CVE-2012-1848 EoP

MS12-034: Combined Security Update For Microsoft Office, Windows, .NET Framework, and Silverlight (2681578), Slide 3 of 3

Impact of Attack

• CVE-2011-3402, CVE-2012-0159, CVE-2012-0162, CVE-2012-0165, CVE-2012-0167, CVE-2012-0176:
  • An attacker successfully exploiting this issue could gain the same user rights as a logged-on user.

• CVE-2012-0159:
  • An attacker who successfully exploited this vulnerability could run arbitrary code in Kernel mode and take complete control of an affected system.

• CVE-2012-0181, CVE-2012-1848:
  • An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process.

• CVE-2012-0164:
  • An attacker could cause applications created using WPF APIs that are running on a user's system to stop responding until manually restarted.

Mitigating Factors

• CVE-2011-3402, CVE-2012-0159, CVE-2012-0162, CVE-2012-0165, CVE-2012-0167, CVE-2012-0176:
  • An attacker would have no way to force users to visit a website or open an email attachment.

• CVE-2011-3402, CVE-2012-0159:
  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted Sites Zone.

• CVE-2012-0162, CVE-2012-0176, CVE-2012-1848:
  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.

• CVE-2012-0180, CVE-2012-0181:
  • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

• CVE-2012-0162:
  • On systems where MS11-044 has been applied, users will be prompted before XBAP applications will execute when in the Internet Zone of Internet Explorer. A user must click through this prompt in order to run the XBAP application on their system.

• CVE-2012-0164:
  • Microsoft has not identified any mitigating factors for this vulnerability.

Legend: CVE-2011-3402 RCE; CVE-2012-0159 RCE; CVE-2012-0162 RCE; CVE-2012-0164 DoS; CVE-2012-0165 RCE; CVE-2012-0167 RCE; CVE-2012-0176 RCE; CVE-2012-0180 EoP; CVE-2012-0181 EoP; CVE-2012-1848 EoP

MS12-035: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
|---|---|---|---|---|---|
| CVE-2012-0160 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2012-0161 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: All supported versions of .NET Framework on all supported versions of Windows and Windows Server

Affected Components: .NET Framework

Deployment Priority: 2

Main Target: Workstations and Servers

Possible Attack Vectors

• Web-Browsing Scenario: An attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.

• This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

Impact of Attack

• An attacker successfully exploiting this issue could gain the same user rights as a logged-on user.

Mitigating Factors

• An attacker would have no way to force users to visit a website.

• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.

• Standard .NET Framework applications are not affected by this vulnerability. Only specially crafted .NET Framework applications could exploit this vulnerability. (CVE-2012-0160)

Additional Information

• .NET Framework 4 and .NET Framework 4 Client Profile Affected

Security Advisory 2695962 – Remote Code Execution

Update Rollup For ActiveX Kill Bits

• This update sets the kill bits for the following third-party software: Cisco Clientless VPN solution.
  – Installing this update will block the vulnerable control from running in Internet Explorer.
  – For more information regarding security issues in the Cisco Clientless VPN solution ActiveX control, please see the Cisco Security Advisory, Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability.

• This advisory affects all supported versions of Windows.
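
One way to confirm on a host that a kill bit like the one this advisory sets is in place, as an added example that is not part of the original webcast: the PowerShell below reads the `Compatibility Flags` value for a control's CLSID in both the native and 32-bit registry views. The CLSID is a placeholder (the slide does not list it), the function name `Get-KillBitState` is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: report whether the Internet Explorer ActiveX kill bit is set for a CLSID.
# Placeholder CLSID only; take the real value from the advisory for the control in question.
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'

function Get-KillBitState {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid
    )

    # The kill bit is the 0x400 flag in the "Compatibility Flags" DWORD.
    $killBit = 0x400

    # 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view,
    # so a control is only fully blocked when both views carry the flag.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )

    foreach ($root in $roots) {
        # The Wow6432Node root does not exist on 32-bit Windows; skip it there.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        $key        = Join-Path $root $Clsid
        $keyPresent = Test-Path -LiteralPath $key
        $flags      = $null

        if ($keyPresent) {
            # A key can exist without the value; treat that as "kill bit not set".
            $prop = Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $flags = $prop.'Compatibility Flags' }
        }

        [pscustomobject]@{
            RegistryView = $root
            KeyPresent   = $keyPresent
            Flags        = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { $null }
            KillBitSet   = ($null -ne $flags) -and (($flags -band $killBit) -eq $killBit)
        }
    }
}

# Usage: one row per registry view; KillBitSet should be True in every row after the update.
Get-KillBitState -Clsid $PlaceholderClsid | Format-Table -AutoSize
```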

Detection & Deployment

| Bulletin | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | SCCM 2007 |
|---|---|---|---|---|---|---|
| MS12-029 Word | No | Yes* | Yes* | Yes* | Yes* | Yes* |
| MS12-030 Office | No | Yes | Yes* | Yes* | Yes* | Yes* |
| MS12-031 Visio | No | Yes | Yes | Yes | Yes | Yes |
| MS12-032 TCP/IP | Yes | Yes | Yes | Yes | Yes | Yes |
| MS12-033 Partition Mgr. | Yes | Yes | Yes | Yes | Yes | Yes |
| MS12-034 GDI+/TTF | Yes | Yes** | Yes | Yes | Yes | Yes** |
| MS12-035 NETFX | Yes | Yes | Yes | Yes | Yes | Yes |

*Except in Microsoft Office 2008 for Mac and Microsoft Office for Mac 2011

**Except Silverlight 4 installed on Mac OS

Other Update Information

| Bulletin | Restart | Uninstall | Replaces |
|---|---|---|---|
| MS12-029 Word | Maybe | Yes | MS11-089, MS11-094 |
| MS12-030 Office | Maybe | Yes | MS11-072, MS11-089, MS11-096 |
| MS12-031 Visio | Maybe | Yes | MS12-015 |
| MS12-032 TCP/IP | Yes | Yes | MS11-083 |
| MS12-033 Partition Mgr. | Yes | Yes | None |
| MS12-034 GDI+/TTF | Yes | No | MS10-087, MS12-018 |
| MS12-035 NETFX | No | Yes | MS11-028, MS11-044, MS11-078, MS11-100, MS12-016 |

Windows Malicious Software Removal Tool (MSRT)

• During this release Microsoft will increase detection capability for the following families in the MSRT:
  – Win32/Unruy: A trojan that is capable of connecting to certain remote servers to download and execute arbitrary files. It can also delete files, schedule tasks, and perform other actions. Depending on the computer's Internet Explorer settings, may also disable third-party browser extensions and BHOs from running.
  – Win32/Dishigy: A trojan that captures keystrokes and steals login credentials through a method known as "form grabbing". It sends captured data to a remote attacker and is capable of downloading additional malicious components.

• For the first time, Microsoft is releasing MSRT to Windows 8 machines.

• Available as a priority update through Windows Update or Microsoft Update.

• Is offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.

Resources

Blogs

• Microsoft Security Response Center (MSRC) blog: www.blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/

Twitter

• @MSFTSecResponse

Security Centers

• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx

Bulletins, Advisories, Notifications & Newsletters

• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews

Other Resources

• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx

Questions and Answers

• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC Blog: http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.