Dial In Number 1-800-227-8104 PIN: 1056 Information About Microsoft December 2011 Security Bulletins Jonathan Ness Security Development Manager Microsoft Corporation Jerry Bryant Group Manager, Response Communications Microsoft Corporation



What We Will Cover

• Review of December 2011 bulletin release information:
  – New Security Bulletins
  – Announcements
  – Microsoft® Windows® Malicious Software Removal Tool
• Resources
• Questions and answers: Please Submit Now


Severity and Exploitability Index

[Chart: severity (Critical, Important, Moderate, Low) and Exploitability Index (1 to 3) for bulletins MS11-087 through MS11-099, each labelled with its product (Windows, Office or Internet Explorer) and its deployment priority (DP).]

Deployment priority (DP), MS11-087 through MS11-099: 1, 3, 2, 2, 2, 1, 3, 2, 2, 2, 3, 3, 2


Bulletin Deployment Priority

| Bulletin | KB | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority | Note |
| --- | --- | --- | --- | --- | --- | --- | --- |
| MS11-087 | 2639417 | Public | Critical | 1 | RCE | 1 | Addresses the issue described in Security Advisory 2639658. |
| MS11-092 | 2648048 | Private | Critical | 1 | RCE | 1 | A would-be attacker has no guarantee of convincing the targeted user to visit a malicious Web page or open a malicious file. |
| MS11-090 | 2618451 | Private | Critical | 1 | RCE | 2 | Includes killbits offered by various third-party vendors. |
| MS11-089 | 2590602 | Private | Important | 1 | RCE | 2 | Preview Pane is not a vector for the issue addressed in this bulletin. |
| MS11-096 | 2640241 | Private | Important | 1 | RCE | 2 | Office File Validation technology effectively mitigates the issue addressed in this bulletin. |
| MS11-094 | 2639142 | Private | Important | 2 | RCE | 2 | Addresses a DLL preloading issue. |
| MS11-099 | 2618444 | Private | Important | 1 | RCE | 2 | Includes a defense-in-depth change. Addresses IE-relevant issues concerning the vulnerability mentioned in Security Advisory 2588513. |
| MS11-095 | 2640045 | Private | Important | 1 | RCE | 2 | A would-be attacker would need to have member account credentials within the targeted Active Directory domain. |
| MS11-091 | 2607702 | Public | Important | 1 | RCE | 2 | Microsoft Office 2010 is not affected by the issue covered in this bulletin. |
| MS11-098 | 2633171 | Private | Important | 1 | EoP | 3 | A would-be attacker would require authorized, local access to exploit this issue. |
| MS11-097 | 2620712 | Private | Important | 1 | EoP | 3 | As with MS11-098, a would-be attacker would require authorized, local access to the targeted system to exploit this issue. |
| MS11-088 | 2652016 | Private | Important | 1 | EoP | 3 | Customers who have not installed the Microsoft Office IME (Chinese) 2010 module are unaffected by this issue. |
| MS11-093 | 2624667 | Private | Important | 1 | RCE | 3 | Only Windows XP and Server 2003 are affected by the addressed issue. |


MS11-087: Vulnerability In Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-3402 | Critical | 1 | 1 | Remote Code Execution | Publicly Disclosed |

Affected Products: All supported releases of Microsoft Windows, including XP, Server 2003, Vista, Server 2008, Windows 7, and Server 2008 R2

Server 2008, Server 2008 R2 under certain circumstances. See “Additional Information” for details.

Affected Components: Windows Kernel

Deployment Priority: 1

Main Target: Workstations and Servers

Possible Attack Vectors

• An attacker could exploit this vulnerability if a user opens a specially crafted document or visits a malicious web page that embeds TrueType font files.

Impact of Attack

• An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Mitigating Factors

• An attacker would have to convince users to open a specially-crafted document or visit a web site, typically by getting them to click a link in an email or IM message.

Additional Information

• This addresses the vulnerability first described in Microsoft Security Advisory 2639658.
• This update applies with a lower severity rating to supported editions of Server 2008 or Server 2008 R2, when installed using the Server Core installation option.


MS11-088: Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2652016)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-2010 | Important | 1 | N/A | Elevation of Privilege | Cooperatively Disclosed |

Affected Products: All supported editions of Microsoft Office 2010 where Microsoft Pinyin IME 2010 is installed, Microsoft Office Pinyin SimpleFast Style 2010, and Microsoft Office Pinyin New Experience Style 2010.

Affected Components: Microsoft Pinyin Input Method Editor for Simplified Chinese

Deployment Priority: 3

Main Target: Workstations

Possible Attack Vectors

• An attacker who exposes configuration options in Microsoft Office IME (Chinese) can exploit this vulnerability, and perform specific actions utilizing the MSPY IME toolbar to launch Internet Explorer with system-level privileges.

Impact of Attack

• An attacker who exploits this vulnerability could run arbitrary code in kernel mode, and then install programs, view, change or delete data, or create new accounts with full user rights.

Mitigating Factors

• An attacker must have valid logon credentials to log on locally to exploit this vulnerability. The vulnerability cannot be exploited remotely or by anonymous users.

Additional Information

• Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected.
• This will only be available through the Microsoft Download Center.


MS11-089: Vulnerabilities In Microsoft Office Could Allow Remote Code Execution (2590602)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-1983 | Important | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: All supported editions of Office 2007, Office 2010, and Office For Mac 2011

Affected Components: Microsoft Word

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vectors

• An attacker could exploit this vulnerability if a user opens a specially crafted Word file.

Impact of Attack

• An attacker could gain the same user rights as the exploited logged-on user, which could include installing programs; viewing, changing or deleting data; or creating new accounts with full user rights.

Mitigating Factors

• An attacker could not force a user to visit a specially crafted site.
• An attacker cannot exploit this vulnerability automatically through email; instead, the user would have to click on an attachment in an email message.

Additional Information

• None


MS11-090: Cumulative Security Update of ActiveX Kill Bits (2518451)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-3397 | Critical | N/A | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: All supported editions of Windows XP and Windows Server 2003

Affected Components: ActiveX

Deployment Priority: 2

Main Target: Servers and Workstations

Possible Attack Vectors

• An attacker could exploit this vulnerability if a user views a specially crafted web page that uses a specific binary behavior in Internet Explorer.

Impact of Attack

• An attacker who exploits this vulnerability could gain the same user rights as the logged-on user.

Mitigating Factors

• An attacker would have to convince users to visit a website, typically by getting them to click a link in an email or IM message.

Additional Information

• Installations using Server Core are not affected.


MS11-091: Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2607702)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-1508 | Moderate | N/A | N/A | Remote Code Execution | Publicly Disclosed |
| CVE-2011-3410 | Important | N/A | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2011-3411 | Important | N/A | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2011-3412 | Important | N/A | 2 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: All supported editions of Microsoft Office 2003 and 2007

Affected Components: Microsoft Publisher

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vectors

• An attacker can exploit this vulnerability by creating a specially crafted Publisher file that could be included as an email attachment, or hosted on a specially crafted/compromised web site, and then convincing the user to open the specially crafted Publisher file.

Impact of Attack

• An attacker who exploits this vulnerability could take complete control of an affected system, including installing programs; viewing, changing or deleting data; or creating new accounts with full user rights.

Mitigating Factors

• An attacker has to convince the user to visit a web site or open an attachment.

Additional Information

• None


MS11-092: Vulnerability In Windows Media Could Allow Remote Code Execution (2648048)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-3401 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: All supported versions of Windows

Affected Components: Windows Media Center, Windows Media Player

Deployment Priority: 1

Main Target: Workstations

Possible Attack Vectors

• An attacker can exploit this vulnerability if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.

Impact of Attack

• An attacker who exploits this vulnerability could take complete control of an affected system, including installing programs; viewing, changing or deleting data; or creating new accounts with full user rights.

Mitigating Factors

• An attacker has to convince the user to open the specially crafted media file.

Additional Information

• None


MS11-093: Vulnerability in OLE Could Allow Remote Code Execution (2624667)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-3400 | Important | N/A | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: All supported editions of Windows XP and Windows Server 2003

Affected Components: OLE

Deployment Priority: 3

Main Target: Workstations and Servers

Possible Attack Vectors

• An attacker could exploit this vulnerability if a user opens a file that contains a specially crafted OLE object.

Impact of Attack

• An attacker who successfully exploits this vulnerability could take complete control of an affected system, including the ability to install programs; view, change or delete data; or create new accounts with full user rights.

Mitigating Factors

• An attacker has to convince the user to open a malicious attachment contained in an email message.

Additional Information

• Windows Vista, Server 2008, Windows 7, and Windows Server 2008 R2 are not affected by this vulnerability.


MS11-094: Vulnerabilities In Microsoft PowerPoint Could Allow Remote Code Execution (2639142)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-3396 | Important | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |
| CVE-2011-3413 | Important | N/A | 2 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: Office 2007, Office 2010, Office 2008 for Mac, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, PowerPoint Viewer 2007

Affected Components: PowerPoint

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vectors

• CVE-2011-3396:
  – In a network attack scenario, an attacker could place a legitimate file and a specially crafted DLL file in a network share, a UNC, or WebDAV location and then convince the user to open the file.
  – In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a legitimate file attachment to a user, and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file.
• CVE-2011-3413:
  – In a Web-based attack scenario, an attacker would have to convince users to visit the Web site and open the specially crafted PowerPoint file.
  – In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially-crafted PowerPoint file to the user and convincing the user to open the file.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.

Mitigating Factors

• The file sharing protocol, Server Message Block (SMB), is often disabled on the perimeter firewall. This limits the potential attack vectors for this vulnerability.
• An attacker cannot force a user to open a malicious file or to place files in a specific directory.

Additional Information

• This bulletin is related to Security Advisory 2269637.


MS11-095: Vulnerability In Active Directory Could Allow Remote Code Execution (2640045)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-3406 | Important | 1 | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: Windows XP, Windows Server 2003 (Standard, Itanium, x64), Vista, Windows Server 2008 (Standard and x64), Windows 7, Windows Server 2008 R2 x64

Affected Components: ADAM, Active Directory, AD LDS

Deployment Priority: 2

Main Target: Servers

Possible Attack Vectors

• An attacker could run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.

Impact of Attack

• An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Mitigating Factors

• In order to successfully exploit this vulnerability, an attacker must have member account credentials within the target Active Directory domain.

Additional Information

• Installations using Server Core are affected.


MS11-096: Vulnerability in Microsoft Excel Could Allow Remote Code Execution (2640241)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-3403 | Important | N/A | 1 | Remote Code Execution | Cooperatively Disclosed |

Affected Products: Microsoft Office 2003 SP3, Office 2004 for Mac

Affected Components: Excel

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vectors

• In an e-mail attack scenario, an attacker could exploit the vulnerability by sending a specially crafted Excel file to the user and by convincing the user to open the file.
• In a Web-based attack scenario, an attacker would have to host a Web site that contains an Excel file that is used to attempt to exploit this vulnerability.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.

Mitigating Factors

• An attacker would have no way to force users to visit these Web sites or to open malicious files.

Additional Information

• When the Office File Validation feature is enabled in Microsoft Excel 2003, malicious files attempting to exploit this issue are not opened automatically.


MS11-097: Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2620712)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-3408 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |

Affected Products: All supported versions of Windows and Windows Server

Affected Components: Windows Client/Server Run-time Subsystem (CSRSS)

Deployment Priority: 3

Main Target: Workstations and Servers

Possible Attack Vectors

• To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to send a device event message to a higher-integrity process.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process.

Mitigating Factors

• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Additional Information

• Installations using Server Core are affected.


MS11-098: Vulnerability In Windows Kernel Could Allow Elevation of Privilege (2633171)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-2018 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed |

Affected Products: Windows XP, Windows Server 2003, Vista, Windows 7

Affected Components: Kernel

Deployment Priority: 3

Main Target: Workstations

Possible Attack Vectors

• To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over an affected system.

Impact of Attack

• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

Mitigating Factors

• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
• The vulnerability could not be exploited remotely or by anonymous users.

Additional Information

• Installations using Server Core are affected.


MS11-099: Cumulative Security Update For Internet Explorer (2618444)

| CVE | Severity | Exploitability: Latest Software | Exploitability: Older Versions | Comment | Note |
| --- | --- | --- | --- | --- | --- |
| CVE-2011-1992 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed |
| CVE-2011-2019 | Important | 1 | N/A | Remote Code Execution | Cooperatively Disclosed |
| CVE-2011-3404 | Moderate | N/A | N/A | Information Disclosure | Cooperatively Disclosed |

Affected Products

• IE6, IE7, IE 8 and IE 9 on all supported versions of Windows clients.
• IE6, IE7, IE 8 and IE 9 on all supported versions of Windows servers.

Affected Components: Internet Explorer

Deployment Priority: 2

Main Target: Workstations

Possible Attack Vectors

• CVE-2011-1992 & CVE-2011-3404:
  – Browse and Own: An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site.
• CVE-2011-2019:
  – An attacker could exploit a vulnerability that exists in the way Internet Explorer loads libraries.

Impact of Attack

• CVE-2011-1992 & CVE-2011-3404:
  – An attacker could view content from another domain or Internet Explorer zone.
• CVE-2011-2019:
  – An attacker could take complete control of an affected system, including installing programs; viewing, changing or deleting data; or creating new accounts with full user rights.

Mitigating Factors

• The Server Message Block (SMB) is often disabled on the perimeter firewall. This limits the potential attack vectors for this vulnerability.
• An attacker could not force a user to visit a specially crafted site.

Additional Information

• Installations using Server Core are not affected.


Detection & Deployment

| Bulletin | Windows Update | Microsoft Update | MBSA 2.1 | WSUS 3.0 | SMS 2003 with SUIT | SMS 2003 with ITMU | SCCM 2007 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| MS11-087 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MS11-088 | Yes# | Yes# | Yes# | Yes# | Yes# | Yes# | Yes# |
| MS11-089 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MS11-090 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MS11-091 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MS11-092 | Yes | Yes | Yes* | Yes | Yes | Yes | Yes |
| MS11-093 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MS11-094 | Yes | Yes | Yes** | Yes** | Yes** | Yes** | Yes** |
| MS11-095 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MS11-096 | Yes | Yes | Yes*** | Yes*** | Yes*** | Yes*** | Yes*** |
| MS11-097 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MS11-098 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MS11-099 | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

# Microsoft Office Pinyin SimpleFast Style Available Through Download Center
* Except For Windows XP Media Center Edition 2005 SP3
** Except For Office 2008 For Mac
*** Except For Office 2004 For Mac


Other Update Information

| Bulletin | Restart | Uninstall | Replaces |
| --- | --- | --- | --- |
| MS11-087 | Yes | Yes | MS11-077, MS11-084 |
| MS11-088 | Maybe | Yes | None |
| MS11-089 | Maybe | Yes | MS11-072 |
| MS11-090 | Maybe | Yes | MS11-027 |
| MS11-091 | Maybe | Yes | MS10-103 |
| MS11-092 | Maybe | Yes | None |
| MS11-093 | Maybe | Yes | None |
| MS11-094 | Maybe | Yes | MS11-036, MS11-022, MS11-072 |
| MS11-095 | Yes | Yes | MS11-086 |
| MS11-096 | Maybe | Yes | MS11-072 |
| MS11-097 | Yes | Yes | MS11-010 |
| MS11-098 | Yes | Yes | MS10-047, MS10-021, MS11-068 |
| MS11-099 | Yes | Yes | MS11-081 |


Windows Malicious Software Removal Tool (MSRT)

• During this release Microsoft will increase detection capability for the following families in the MSRT:
  – Win32/Helompy: This is an AutoIt worm that propagates via removable drives, network shares, email, and IM. It aims to steal Web credentials for various services, including Facebook, eBay, and Gmail. The worm contacts a remote host in order to download arbitrary files and to upload stolen personal information.
• Available as a priority update through Windows Update or Microsoft Update.
• Is offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.


Resources

Blogs

• Microsoft Security Response Center (MSRC) blog: www.blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/

Twitter

• @MSFTSecResponse

Security Centers

• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx

Bulletins, Advisories, Notifications & Newsletters

• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews

Other Resources

• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx


Questions and Answers

• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC Blog: http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx
