Monthly Security Bulletin Briefing | December 2013 - Microsoft · Microsoft Scripting Runtime...
Monthly Security Bulletin Briefing | December 2013
CSS Security Worldwide Programs
• Teresa Ghiorzoe, Security Program Manager - GBS LATAM
• Daniel Mauser, Senior Technical Lead - LATAM CTS
Security blog: http://blogs.technet.com/b/risco/
Twitter: LATAMSRC
Email: [email protected]
December 2013 Agenda
New Security Bulletins: 11 (5 Critical, 6 Important)
New Security Advisories: 3
Re-released Security Advisory: 1
Other Security Resources:
• Detection and Deployment Table
• Product Support Lifecycle Information
• Post Release Issue Tracking, Escalations, and Contacts
• Slide Decks and the Public Webcast
December 2013 Security Bulletins
Bulletin | Impact | Component | Severity | Priority | Exploit Index | Public
MS13-096 | Remote Code Execution | GDI+ | Critical | 1 | 1 | Yes
MS13-097 | Remote Code Execution | IE | Critical | 1 | 1 | No
MS13-098 | Remote Code Execution | Windows | Critical | 2 | 1 | No
MS13-099 | Remote Code Execution | Scripting Runtime | Critical | 1 | 1 | No
MS13-100 | Remote Code Execution | SharePoint | Important | 2 | 1 | No
MS13-101 | Elevation of Privilege | KMD | Important | 2 | 1 | No
MS13-102 | Elevation of Privilege | Windows LRPC | Important | 2 | 1 | No
MS13-103 | Elevation of Privilege | SignalR | Important | 3 | 1 | No
MS13-104 | Information Disclosure | Office | Important | 3 | 3 | No
MS13-105 | Remote Code Execution | Exchange | Critical | 2 | 1 | Yes
MS13-106 | Security Feature Bypass | Office | Important | 3 | 3 | Yes
Exploitability Index: 1 - Exploit code likely | 2 - Exploit code difficult | 3 - Exploit code unlikely | NA - Not Affected | * - Not Rated
MS13-096: Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005)
Affected Software:
• Windows Vista
• Windows Server 2008
• Office 2003
• Office 2007
• Office 2010
• Office Compatibility Pack
• Lync 2010
• Lync 2010 Attendee
• Lync 2013
• Lync Basic 2013
Severity: Critical
Deployment Priority: 1
Update Replacement: MS13-054
More Information and/or Known Issues: Yes, SA2896666
Restart Requirement: A restart is required
Uninstall Support: Use Add or Remove Programs in Control Panel. For Office 2003, this update may not be removable.
Detection and Deployment: WU Yes | MU Yes | MBSA Yes | WSUS Yes | ITMU Yes | SCCM Yes
Note: The Fix-It workaround from 2896666 does not need to be removed prior to installing this update.
Vulnerability Details:
A remote code execution vulnerability exists in the way that affected Windows components and other
affected software handle specially crafted TIFF files. The vulnerability could allow remote code execution if a
user views TIFF files in shared content. An attacker who successfully exploited this vulnerability could take
complete control of an affected system.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-3906 | Critical | Remote Code Execution | 1 | 1 | * | Yes | Yes | SA2896666
Attack Vectors
• Web-based: Attacker could host a specially crafted website.
• File sharing: Attacker could provide a specially crafted document file.
• Email: Attacker could exploit the vulnerability by sending specially crafted Office data in the contents of an email message.
Mitigations
• Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Workarounds
• Disable the TIFF codec with the Fix it tool (see Microsoft Knowledge Base Article 2896666).
• Deploy the Enhanced Mitigation Experience Toolkit.
• Disable data collaboration in Lync through the Lync Control Panel.
DoS Rating: T = Temporary (DoS ends when an attack ceases) | P = Permanent (Administrative action required to recover)
MS13-097: Cumulative Security Update for Internet Explorer (2898785)
Affected Software:
• Internet Explorer 6 on Windows XP and Windows Server 2003.
• Internet Explorer 7 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
• Internet Explorer 8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
• Internet Explorer 9 on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
• Internet Explorer 10 on Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.
• Internet Explorer 11 on Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
Severity: Critical
Deployment Priority: 1
Update Replacement: MS13-088
More Information and/or Known Issues: No
Restart Requirement: A restart is required
Uninstall Support: Use Add or Remove Programs in Control Panel
Detection and Deployment: WU Yes | MU Yes | MBSA Yes | WSUS Yes | ITMU Yes | SCCM Yes
Note: Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
Vulnerability Details
• Two elevation of privilege vulnerabilities exist within Internet Explorer, which bypass Internet Explorer Enhanced Protected Mode restrictions during validation of local file installation, and during secure creation of registry keys.
• Five remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-5049, CVE-2013-5052 | Critical | Remote Code Execution | NA | 1 | * | No | No | None
CVE-2013-5047, CVE-2013-5048 | Critical | Remote Code Execution | 1 | 1 | * | No | No | None
CVE-2013-5051 | Critical | Remote Code Execution | 3 | 2 | * | No | No | None
CVE-2013-5050 | Important | Security Feature Bypass | 3 | NA | * | No | No | None
CVE-2013-5045, CVE-2013-5046 | Important | Elevation of Privilege | 1 | 1 | * | No | No | None
Vulnerability Details (cont’d)
Attack Vectors
All
• An attacker could host a website that is used to attempt to exploit this vulnerability.
• Compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.
Mitigations
All
• Users would have to be persuaded to visit a malicious website.
Only CVE-2013-5047, CVE-2013-5048, CVE-2013-5049, CVE-2013-5051, CVE-2013-5052
• Exploitation only gains the same user rights as the logged-on account.
• By default, all Microsoft email clients open HTML email messages in the Restricted Sites zone.
• By default, IE runs in a restricted mode for all Windows Servers.
Workarounds
CVE-2013-5047, CVE-2013-5048, CVE-2013-5049, CVE-2013-5051, and CVE-2013-5052
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
• Add sites that you trust to the Internet Explorer Trusted sites zone.
CVE-2013-5045 and CVE-2013-5046
• Microsoft has not identified any workarounds for these vulnerabilities.
MS13-098: Vulnerability in Windows Could Allow Remote Code Execution (2893294)
Affected Software:
• Windows XP
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8
• Windows 8.1
• Windows Server 2012
• Windows Server 2012 R2
• Windows RT
• Windows RT 8.1
Severity: Critical
Deployment Priority: 2
Update Replacement: None
More Information and/or Known Issues: Yes, SA2915720
Restart Requirement: This update requires a restart
Uninstall Support: Use Add or Remove Programs in Control Panel
Detection and Deployment: WU Yes | MU Yes | MBSA Yes | WSUS Yes | ITMU Yes | SCCM Yes
Note: In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes changes to a default behavior of Windows Authenticode signature verification that will be enabled by default on June 10, 2014. Note that this change is not enabled by default with the installation of this update.
1. Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
Vulnerability Details:
• A remote code execution vulnerability exists in the Windows Authenticode Signature Verification function
used for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying
an existing signed executable file to leverage unverified portions of the file in such a way as to add
malicious code to the file without invalidating the signature. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-3900 | Critical | Remote Code Execution | 1 | 1 | * | No | Yes | Yes
Attack Vectors
• Attacker sends email message containing the specially crafted PE file and convinces user to open the file.
• Attacker convinces user to visit specially crafted website, typically by getting them to click a link in an email message or instant message that directs them to the attacker's website.
Mitigations
• Microsoft has not identified any mitigations for this vulnerability.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability.
MS13-099: Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code (2909158)
Affected Software:
• Microsoft Windows XP
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8
• Windows 8.1
• Windows Server 2012
• Windows Server 2012 R2
• Windows RT
• Windows RT 8.1
Severity: Critical
Deployment Priority: 1
Update Replacement: None
More Information and/or Known Issues: No
Restart Requirement: A restart may be required
Uninstall Support: Use Add or Remove Programs in Control Panel
Detection and Deployment: WU Yes | MU Yes | MBSA Yes (1, 2) | WSUS Yes (2) | ITMU Yes (2) | SCCM Yes (2)
Note: Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
Vulnerability Details
• This is a memory corruption vulnerability in the Microsoft Scripting Runtime Object Library that could lead
to remote code execution. An attacker who successfully exploited this vulnerability could take complete
control of an affected system.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-5056 | Critical | Remote Code Execution | 1 | 1 | * | No | No | None
Attack Vectors
• An attacker could exploit this vulnerability by hosting a specially crafted website that is designed to exploit these vulnerabilities through components of Internet Explorer, and then convince a user to visit the website.
Mitigations
• An attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
• Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability.
MS13-100: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2904244)
Affected Software:
• Microsoft SharePoint Server 2010
• Office Web Apps 2013
• SharePoint Server 2013
Severity: Important
Deployment Priority: 2
Update Replacement: MS13-067, MS13-084
More Information and/or Known Issues: No
Restart Requirement: A restart may be required
Uninstall Support: This security update cannot be removed.
Detection and Deployment: WU No | MU Yes | MBSA Yes | WSUS Yes | ITMU Yes | SCCM Yes
Note: After you install this security update on all SharePoint servers, you must run the PSconfig tool to complete the installation.
Vulnerability Details
• Remote code execution vulnerabilities exist in Microsoft SharePoint Server that could allow an attacker
who successfully exploited these vulnerabilities to run arbitrary code in the security context of the W3WP
service account.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-5059 | Important | Remote Code Execution | 1 | 1 | * | No | No | None
Attack Vectors
• An authenticated attacker could attempt to exploit these vulnerabilities by sending specially crafted page content to a SharePoint server.
Mitigations
• An attacker must be able to authenticate on the target SharePoint site. Note that this is not a mitigating factor if the SharePoint site is configured to allow anonymous users to access the site. By default, anonymous access is not enabled.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability.
MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430)
Affected Software:
• Windows XP
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8/8.1
• Windows Server 2012/2012 R2
• Windows RT/RT 8.1
Severity: Important
Deployment Priority: 2
Update Replacement: MS13-081
More Information and/or Known Issues: None
Restart Requirement: This update requires a restart
Uninstall Support: Use Add or Remove Programs in Control Panel
Detection and Deployment: WU Yes | MU Yes | MBSA Yes | WSUS Yes | ITMU Yes | SCCM Yes
Note: Multiple updates for a given system can be applied in any sequence.
1. Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
Vulnerability Details
• An elevation of privilege vulnerability exists in the way that the Win32k.sys kernel-mode driver validates address values in memory that could allow an attacker to execute arbitrary code with elevated privileges.
• An elevation of privilege vulnerability exists in the Microsoft Windows kernel that is caused when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
• A denial of service vulnerability exists in the Microsoft Windows kernel that is caused when the Windows kernel improperly processes a specifically crafted TrueType font file. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding and restart.
• An elevation of privilege vulnerability exists in the way that the Windows audio port-class driver (portcls.sys) handles objects in memory that could allow an attacker to execute arbitrary code with elevated privileges.
• A denial of service vulnerability exists in the way that the Win32k.sys kernel-mode driver handles objects in memory that could allow an attacker to cause the target system to stop responding.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-3899, CVE-2013-3907 | Important | Elevation of Privilege | NA | 2 | P | No | No | None
CVE-2013-3902 | Important | Elevation of Privilege | NA | 1 | P | No | No | None
CVE-2013-3903, CVE-2013-5058 | Moderate | Denial of Service | NA | NA | P | No | No | None
Vulnerability Details (cont’d)
Attack Vectors
CVE-2013-3899, CVE-2013-3902, CVE-2013-3907
• An attacker could run a specially crafted application that could exploit the vulnerability and take complete control over an affected system.
CVE-2013-3903
• An attacker could embed a specially crafted TrueType font on a website and when the user visited the site, the browser would attempt to render the font. The specially crafted TrueType font could then exploit the vulnerability and cause the system to stop responding.
CVE-2013-5058
• An attacker could execute a specially crafted application that would cause the target system to stop responding.
Mitigations
All
• An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
Workarounds
All
• Microsoft has not identified any workarounds for the vulnerabilities.
MS13-102: Vulnerability in LRPC Client Could Allow Elevation of Privilege (2898715)
Affected Software: All editions of:
• Windows XP
• Windows Server 2003
Severity: Important
Deployment Priority: 2
Update Replacement: MS13-062
More Information and/or Known Issues: No
Restart Requirement: A restart is required
Uninstall Support: Use Add or Remove Programs in Control Panel
Detection and Deployment: WU Yes | MU Yes | MBSA Yes | WSUS Yes | ITMU Yes | SCCM Yes
Note: Local RPC (LRPC) is an Inter-Process Communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different process that resides on the same computer. LRPC is a component of Microsoft RPC.
Vulnerability Details
• An elevation of privilege vulnerability exists in Microsoft Local Procedure Call (LPC) where an attacker uses a specially crafted LPC port message to cause a stack-based buffer overflow condition on either the LPC client or server.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-3878 | Important | Elevation of Privilege | NA | 1 | P | No | No | None
Attack Vectors
• An attacker who successfully exploited this vulnerability could use a specially crafted LPC server to return a specially crafted LPC port message to a legitimate LPC client, or use a specially crafted LPC client to return a specially crafted LPC port message to a legitimate LPC server.
Mitigations
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability.
MS13-103: Vulnerability in ASP.NET SignalR Could Allow Elevation of Privilege (2905244)
Affected Software:
• ASP.NET SignalR
• Microsoft Visual Studio Team Foundation Server 2013
Severity: Important
Deployment Priority: 3
Update Replacement: None
More Information and/or Known Issues: None
Restart Requirement: This update may require a restart
Uninstall Support: Use Add or Remove Programs in Control Panel
Detection and Deployment: WU No | MU Yes | MBSA Yes | WSUS Yes | ITMU Yes | SCCM Yes
Note: ASP.NET SignalR packages are available by updating your VS project via Manage NuGet Packages.
Vulnerability Details:
• An elevation of privilege vulnerability exists in ASP.NET SignalR that could allow an attacker access to
resources in the context of the targeted user.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-5042 | Important | Elevation of Privilege | 1 | 1 | * | No | No | None
Attack Vectors
• An attacker could reflect specially crafted JavaScript back to the user's browser, which could allow the attacker to modify page content, conduct phishing, or perform actions on behalf of the targeted user.
Mitigations
• Microsoft has not identified any mitigations for this vulnerability.
Workarounds
• For Windows servers that host web applications using ASP.NET SignalR functionality, turning off the ASP.NET SignalR transport protocol provides temporary protection from the vulnerability.
• No workarounds for Microsoft Visual Studio Team Foundation Server 2013.
MS13-104: Vulnerability in Microsoft Office Could Allow Information Disclosure (2909976)
Affected Software:
• Office 2013
• Office 2013 RT
Severity: Important
Deployment Priority: 3
Update Replacement: None
More Information and/or Known Issues: No
Restart Requirement: A restart may be required
Uninstall Support: Use Add or Remove Programs in Control Panel
Detection and Deployment: WU No | MU Yes | MBSA Yes (1) | WSUS Yes (1) | ITMU Yes (1) | SCCM Yes (1)
Note: Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
Vulnerability Details
An information disclosure vulnerability exists when affected Microsoft Office software does not properly
handle a specially crafted response while attempting to open an Office file hosted on the malicious website.
An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate
the current user on a targeted SharePoint or other Microsoft Office server site.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-5054 | Important | Information Disclosure | 3 | NA | * | No | No | None
Attack Vectors
• Exploitation of this vulnerability requires that a user attempts to open an Office file hosted on a malicious website using an affected version of Microsoft Office software.
Mitigations
• A user must open an attachment that is sent in an email message or click a link contained inside an email message.
• For web based attack, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability.
MS13-105: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)
Affected Software:
• Microsoft Exchange Server 2007
• Microsoft Exchange Server 2010
• Microsoft Exchange Server 2013
Severity: Critical
Deployment Priority: 2
Update Replacement: MS13-061
More Information and/or Known Issues: No
Restart Requirement: A restart is not required
Uninstall Support: Use Add or Remove Programs in Control Panel
Detection and Deployment: WU No | MU Yes | MBSA Yes | WSUS Yes | ITMU Yes | SCCM Yes
Note: Addresses Oracle Outside In issues included in the October 2013 security update: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
Vulnerability Details
• Two remote code execution vulnerabilities exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature. The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.
• One remote code execution vulnerability exists in Microsoft Exchange Server that could allow an attacker to run arbitrary code in the context of the Outlook Web Access (OWA) service account.
• One elevation of privilege vulnerability exists in Microsoft Exchange Server that could allow an attacker to run script in the context of the current user.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-5763, CVE-2013-5791 | Critical | Remote Code Execution | 2 | 2 | P | Yes | No | None
CVE-2013-1330 | Critical | Remote Code Execution | 1 | 1 | * | Yes | No | None
CVE-2013-5072 | Important | Elevation of Privilege | 1 | 1 | * | No | No | None
Vulnerability Details (cont’d)
Attack Vectors
CVE-2013-5763 and CVE-2013-5791
• An attacker could send an email message containing a specially crafted file to a user on an affected Exchange server.
• In Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013, the vulnerabilities could be exploited through the WebReady Document Viewing feature if a user previews an email message that contains a specially crafted file using Outlook Web App (OWA).
• In Exchange Server 2013, the vulnerabilities could be exploited through the Data Loss Prevention feature if an email message that contains a specially crafted file is received by the Exchange server.
CVE-2013-1330
• The attacker could send specially crafted content to the target server.
CVE-2013-5072
• The attacker could send a specially crafted URL, taking the user to the target server running OWA.
Mitigations
CVE-2013-5763 and CVE-2013-5791
• The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account, which has minimum privileges on the local computer and presents anonymous credentials on the network.
• The Filtering Management service in Exchange that is used for Data Loss Prevention is running in the LocalService account, which has minimum privileges on the local system and presents anonymous credentials on the network.
CVE-2013-1330 and CVE-2013-5072
• Microsoft has not identified any mitigations for these vulnerabilities.
Workarounds
CVE-2013-5763 and CVE-2013-5791
• Disable Data Loss Prevention (Exchange Server 2013 only)
• Disable WebReady document view
CVE-2013-1330 and CVE-2013-5072
• Microsoft has not identified any workarounds for these vulnerabilities.
MS13-106: Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass (2905238)
Affected Software:
• Office 2007
• Office 2010
Severity: Important
Deployment Priority: 3
Update Replacement: None
More Information and/or Known Issues: No
Restart Requirement: A restart may be required
Uninstall Support: Use Add or Remove Programs in Control Panel
Detection and Deployment: WU No | MU Yes | MBSA Yes | WSUS Yes | ITMU Yes | SCCM Yes
Note: The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.
Vulnerability Details
• A security feature bypass exists in an Office shared component that does not properly implement Address Space Layout Randomization (ASLR). The vulnerability could allow an attacker to bypass the ASLR security feature, after which the attacker could load additional malicious code in the process in an attempt to exploit another vulnerability.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2013-5057 | Important | Security Feature Bypass | NA | NA | * | Yes | Yes | None
Attack Vectors
• An attacker could host a website that is used to attempt to exploit this vulnerability.
• Compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.
Mitigations
• The vulnerability cannot be exploited automatically through email. For an attack to be successful a user must open an attachment that is sent in an email message.
• An attacker would have to convince users to take action, typically by getting them to click a link in an email message or instant message that takes users to the attacker’s website.
Workarounds
• Microsoft has not identified any workarounds for this vulnerability.
New Security Advisories
Security Advisory (2905247): Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege
Microsoft is announcing the availability of an update for Microsoft ASP.NET to
address a vulnerability in ASP.NET view state that exists when Machine
Authentication Code (MAC) validation is disabled through configuration
settings. The vulnerability could allow elevation of privilege and affects all
supported versions of Microsoft .NET Framework except .NET Framework 3.0
Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1.
Any ASP.NET site for which view state MAC has become disabled through
configuration settings is vulnerable to attack. An attacker who successfully
exploited the vulnerability could use specially crafted HTTP content to inject
code to be run in the context of the service account on the ASP.NET server.
Microsoft is aware of general information available publicly that could be used
to exploit this vulnerability, but is not aware of any active attacks.
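
An added example (not part of the original briefing or Microsoft's tooling): a Python audit for the condition Security Advisory 2905247 describes, view state MAC disabled through configuration. It assumes the standard ASP.NET settings enableViewStateMac on the <pages> element and EnableViewStateMac on the @ Page directive, which the briefing does not name; the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the site-wide setting is safe, a <location> override is not.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
  <location path="legacy/report.aspx">
    <system.web>
      <pages enableViewStateMac="false" />
    </system.web>
  </location>
</configuration>"""

# Constructed sample: a single page that opts out through its directive.
SAMPLE_ASPX = '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<html></html>'


def audit_web_config(xml_text):
    """Return the scopes ('<site>' or a <location> path) where view state MAC is off."""
    root = ET.fromstring(xml_text)
    # The site-wide section sits directly under <configuration>.
    scopes = [("<site>", root.find("system.web"))]
    # <location path="..."> elements can override it per directory or page.
    for loc in root.findall("location"):
        scopes.append((loc.get("path", "<site>"), loc.find("system.web")))
    findings = []
    for scope, system_web in scopes:
        if system_web is None:
            continue
        pages = system_web.find("pages")
        if pages is None:
            continue
        # An absent attribute means the framework default (MAC enabled).
        if pages.get("enableViewStateMac", "true").strip().lower() == "false":
            findings.append(scope)
    return findings


_PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(?P<attrs>.*?)%>", re.IGNORECASE | re.DOTALL)
_MAC_OFF = re.compile(r"\bEnableViewStateMac\s*=\s*[\"']?\s*false\b", re.IGNORECASE)


def page_disables_mac(aspx_text):
    """True when the @ Page directive of an .aspx file turns view state MAC off."""
    match = _PAGE_DIRECTIVE.search(aspx_text)
    return bool(match and _MAC_OFF.search(match.group("attrs")))


if __name__ == "__main__":
    print("web.config scopes with MAC disabled:", audit_web_config(SAMPLE_WEB_CONFIG))
    print("page directive disables MAC:", page_disables_mac(SAMPLE_ASPX))
```
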
Security Advisory (2915720): Changes in Windows Authenticode Signature Verification
Microsoft is announcing the availability of an update for all supported releases of
Windows to change how signatures are verified for binaries signed with the
Windows Authenticode signature format. The change is included with Security
Bulletin MS13-098, but will not be enabled until June 10, 2014. Once enabled, the
new default behavior for Windows Authenticode signature verification will no
longer allow extraneous information in the WIN_CERTIFICATE structure. Note that
after June 10, 2014, Windows will no longer recognize non-compliant binaries as
signed.
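A check for the condition advisory 2915720 describes, as an added example (not code from the briefing or from Windows): it measures the DER-encoded PKCS #7 blob inside a WIN_CERTIFICATE entry and reports any bytes that follow it. Treating anything other than zero padding up to the 8-byte boundary as extraneous is an assumption of this example; the function names are hypothetical and the sample entries are constructed.

```python
import struct

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS #7 SignedData

def der_total_length(buf):
    """Total size (header + content) of the DER SEQUENCE starting at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                       # short form: length in one byte
        return 2 + first
    count = first & 0x7F                   # long form: 'count' length bytes
    if count == 0 or count > 4 or len(buf) < 2 + count:
        raise ValueError("unsupported DER length encoding")
    return 2 + count + int.from_bytes(buf[2:2 + count], "big")

def trailing_data(entry):
    """Bytes inside a WIN_CERTIFICATE entry that follow the PKCS #7 blob."""
    if len(entry) < 8:
        raise ValueError("entry shorter than the WIN_CERTIFICATE header")
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", entry, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("not a PKCS #7 SignedData entry")
    if not 8 <= dw_length <= len(entry):
        raise ValueError("dwLength does not fit the supplied buffer")
    body = entry[8:dw_length]
    used = der_total_length(body)
    if used > len(body):
        raise ValueError("PKCS #7 blob runs past dwLength")
    return body[used:]

def is_compliant(entry):
    """Assumption of this example: only zero padding up to the 8-byte
    boundary may follow the signature; anything else is extraneous."""
    extra = trailing_data(entry)
    return len(extra) < 8 and not any(extra)

def make_entry(pkcs7, extra=b""):
    """Build a constructed entry: header, blob, optional extra, zero padding."""
    body = pkcs7 + extra
    body += b"\x00" * (-(8 + len(body)) % 8)
    return struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body

# Constructed stand-in for a signature: a 260-byte DER SEQUENCE, not a real one.
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xAA" * 256
CLEAN = make_entry(FAKE_PKCS7)
WITH_EXTRA = make_entry(FAKE_PKCS7, b"constructed trailing data")
```

Run against the certificate table of real binaries, a non-empty, non-padding result from `trailing_data` identifies files that the stricter verification would stop recognizing as signed.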
New Security Advisories (cont’d)
Security Advisory (2871690): Update to Revoke Non-compliant UEFI Boot Loaders
Microsoft is announcing the availability of an update for Windows 8 and Windows Server 2012 that revokes the digital signatures for specific UEFI (Unified Extensible Firmware Interface) boot loaders. When the update is applied, the affected UEFI boot loaders will no longer be trusted and will not be loaded during UEFI Secure Boot. The affected UEFI boot loaders consist of specific Microsoft-signed boot loaders that are either not in compliance with our certification program or their authors have requested that the packages be revoked.
At the time of publication of this advisory, Microsoft is not aware of any misuse of the affected UEFI boot loaders. Microsoft is proactively revoking these non-compliant boot loaders as part of our ongoing efforts to protect customers. This action only affects systems running Windows 8 and Windows Server 2012 that are configured to use UEFI Secure Boot.
Rereleased Security Advisories
Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
On December 10, 2013, Microsoft released an update (2907997) for Internet Explorer 10 on all supported editions of Windows 8, Windows RT, and Windows Server 2012, and for Internet Explorer 11 on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-28. For more information about this update, including download links, see Microsoft Knowledge Base Article 2907997.
Microsoft Support Lifecycle
Lifecycle Changes
The following product families and service pack levels are scheduled to have their support lifecycle expire on January 14, 2014.
Product Family
• Live Communications Server 2003
Remember that support for the entire Windows XP product family will expire on 4/8/2014.
http://support.microsoft.com/lifecycle
December 2013 Security Bulletins
Bulletin | Description | Severity | Priority
MS13-096 | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution | Critical | 1
MS13-097 | Cumulative Security Update for Internet Explorer | Critical | 1
MS13-098 | Vulnerability in Windows Could Allow Remote Code Execution | Critical | 2
MS13-099 | Vulnerability in Microsoft Scripting Runtime Could Allow Remote Code Execution | Critical | 1
MS13-100 | Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution | Important | 2
MS13-101 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege | Important | 2
MS13-102 | Vulnerability in LRPC Client Could Allow Elevation of Privilege | Important | 2
MS13-103 | Vulnerability in SignalR Could Allow Elevation of Privilege | Important | 3
MS13-104 | Vulnerability in Microsoft Office Could Allow Information Disclosure | Important | 3
MS13-105 | Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution | Critical | 2
MS13-106 | Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass | Important | 3
Malicious Software Removal Tool (MSRT) Updates
MSRT Changes
New malware families added to the December 2013 MSRT
Win32/Rotbrow
This family of trojans installs browser add-ons that claim to protect you from other add-ons. These add-ons can make changes to your home page and also install Win32/Sefnit.
Additional Tools
Microsoft Safety Scanner
• Same basic engine as the MSRT, but with a full set of A/V signatures
Windows Defender Offline
• An offline bootable A/V tool with a full set of signatures
• Designed to remove rootkits and other advanced malware that can't always be detected by antimalware programs
• Requires you to download an ISO file and burn a CD, DVD, or USB flash drive
Public Security Bulletin Links
Monthly Bulletin Links
• Microsoft Security Bulletin Summary for December 2013
http://technet.microsoft.com/en-us/security/bulletin/ms13-dec
• Security Bulletin Search
http://technet.microsoft.com/security/bulletin
• Security Advisories
http://technet.microsoft.com/security/advisory
• Microsoft Technical Security Notifications
http://technet.microsoft.com/en-us/security/dd252948.aspx
Blogs
• MSRC Blog
http://blogs.technet.com/msrc
• SRD Team Blog
http://blogs.technet.com/srd
• MMPC Team Blog
http://blogs.technet.com/mmpc
• MSRC Ecosystem Team Blog
http://blogs.technet.com/ecostrat
Supplemental Security Reference Articles
• Detailed Bulletin Information Spreadsheet
http://go.microsoft.com/fwlink/?LinkID=245778
• Security Tools for IT Pros
http://technet.microsoft.com/en-us/security/cc297183
• KB894199 Description of Software Update Services and Windows Server Update Services changes in content
http://support.microsoft.com/kb/894199
• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software
http://support.microsoft.com/kb/890830
December 2013 Manageability Tools Reference
Bulletin | Windows Update (1) | Microsoft Update (1) | MBSA (2) | WSUS | SMS ITMU | SCCM
MS13-096 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-097 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-098 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-099 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-100 | No | Yes | Yes | Yes | Yes | Yes
MS13-101 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-102 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-103 | No | Yes | Yes | Yes | Yes | Yes
MS13-104 | No | Yes | Yes | Yes | Yes | Yes
MS13-105 | No | Yes | Yes | Yes | Yes | Yes
MS13-106 | No | Yes | Yes | Yes | Yes | Yes
1. Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
2. Microsoft Baseline Security Analyzer (MBSA) v2.3 now supports Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
MBSA 2.3
MBSA 2.3 Now Available
The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. MBSA 2.3 release now provides support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.
Tool Information
• Available at the Download Center at http://www.microsoft.com/download/details.aspx?id=7558
• Windows 2000 will no longer be supported with this release.
Public Security Bulletin Links in Portuguese (LATAM)
GBS Security Worldwide Programs
Bulletin Links in Portuguese
• Microsoft Security Bulletin Summary for December 2013
http://technet.microsoft.com/pt-br/security/bulletin/ms13-dec
• Security Bulletin Search
http://technet.microsoft.com/pt-br/security/bulletin
• Security Advisories
http://technet.microsoft.com/pt-br/security/advisory
• Microsoft Technical Security Notifications
http://technet.microsoft.com/pt-br/security/dd252948.aspx
Blogs
Negócios de Risco
• http://blogs.technet.com/b/risco/
• MSRC Blog
http://blogs.technet.com/msrc
• SRD Team Blog
http://blogs.technet.com/srd
• MMPC Team Blog
http://blogs.technet.com/mmpc
• MSRC Ecosystem Team Blog
http://blogs.technet.com/ecostrat
Supplemental Security Reference Articles
• Detailed Bulletin Information Spreadsheet
http://go.microsoft.com/fwlink/?LinkID=245778
• Security Tools for IT Pros
http://technet.microsoft.com/pt-br/security/cc297183
• KB894199 Description of Software Update Services and Windows Server Update Services changes in content
http://support.microsoft.com/kb/894199
• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software
http://support.microsoft.com/kb/890830
Portuguese Webcast: January
Portuguese Webcast (External)
• JANUARY WEBCAST - CUSTOMERS: 16/DECEMBER/2013, 15:30 Hrs Brasília
See our blog to register:
Negócios de Risco
• http://blogs.technet.com/b/risco/