Monthly Security Bulletin Briefing | December 2013 - Microsoft · Microsoft Scripting Runtime...

Monthly Security Bulletin Briefing | December 2013

CSS Security Worldwide Programs

• Teresa Ghiorzoe, Security Program Manager - GBS LATAM
• Daniel Mauser, Senior Technical Lead - LATAM CTS

Security Blog: http://blogs.technet.com/b/risco/
Twitter: LATAMSRC
Email: [email protected]


Agenda

• New Security Bulletins: 11 (5 Critical, 6 Important)
• 3 New Security Advisories
• 1 Re-released Security Advisory
• Other Security Resources
• Detection and Deployment Table
• Product Support Lifecycle Information
• Post Release Issue Tracking, Escalations, and Contacts
• Slide Decks and the Public Webcast

Security Bulletins

| Bulletin | Impact | Component | Severity | Priority | Exploit Index | Public |
|---|---|---|---|---|---|---|
| MS13-096 | Remote Code Execution | GDI+ | Critical | 1 | 1 | Yes |
| MS13-097 | Remote Code Execution | IE | Critical | 1 | 1 | No |
| MS13-098 | Remote Code Execution | Windows | Critical | 2 | 1 | No |
| MS13-099 | Remote Code Execution | Scripting Runtime | Critical | 1 | 1 | No |
| MS13-100 | Remote Code Execution | SharePoint | Important | 2 | 1 | No |
| MS13-101 | Elevation of Privilege | KMD | Important | 2 | 1 | No |
| MS13-102 | Elevation of Privilege | Windows LRPC | Important | 2 | 1 | No |
| MS13-103 | Elevation of Privilege | SignalR | Important | 3 | 1 | No |
| MS13-104 | Information Disclosure | Office | Important | 3 | 3 | No |
| MS13-105 | Remote Code Execution | Exchange | Critical | 2 | 1 | Yes |
| MS13-106 | Security Feature Bypass | Office | Important | 3 | 3 | Yes |

Exploitability Index: 1 - Exploit code likely | 2 - Exploit code difficult | 3 - Exploit code unlikely | NA - Not Affected | * - Not Rated

MS13-096 Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005)

Affected Software
• Windows Vista
• Windows Server 2008
• Office 2003
• Office 2007
• Office 2010
• Office Compatibility Pack
• Lync 2010
• Lync 2010 Attendee
• Lync 2013
• Lync Basic 2013

Severity | Critical

| Deployment Priority | Update Replacement | More Information and/or Known Issues |
|---|---|---|
| 1 | MS13-054 | Yes (SA2896666) |

Restart Requirement: A restart is required.

Uninstall Support: Use Add or Remove Programs in Control Panel. For Office 2003, this update may not be removable.

Detection and Deployment

| WU | MU | MBSA | WSUS | ITMU | SCCM |
|---|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes | Yes |

The Fix-It workaround from 2896666 does not need to be removed prior to installing this update.

Vulnerability Details

A remote code execution vulnerability exists in the way that affected Windows components and other affected software handle specially crafted TIFF files. The vulnerability could allow remote code execution if a user views TIFF files in shared content. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

| CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-3906 | Critical | Remote Code Execution | 1 | 1 | * | Yes | Yes | SA2896666 |

Attack Vectors
• Web-based: Attacker could host a specially crafted website.
• File sharing: Attacker could provide a specially crafted document file.
• Email: Attacker could exploit the vulnerability by sending specially crafted Office data in the contents of an email message.

Mitigations
• Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Workarounds
• Disable the TIFF codec with the Fix it tool (see Microsoft Knowledge Base Article 2896666).
• Deploy the Enhanced Mitigation Experience Toolkit.
• Disable data collaboration in Lync through the Lync Control Panel.

DoS Rating: T = Temporary (DoS ends when an attack ceases) | P = Permanent (Administrative action required to recover)

MS13-097 Cumulative Security Update for Internet Explorer (2898785)

Affected Software
• Internet Explorer 6 on Windows XP and Windows Server 2003.
• Internet Explorer 7 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
• Internet Explorer 8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
• Internet Explorer 9 on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
• Internet Explorer 10 on Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.
• Internet Explorer 11 on Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Severity | Critical

| Deployment Priority | Update Replacement | More Information and/or Known Issues |
|---|---|---|
| 1 | MS13-088 | No |

Restart Requirement: A restart is required.

Uninstall Support: Use Add or Remove Programs in Control Panel.

Detection and Deployment

| WU | MU | MBSA | WSUS | ITMU | SCCM |
|---|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes | Yes |

Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.

Vulnerability Details
• Two elevation of privilege vulnerabilities exist within Internet Explorer, which bypass Internet Explorer Enhanced Protected Mode restrictions during validation of local file installation, and during secure creation of registry keys.
• Five remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

| CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-5049, CVE-2013-5052 | Critical | Remote Code Execution | NA | 1 | * | No | No | None |
| CVE-2013-5047, CVE-2013-5048 | Critical | Remote Code Execution | 1 | 1 | * | No | No | None |
| CVE-2013-5051 | Critical | Remote Code Execution | 3 | 2 | * | No | No | None |
| CVE-2013-5050 | Important | Security Feature Bypass | 3 | NA | * | No | No | None |
| CVE-2013-5045, CVE-2013-5046 | Important | Elevation of Privilege | 1 | 1 | * | No | No | None |

Vulnerability Details (cont’d)

Attack Vectors

All
• An attacker could host a website that is used to attempt to exploit this vulnerability.
• Compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.

Mitigations

All
• Users would have to be persuaded to visit a malicious website.

Only CVE-2013-5047, CVE-2013-5048, CVE-2013-5049, CVE-2013-5051, CVE-2013-5052
• Exploitation only gains the same user rights as the logged-on account.
• By default, all Microsoft email clients open HTML email messages in the Restricted Sites zone.
• By default, IE runs in a restricted mode for all Windows Servers.

Workarounds

CVE-2013-5047, CVE-2013-5048, CVE-2013-5049, CVE-2013-5051, and CVE-2013-5052
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
• Add sites that you trust to the Internet Explorer Trusted sites zone.

CVE-2013-5045 and CVE-2013-5046
• Microsoft has not identified any workarounds for these vulnerabilities.

MS13-098 Vulnerability in Windows Could Allow Remote Code Execution (2893294)

Affected Software:
• Windows XP
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8
• Windows 8.1
• Windows Server 2012
• Windows Server 2012 R2
• Windows RT
• Windows RT 8.1

Severity | Critical

| Deployment Priority | Update Replacement | More Information and/or Known Issues |
|---|---|---|
| 2 | None | Yes (SA2915720) |

Restart Requirement: This update requires a restart.

Uninstall Support: Use Add or Remove Programs in Control Panel.

Detection and Deployment

| WU | MU | MBSA | WSUS | ITMU | SCCM |
|---|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes | Yes |

In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes changes to a default behavior of Windows Authenticode signature verification that will be enabled by default on June 10, 2014. Note that this change is not enabled by default with the installation of this update.

1. Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.

Vulnerability Details:
• A remote code execution vulnerability exists in the Windows Authenticode Signature Verification function used for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

| CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-3900 | Critical | Remote Code Execution | 1 | 1 | * | No | Yes | Yes |

Attack Vectors
• Attacker sends email message containing the specially crafted PE file and convinces user to open the file.
• Attacker convinces user to visit specially crafted website, typically by getting them to click a link in an email message or instant message that directs them to the attacker's website.

Mitigations
• Microsoft has not identified any mitigations for this vulnerability.

Workarounds
• Microsoft has not identified any workarounds for this vulnerability.

MS13-099 Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code (2909158)

Affected Software
• Microsoft Windows XP
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8
• Windows 8.1
• Windows Server 2012
• Windows Server 2012 R2
• Windows RT
• Windows RT 8.1

Severity | Critical

| Deployment Priority | Update Replacement | More Information and/or Known Issues |
|---|---|---|
| 1 | None | No |

Restart Requirement: A restart may be required.

Uninstall Support: Use Add or Remove Programs in Control Panel.

Detection and Deployment

| WU | MU | MBSA | WSUS | ITMU | SCCM |
|---|---|---|---|---|---|
| Yes | Yes | Yes [1, 2] | Yes [2] | Yes [2] | Yes [2] |

Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.

Vulnerability Details
• This is a memory corruption vulnerability in the Microsoft Scripting Runtime Object Library that could lead to remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

| CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-5056 | Critical | Remote Code Execution | 1 | 1 | * | No | No | None |

Attack Vectors
• An attacker could exploit this vulnerability by hosting a specially crafted website that is designed to exploit these vulnerabilities through components of Internet Explorer, and then convince a user to visit the website.

Mitigations
• An attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.
• Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Workarounds
• Microsoft has not identified any workarounds for this vulnerability.

MS13-100 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2904244)

Affected Software
• Microsoft SharePoint Server 2010
• Office Web Apps 2013
• SharePoint Server 2013

Severity | Important

| Deployment Priority | Update Replacement | More Information and/or Known Issues |
|---|---|---|
| 2 | MS13-067, MS13-084 | No |

Restart Requirement: A restart may be required.

Uninstall Support: This security update cannot be removed.

Detection and Deployment

| WU | MU | MBSA | WSUS | ITMU | SCCM |
|---|---|---|---|---|---|
| No | Yes | Yes | Yes | Yes | Yes |

Note: After you install this security update on all SharePoint servers, you must run the PSconfig tool to complete the installation.

Vulnerability Details
• Remote code execution vulnerabilities exist in Microsoft SharePoint Server that could allow an attacker who successfully exploited these vulnerabilities to run arbitrary code in the security context of the W3WP service account.

| CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-5059 | Important | Remote Code Execution | 1 | 1 | * | No | No | None |

Attack Vectors
• An authenticated attacker could attempt to exploit these vulnerabilities by sending specially crafted page content to a SharePoint server.

Mitigations
• An attacker must be able to authenticate on the target SharePoint site. Note that this is not a mitigating factor if the SharePoint site is configured to allow anonymous users to access the site. By default, anonymous access is not enabled.

Workarounds
• Microsoft has not identified any workarounds for this vulnerability.

MS13-101 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2880430)

Affected Software:
• Windows XP
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8/8.1
• Windows Server 2012/2012 R2
• Windows RT/RT 8.1

Severity | Important

| Deployment Priority | Update Replacement | More Information and/or Known Issues |
|---|---|---|
| 2 | MS13-081 | None |

Restart Requirement: This update requires a restart.

Uninstall Support: Use Add or Remove Programs in Control Panel.

Detection and Deployment

| WU | MU | MBSA | WSUS | ITMU | SCCM |
|---|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes | Yes |

Multiple updates for a given system can be applied in any sequence.

1. Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.

Vulnerability Details
• An elevation of privilege vulnerability exists in the way that the Win32k.sys kernel-mode driver validates address values in memory that could allow an attacker to execute arbitrary code with elevated privileges.
• An elevation of privilege vulnerability exists in the Microsoft Windows kernel that is caused when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code with elevated privileges.
• A denial of service vulnerability exists in the Microsoft Windows kernel that is caused when the Windows kernel improperly processes a specifically crafted TrueType font file. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding and restart.
• An elevation of privilege vulnerability exists in the way that the Windows audio port-class driver (portcls.sys) handles objects in memory that could allow an attacker to execute arbitrary code with elevated privileges.
• A denial of service vulnerability exists in the way that the Win32k.sys kernel-mode driver handles objects in memory that could allow an attacker to cause the target system to stop responding.

| CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-3899, CVE-2013-3907 | Important | Elevation of Privilege | NA | 2 | P | No | No | None |
| CVE-2013-3902 | Important | Elevation of Privilege | NA | 1 | P | No | No | None |
| CVE-2013-3903, CVE-2013-5058 | Moderate | Denial of Service | NA | NA | P | No | No | None |

Vulnerability Details (cont’d)

Attack Vectors

CVE-2013-3899, CVE-2013-3902, CVE-2013-3907
An attacker could run a specially crafted application that could exploit the vulnerability and take complete control over an affected system.

CVE-2013-3903
An attacker could embed a specially crafted TrueType font on a website and when the user visited the site, the browser would attempt to render the font. The specially crafted TrueType font could then exploit the vulnerability and cause the system to stop responding.

CVE-2013-5058
An attacker could execute a specially crafted application that would cause the target system to stop responding.

Mitigations

All
• An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.

Workarounds

All
• Microsoft has not identified any workarounds for the vulnerabilities.

MS13-102 Vulnerability in LRPC Client Could Allow Elevation of Privilege (2898715)

Affected Software

All editions of:
• Windows XP
• Windows Server 2003

Severity | Important

| Deployment Priority | Update Replacement | More Information and/or Known Issues |
|---|---|---|
| 2 | MS13-062 | No |

Restart Requirement: A restart is required.

Uninstall Support: Use Add or Remove Programs in Control Panel.

Detection and Deployment

| WU | MU | MBSA | WSUS | ITMU | SCCM |
|---|---|---|---|---|---|
| Yes | Yes | Yes | Yes | Yes | Yes |

Local RPC (LRPC) is an Inter-Process Communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different process that resides on the same computer. LRPC is a component of Microsoft RPC.

Vulnerability Details

An elevation of privilege vulnerability exists in Microsoft Local Procedure Call (LPC) where an attacker uses a specially crafted LPC port message to cause a stack-based buffer overflow condition on either the LPC client or server.

| CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-3878 | Important | Elevation of Privilege | NA | 1 | P | No | No | None |

Attack Vectors

An attacker who successfully exploited this vulnerability could use a specially crafted LPC server to return a specially crafted LPC port message to a legitimate LPC client, or use a specially crafted LPC client to return a specially crafted LPC port message to a legitimate LPC server.

Mitigations

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

MS13-103 Vulnerability in ASP.NET SignalR Could Allow Elevation of Privilege (2905244)

Affected Software:
• ASP.NET SignalR
• Microsoft Visual Studio Team Foundation Server 2013

Severity | Important

| Deployment Priority | Update Replacement | More Information and/or Known Issues |
|---|---|---|
| 3 | None | None |

Restart Requirement: This update may require a restart.

Uninstall Support: Use Add or Remove Programs in Control Panel.

Detection and Deployment

| WU | MU | MBSA | WSUS | ITMU | SCCM |
|---|---|---|---|---|---|
| No | Yes | Yes | Yes | Yes | Yes |

ASP.NET SignalR packages are available by updating your VS project via Manage NuGet Packages.

Vulnerability Details:
• An elevation of privilege vulnerability exists in ASP.NET SignalR that could allow an attacker access to resources in the context of the targeted user.

| CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-5042 | Important | Elevation of Privilege | 1 | 1 | * | No | No | None |

Attack Vectors

An attacker could reflect specially crafted JavaScript back to the user's browser, which could allow the attacker to modify page content, conduct phishing, or perform actions on behalf of the targeted user.

Mitigations

Microsoft has not identified any mitigations for this vulnerability.

Workarounds
• For Windows servers that host web applications using ASP.NET SignalR functionality, turning off the ASP.NET SignalR transport protocol provides temporary protection from the vulnerability.
• No workarounds for Microsoft Visual Studio Team Foundation Server 2013.

MS13-104 Vulnerability in Microsoft Office Could Allow Information Disclosure (2909976)

Affected Software
• Office 2013
• Office 2013 RT

Severity | Important

| Deployment Priority | Update Replacement | More Information and/or Known Issues |
|---|---|---|
| 3 | None | No |

Restart Requirement: A restart may be required.

Uninstall Support: Use Add or Remove Programs in Control Panel.

Detection and Deployment

| WU | MU | MBSA | WSUS | ITMU | SCCM |
|---|---|---|---|---|---|
| No | Yes | Yes [1] | Yes [1] | Yes [1] | Yes [1] |

Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.

Vulnerability Details

An information disclosure vulnerability exists when affected Microsoft Office software does not properly handle a specially crafted response while attempting to open an Office file hosted on the malicious website. An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site.

| CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-5054 | Important | Information Disclosure | 3 | NA | * | No | No | None |

Attack Vectors

Exploitation of this vulnerability requires that a user attempts to open an Office file hosted on a malicious website using an affected version of Microsoft Office software.

Mitigations
• A user must open an attachment that is sent in an email message or click a link contained inside an email message.
• For a web-based attack, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

MS13-105 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)

Affected Software
• Microsoft Exchange Server 2007
• Microsoft Exchange Server 2010
• Microsoft Exchange Server 2013

Severity | Critical

| Deployment Priority | Update Replacement | More Information and/or Known Issues |
|---|---|---|
| 2 | MS13-061 | No |

Restart Requirement: A restart is not required.

Uninstall Support: Use Add or Remove Programs in Control Panel.

Detection and Deployment

| WU | MU | MBSA | WSUS | ITMU | SCCM |
|---|---|---|---|---|---|
| No | Yes | Yes | Yes | Yes | Yes |

Addresses Oracle Outside In issues included in the October 2013 security update: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

Vulnerability Details
• Two remote code execution vulnerabilities exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature. The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser.
• One remote code execution vulnerability exists in Microsoft Exchange Server that could allow an attacker to run arbitrary code in the context of the Outlook Web Access (OWA) service account.
• One elevation of privilege vulnerability exists in Microsoft Exchange Server that could allow an attacker to run script in the context of the current user.

| CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-5763, CVE-2013-5791 | Critical | Remote Code Execution | 2 | 2 | P | Yes | No | None |
| CVE-2013-1330 | Critical | Remote Code Execution | 1 | 1 | * | Yes | No | None |
| CVE-2013-5072 | Important | Elevation of Privilege | 1 | 1 | * | No | No | None |

Vulnerability Details (cont’d)

Attack Vectors

CVE-2013-5763 and CVE-2013-5791
• An attacker could send an email message containing a specially crafted file to a user on an affected Exchange server.
• In Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013, the vulnerabilities could be exploited through the WebReady Document Viewing feature if a user previews an email message that contains a specially crafted file using Outlook Web App (OWA).
• In Exchange Server 2013, the vulnerabilities could be exploited through the Data Loss Prevention feature if an email message that contains a specially crafted file is received by the Exchange server.

CVE-2013-1330
• The attacker could send specially crafted content to the target server.

CVE-2013-5072
• The attacker could send a specially crafted URL, taking the user to the target server running OWA.

Mitigations

CVE-2013-5763 and CVE-2013-5791
• The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account, which has minimum privileges on the local computer and presents anonymous credentials on the network.
• The Filtering Management service in Exchange that is used for Data Loss Prevention is running in the LocalService account, which has minimum privileges on the local system and presents anonymous credentials on the network.

CVE-2013-1330 and CVE-2013-5072
Microsoft has not identified any mitigations for these vulnerabilities.

Workarounds

CVE-2013-5763 and CVE-2013-5791
• Disable Data Loss Prevention (Exchange Server 2013 only)
• Disable WebReady document view

CVE-2013-1330 and CVE-2013-5072
Microsoft has not identified any workarounds for these vulnerabilities.

MS13-106 Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass (2905238)

Affected Software
• Office 2007
• Office 2010

Severity | Important

| Deployment Priority | Update Replacement | More Information and/or Known Issues |
|---|---|---|
| 3 | None | No |

Restart Requirement: A restart may be required.

Uninstall Support: Use Add or Remove Programs in Control Panel.

Detection and Deployment

| WU | MU | MBSA | WSUS | ITMU | SCCM |
|---|---|---|---|---|---|
| No | Yes | Yes | Yes | Yes | Yes |

The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.

Vulnerability Details
• A security feature bypass exists in an Office shared component that does not properly implement Address Space Layout Randomization (ASLR). The vulnerability could allow an attacker to bypass the ASLR security feature, after which the attacker could load additional malicious code in the process in an attempt to exploit another vulnerability.

| CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory |
|---|---|---|---|---|---|---|---|---|
| CVE-2013-5057 | Important | Security Feature Bypass | NA | NA | * | Yes | Yes | None |

Attack Vectors
• An attacker could host a website that is used to attempt to exploit this vulnerability.
• Compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.

Mitigations
• The vulnerability cannot be exploited automatically through email. For an attack to be successful a user must open an attachment that is sent in an email message.
• An attacker would have to convince users to take action, typically by getting them to click a link in an email message or instant message that takes users to the attacker’s website.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

New Security

Advisories

Security Advisory (2905247): Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege

Microsoft is announcing the availability of an update for Microsoft ASP.NET to address a vulnerability in ASP.NET view state that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings. The vulnerability could allow elevation of privilege and affects all supported versions of Microsoft .NET Framework except .NET Framework 3.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1.

Any ASP.NET site for which view state MAC has become disabled through configuration settings is vulnerable to attack. An attacker who successfully exploited the vulnerability could use specially crafted HTTP content to inject code to be run in the context of the service account on the ASP.NET server. Microsoft is aware of general information available publicly that could be used to exploit this vulnerability, but is not aware of any active attacks.
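An added example, not part of the briefing and not Microsoft tooling: a small audit that reports where view state MAC validation has been switched off, either by enableViewStateMac="false" on the pages element of a web.config (site-wide or inside a location override) or by an EnableViewStateMac="false" attribute in a page's @ Page directive. The function names and the sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches an @ Page directive that switches view state MAC off for one page.
PAGE_DIRECTIVE = re.compile(
    r"<%@\s*Page\b[^>]*?\bEnableViewStateMac\s*=\s*[\"']?false\b", re.I | re.S)

def _local(tag):
    """Strip an XML namespace so older, namespaced web.config files still match."""
    return tag.rsplit("}", 1)[-1]

def audit_web_config(xml_text):
    """Return the scopes of a web.config in which <pages enableViewStateMac="false"> is set."""
    findings = []

    def walk(node, scope):
        for child in node:
            name = _local(child.tag)
            if name == "location":                  # per-path override block
                walk(child, child.get("path") or "(site root)")
            elif name == "system.web":
                for pages in child:
                    value = pages.get("enableViewStateMac", "true")
                    if _local(pages.tag) == "pages" and value.strip().lower() == "false":
                        findings.append(scope)

    walk(ET.fromstring(xml_text), "(site root)")
    return findings

def audit_page_source(aspx_text):
    """True if a page-level directive disables view state MAC for that page."""
    return PAGE_DIRECTIVE.search(aspx_text) is not None

# Constructed sample inputs (not taken from any real site).
SAMPLE_CONFIG = """<configuration>
  <system.web><pages enableViewStateMac="true" /></system.web>
  <location path="legacy/report.aspx">
    <system.web><pages enableViewStateMac="false" /></system.web>
  </location>
</configuration>"""
SAMPLE_PAGE = '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<html></html>'

if __name__ == "__main__":
    print("web.config scopes with MAC disabled:", audit_web_config(SAMPLE_CONFIG))
    print("page directive disables MAC:", audit_page_source(SAMPLE_PAGE))
```

Any scope or page this reports should have the setting removed so that the default (MAC validation enabled) applies.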

Security Advisory (2915720): Changes in Windows Authenticode Signature Verification

Microsoft is announcing the availability of an update for all supported releases of Windows to change how signatures are verified for binaries signed with the Windows Authenticode signature format. The change is included with Security Bulletin MS13-098, but will not be enabled until June 10, 2014. Once enabled, the new default behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure. Note that after June 10, 2014, Windows will no longer recognize non-compliant binaries as signed.
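An added example, not part of the briefing and not Windows' own verification logic: a heuristic that lets a software owner check signed binaries ahead of the change by locating the attribute certificate table of a PE file and reporting any WIN_CERTIFICATE entry that holds bytes after the end of its DER-encoded PKCS#7 signature. It assumes that fewer than 8 trailing zero bytes are alignment padding and that anything else counts as extraneous; the function names are chosen for illustration.

```python
import struct
import sys

def der_total_length(buf):
    """Size in bytes (header plus content) of the DER SEQUENCE at the start of buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("signature blob does not start with a DER SEQUENCE")
    if buf[1] < 0x80:                              # short-form length
        return 2 + buf[1]
    n = buf[1] & 0x7F                              # long form: n length octets follow
    if not 1 <= n <= 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def certificate_table(pe):
    """Raw attribute certificate table of a PE image (empty bytes if unsigned)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                            # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ or PE32 data directories
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: file offset, size
    return pe[offset:offset + size]

def extraneous_data(table):
    """List (entry index, byte count) for entries carrying data after the PKCS#7 blob."""
    findings, pos, index = [], 0, 0
    while pos + 8 <= len(table):
        dw_length, _revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if dw_length < 8 or pos + dw_length > len(table):
            raise ValueError("WIN_CERTIFICATE.dwLength runs past the table")
        body = table[pos + 8:pos + dw_length]
        if cert_type == 0x0002:                    # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            used = der_total_length(body)
            if used > len(body):
                raise ValueError("PKCS#7 blob is longer than dwLength allows")
            tail = body[used:]
            # Assumption: fewer than 8 zero bytes is alignment padding; anything else is extra.
            if len(tail) >= 8 or any(tail):
                findings.append((index, len(tail)))
        pos += (dw_length + 7) & ~7                # entries are 8-byte aligned
        index += 1
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:]:                      # PE files to inspect
        with open(path, "rb") as fh:
            print(path, extraneous_data(certificate_table(fh.read())))
```

An empty list means no entry carried trailing data; a non-empty list names the entries to re-sign or investigate before the stricter verification is enabled.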

New Security Advisories (cont’d)

Security Advisory (2871690): Update to Revoke Non-compliant UEFI Boot Loaders

Microsoft is announcing the availability of an update for Windows 8 and Windows Server 2012 that revokes the digital signatures for specific UEFI (Unified Extensible Firmware Interface) boot loaders. When the update is applied, the affected UEFI boot loaders will no longer be trusted and will not be loaded during UEFI Secure Boot. The affected UEFI boot loaders consist of specific Microsoft-signed boot loaders that are either not in compliance with our certification program or their authors have requested that the packages be revoked.

At the time of publication of this advisory, Microsoft is not aware of any misuse of the affected UEFI boot loaders. Microsoft is proactively revoking these non-compliant boot loaders as part of our ongoing efforts to protect customers. This action only affects systems running Windows 8 and Windows Server 2012 that are configured to use UEFI Secure Boot.

Rereleased Security Advisories

Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer

On December 10, 2013, Microsoft released an update (2907997) for Internet Explorer 10 on all supported editions of Windows 8, Windows RT, and Windows Server 2012, and for Internet Explorer 11 on Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-28. For more information about this update, including download links, see Microsoft Knowledge Base Article 2907997.

Microsoft Support Lifecycle

Lifecycle Changes

The following product families and service pack levels are scheduled to have their support lifecycle expire on January 14, 2014:

Product Family
• Live Communications Server 2003

Remember that support for the entire Windows XP product family will expire on 4/8/2014.

http://support.microsoft.com/lifecycle

December 2013 Security Bulletins

Bulletin | Description | Severity | Priority
MS13-096 | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution | Critical | 1
MS13-097 | Cumulative Security Update for Internet Explorer | Critical | 1
MS13-098 | Vulnerability in Windows Could Allow Remote Code Execution | Critical | 2
MS13-099 | Vulnerability in Microsoft Scripting Runtime Could Allow Remote Code Execution | Critical | 1
MS13-100 | Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution | Important | 2
MS13-101 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege | Important | 2
MS13-102 | Vulnerability in LRPC Client Could Allow Elevation of Privilege | Important | 2
MS13-103 | Vulnerability in SignalR Could Allow Elevation of Privilege | Important | 3
MS13-104 | Vulnerability in Microsoft Office Could Allow Information Disclosure | Important | 3
MS13-105 | Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution | Critical | 2
MS13-106 | Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass | Important | 3

Appendix

Malicious Software Removal Tool (MSRT) Updates

MSRT Changes

New malware families added to the December 2013 MSRT

Win32/Rotbrow
This family of trojans installs browser addons that claim to protect you from other addons. These addons can make changes to your home page and also install Win32/Sefnit.

Additional Tools

Microsoft Safety Scanner
• Same basic engine as the MSRT, but with a full set of A/V signatures

Windows Defender Offline
• An offline bootable A/V tool with a full set of signatures
• Designed to remove rootkits and other advanced malware that can't always be detected by antimalware programs
• Requires you to download an ISO file and burn a CD, DVD, or USB flash drive

Public Security Bulletin Links

Monthly Bulletin Links

• Microsoft Security Bulletin Summary for December 2013
  http://technet.microsoft.com/en-us/security/bulletin/ms13-dec
• Security Bulletin Search
  http://technet.microsoft.com/security/bulletin
• Security Advisories
  http://technet.microsoft.com/security/advisory
• Microsoft Technical Security Notifications
  http://technet.microsoft.com/en-us/security/dd252948.aspx

Blogs

• MSRC Blog
  http://blogs.technet.com/msrc
• SRD Team Blog
  http://blogs.technet.com/srd
• MMPC Team Blog
  http://blogs.technet.com/mmpc
• MSRC Ecosystem Team Blog
  http://blogs.technet.com/ecostrat

Supplemental Security Reference Articles

• Detailed Bulletin Information Spreadsheet
  http://go.microsoft.com/fwlink/?LinkID=245778
• Security Tools for IT Pros
  http://technet.microsoft.com/en-us/security/cc297183
• KB894199 Description of Software Update Services and Windows Server Update Services changes in content
  http://support.microsoft.com/kb/894199
• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software
  http://support.microsoft.com/kb/890830

December 2013 Manageability Tools Reference

Bulletin | Windows Update (1) | Microsoft Update (1) | MBSA (2) | WSUS | SMS ITMU | SCCM
MS13-096 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-097 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-098 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-099 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-100 | No | Yes | Yes | Yes | Yes | Yes
MS13-101 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-102 | Yes | Yes | Yes | Yes | Yes | Yes
MS13-103 | No | Yes | Yes | Yes | Yes | Yes
MS13-104 | No | Yes | Yes | Yes | Yes | Yes
MS13-105 | No | Yes | Yes | Yes | Yes | Yes
MS13-106 | No | Yes | Yes | Yes | Yes | Yes

1. Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
2. Microsoft Baseline Security Analyzer (MBSA) v2.3 now supports Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

MBSA 2.3

MBSA 2.3 Now Available

The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. MBSA 2.3 release now provides support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

Tool Information

• Available at the Download Center at http://www.microsoft.com/download/details.aspx?id=7558
• Windows 2000 will no longer be supported with this release.

Public Security Bulletin Links, Portuguese, LATAM

GBS Security Worldwide Programs

Bulletin Links in Portuguese

• Microsoft Security Bulletin Summary for December 2013
  http://technet.microsoft.com/pt-br/security/bulletin/ms13-dec
• Security Bulletin Search
  http://technet.microsoft.com/pt-br/security/bulletin
• Security Advisories
  http://technet.microsoft.com/pt-br/security/advisory
• Microsoft Technical Security Notifications
  http://technet.microsoft.com/pt-br/security/dd252948.aspx

Blogs

• Negócios de Risco
  http://blogs.technet.com/b/risco/
• MSRC Blog
  http://blogs.technet.com/msrc
• SRD Team Blog
  http://blogs.technet.com/srd
• MMPC Team Blog
  http://blogs.technet.com/mmpc
• MSRC Ecosystem Team Blog
  http://blogs.technet.com/ecostrat

Supplemental Security Reference Articles

• Detailed Bulletin Information Spreadsheet
  http://go.microsoft.com/fwlink/?LinkID=245778
• Security Tools for IT Pros
  http://technet.microsoft.com/pt-br/security/cc297183
• KB894199 Description of Software Update Services and Windows Server Update Services changes in content
  http://support.microsoft.com/kb/894199
• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software
  http://support.microsoft.com/kb/890830

Portuguese Webcast, January

Portuguese Webcast (External)

• JANUARY WEBCAST - CUSTOMERS: 16 December 2013, 15:30 (Brasília)

See our blog to register:

Negócios de Risco
• http://blogs.technet.com/b/risco/

[email protected]