Monthly Security
Bulletin Briefing
September 2014
CSS Security Worldwide Programs
• Teresa Ghiorzoe
Security Program Manager - GBS LATAM
• Daniel Mauser
Senior Technical Lead - LATAM CTS
Security Blog: http://blogs.technet.com/b/risco/
Twitter: LATAMSRC
Email: [email protected]
Slide 2
Security Bulletin Release Overview - September 2014
New Security Bulletins: 4 (Critical: 1, Important: 3)
Security Advisories: 0
Rereleased Security Advisories: 3
Other content
• Product Support Lifecycle Info
Appendix
• Public Webcast Details
• Manageability Tools Reference
• Related Resources
Slide 3
Security Bulletin Release Overview - September 2014
Bulletin | Impact | Component | Severity | Priority | Exploit Index | Publicly Known | Publicly Exploited
MS14-052 | Remote Code Execution | IE | Critical | 1 | 0 | Yes | Yes
MS14-053 | Denial of Service | .NET | Important | 3 | 3 | No | No
MS14-054 | Elevation of Privilege | Task Scheduler | Important | 2 | 1 | No | No
MS14-055 | Denial of Service | Lync | Important | 2 | 3 | No | No
Exploitability Index: 0 – Exploitation Detected | 1 - Exploitation more likely | 2 – Exploitation less likely | 3 – Exploitation unlikely | NA - Not Affected
Slide 4
MS14-052 Cumulative Security Update for Internet Explorer (2977629)
Affected Software
• Internet Explorer 6 on Windows Server 2003
• Internet Explorer 7 on Windows Server 2003, Windows Vista, and Windows Server 2008.
• Internet Explorer 8 on Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
• Internet Explorer 9 on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
• Internet Explorer 10 on Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT.
• Internet Explorer 11 on Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
Severity | Critical
Deployment Priority | 1
Update Replacement | MS14-051
More Information and / or Known Issues
• Outdated ActiveX blocking: KB2991000
• Out-of-date ActiveX control blocking: http://technet.microsoft.com/en-us/library/dn761713.aspx
Uninstall Support
• Use the Add or Remove Programs Control Panel applet
Restart Requirement
• A restart is required
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
Note: Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
Slide 5
MS14-052 Cumulative Security Update for Internet Explorer (2977629)
Vulnerability Details
• Remote code execution vulnerabilities exist when Internet Explorer improperly accesses objects in memory. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
• An information disclosure vulnerability exists in Internet Explorer which allows resources loaded into memory to be queried. This vulnerability could allow an attacker to detect anti-malware applications in use on a target and use the information to avoid detection.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
Multiple | Critical | Remote Code Execution | 1 | 1 | * | No | No | No
CVE-2013-7331 | Important | Information Disclosure | 0 | 0 | * | Yes | Yes | No
Attack Vectors
• Attacker hosts a malicious website utilizing the vulnerability, then convinces users to visit the site.
• Attacker takes advantage of compromised websites and/or sites hosting ads from other providers.
Mitigations
• Attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email. No way for attacker to force user to view malicious content.
• Exploitation only gains the same user rights as the logged-on account.
• By default, all Microsoft email clients open HTML email messages in the Restricted Sites zone.
• By default, Internet Explorer runs in Enhanced Security Configuration mode for all Windows Servers.
Workarounds
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
• Add sites that you trust to the Internet Explorer Trusted sites zone.
• CVE-2013-7331: Read email messages in plain text.
Exploitability Index (XI): 0 – Exploitation Detected | 1 – Exploitation more likely | 2 – Exploitation less likely | 3 - Exploitation unlikely | NA - Not Affected
DoS Rating: T - Temporary (DoS ends when attack ceases) | P - Permanent (Administrative action required to recover) | * - Not Applicable
Slide 6
MS14-053 Vulnerability in .NET Framework Could Allow Denial of Service (2990931)
Affected Software
• Microsoft .NET Framework 1.1 SP1
• Microsoft .NET Framework 2.0 SP2
• Microsoft .NET Framework 3.0 SP2
• Microsoft .NET Framework 3.5
• Microsoft .NET Framework 3.5.1
• Microsoft .NET Framework 4.0
• Microsoft .NET Framework 4.5/4.5.1/4.5.2
On all supported editions of:
• Windows Server 2003
• Windows Vista
• Windows Server 2008
• Windows 7
• Windows Server 2008 R2
• Windows 8 and 8.1
• Windows Server 2012 and 2012 R2
Severity | Important
Deployment Priority | 3
Update Replacement | MS13-004, MS14-009, MS13-052
More Information and / or Known Issues | None
Restart Requirement
• A restart may be required
Uninstall Support
• Use Add or Remove Programs in Control Panel
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
Slide 7
MS14-053 Vulnerability in .NET Framework Could Allow Denial of Service (2990931)
Vulnerability Details
• A denial of service vulnerability exists in the way that Microsoft .NET Framework handles specially crafted requests, causing a hash collision. An attacker who successfully exploited this vulnerability could send a small number of specially crafted requests to a .NET server, causing performance to degrade significantly enough to cause a denial of service condition.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-4072 | Important | Denial of Service | 3 | 3 | P | No | No | No
Attack Vectors
• Attacker sends a small number of specially crafted requests to .NET-enabled website.
Mitigations
• By default, ASP.NET is not installed when Microsoft .NET Framework is installed on any supported edition of Microsoft Windows.
Workarounds
• For .NET Framework 4.5 and higher: Enable UseRandomizedStringHashAlgorithm application configuration runtime setting for desktop applications.
Exploitability Index (XI): 0 – Exploitation Detected | 1 – Exploitation more likely | 2 – Exploitation less likely | 3 - Exploitation unlikely | NA - Not Affected
DoS Rating: T - Temporary (DoS ends when attack ceases) | P - Permanent (Administrative action required to recover) | * - Not Applicable
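Why the MS14-053 workaround matters, as an added example that is not from the bulletin: with a fixed string hash, keys chosen to collide all land in one bucket and inserts degrade to quadratic work, while a per-process keyed hash spreads the same keys out. The 31-multiplier hash, the keyed BLAKE2b stand-in and the 64-bucket table are assumptions for illustration, not the .NET implementation.

```python
import hashlib
import itertools
import os

BUCKETS = 64  # size of the toy chained hash table (assumed for the demo)


def fixed_hash(s):
    """Toy deterministic polynomial hash; NOT the real .NET string hash."""
    h = 0
    for ch in s:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h


def make_keyed_hash(seed):
    """Stand-in for a randomized hash: BLAKE2b keyed with a secret seed."""
    def keyed(s):
        digest = hashlib.blake2b(s.encode(), digest_size=8, key=seed).digest()
        return int.from_bytes(digest, "big")
    return keyed


def colliding_keys(blocks):
    """Constructed input: "Aa" and "BB" hash identically under fixed_hash,
    so every concatenation of `blocks` such pairs collides (2**blocks keys)."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=blocks)]


def insert_cost(keys, hash_fn):
    """Insert keys into a chained table; return (comparisons, longest chain)."""
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = table[hash_fn(key) % BUCKETS]
        comparisons += len(chain)  # each insert scans the chain for duplicates
        chain.append(key)
    return comparisons, max(len(c) for c in table)


if __name__ == "__main__":
    keys = colliding_keys(8)
    print("fixed hash :", insert_cost(keys, fixed_hash))
    print("keyed hash :", insert_cost(keys, make_keyed_hash(os.urandom(16))))
```

In .NET Framework 4.5 and later the corresponding switch is the UseRandomizedStringHashAlgorithm element with enabled="1" under the runtime section of the application configuration file.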
Slide 8
MS14-054 Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (2988948)
Affected Software
• Windows 8, Windows 8.1
• Windows Server 2012 and 2012 R2
• Windows RT and RT 8.1
Severity | Important
Deployment Priority | 2
Update Replacement | None
More Information and / or Known Issues | None
Restart Requirement
• A restart is required
Uninstall Support
• Use the Add or Remove Programs Control Panel applet.
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
Yes | Yes | Yes | Yes | Yes | Yes
Note: Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
Exploitability Index (XI): 1 - Exploit code likely | 2 - Exploit code difficult | 3 - Exploit code unlikely | NA - Not Affected
DoS Rating: T - Temporary (DoS ends when attack ceases) | P - Permanent (Administrative action required to recover) | * - Not Applicable
Slide 9
MS14-054 Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege (2988948)
Vulnerability Details:
• An elevation of privilege vulnerability exists in how Windows Task Scheduler improperly conducts integrity checks on tasks. An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-4074 | Important | Remote Code Execution | 1 | 1 | * | No | No | None
Attack Vectors
• Attacker would first have to log on to the system, then run a specially crafted application that could exploit the vulnerability and take complete control over an affected system.
Mitigations
• Attacker must be able to log on locally to the system.
Workarounds
• Disable Task Scheduler service.
Exploitability Index (XI): 0 – Exploitation Detected | 1 – Exploitation more likely | 2 – Exploitation less likely | 3 - Exploitation unlikely | NA - Not Affected
DoS Rating: T - Temporary (DoS ends when attack ceases) | P - Permanent (Administrative action required to recover) | * - Not Applicable
Slide 10
MS14-055 Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928)
Affected Software
• Microsoft Lync Server 2010
• Microsoft Lync Server 2013
Severity | Important
Deployment Priority | 2
Update Replacement | MS14-032
More Information and / or Known Issues | Prerequisite – see below
Restart Requirement
• A restart may be required
Uninstall Support
• Use Add or Remove Programs in Control Panel
Detection and Deployment
WU | MU | MBSA | WSUS | ITMU | SCCM
No | Yes | Yes | Yes | Yes | Yes
Latest cumulative update for Lync Server:
• For Lync Server 2013: http://support.microsoft.com/kb/2809243
• For Lync Server 2010: http://support.microsoft.com/kb/2493736
Slide 11
MS14-055 Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service (2990928)
Vulnerability Details
• Two denial of service vulnerabilities exist in Lync Server. An attacker who successfully exploited these vulnerabilities could cause the affected system to stop responding.
• A reflected cross-site scripting (XSS) vulnerability which could result in information disclosure exists when Lync Server fails to properly sanitize specially crafted content. An attacker who successfully exploited this vulnerability could potentially execute scripts in the user’s browser to obtain information from web sessions.
CVE | Severity | Impact | XI Latest | XI Legacy | XI DoS | Public | Exploited | Advisory
CVE-2014-4068 | Important | Denial of Service | 3 | 3 | T | No | No | None
CVE-2014-4071 | Important | Denial of Service | 3 | NA | T | No | No | None
CVE-2014-4070 | Important | Information Disclosure | 3 | NA | * | No | No | None
Attack Vectors
• CVE-2014-4068 & 4071: Attacker executes a specially crafted request to a Lync server.
• CVE-2014-4070: Attacker hosts a malicious website utilizing the vulnerability, then convinces users to visit the site.
• Attacker takes advantage of compromised websites and/or sites hosting ads from other providers.
• Email: Attacker sends an email containing a URL linking to the malicious web site and convinces user to click the link.
Mitigations
• Microsoft has not identified any mitigating factors for these vulnerabilities.
Workarounds
• CVE-2014-4070: Read email messages in plain text.
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
• Add sites that you trust to the Internet Explorer Trusted sites zone.
• CVE-2014-4068 & 4071: no workarounds
Exploitability Index (XI): 0 – Exploitation Detected | 1 – Exploitation more likely | 2 – Exploitation less likely | 3 - Exploitation unlikely | NA - Not Affected
DoS Rating: T - Temporary (DoS ends when attack ceases) | P - Permanent (Administrative action required to recover) | * - Not Applicable
Slide 12
(2905247) Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege
Rereleased Security Advisory
What Has Changed?
This advisory was rereleased to offer the security update via Microsoft Update, in addition to
the download-center-only option that was provided when this advisory was originally
released.
Furthermore, the updates for some of the affected .NET Framework versions were rereleased
to address an issue that occasionally caused Page.IsPostBack to return an incorrect value.
Executive Summary
Microsoft is announcing the availability of an update for Microsoft ASP.NET to address a
vulnerability in ASP.NET view state that exists when Machine Authentication Code (MAC)
validation is disabled through configuration settings. The vulnerability could allow elevation of
privilege and affects Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework
2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft
.NET Framework 4, and Microsoft .NET Framework 4.5/4.5.1.
Recommendations
Most customers have automatic updating enabled and will not need to take any action
because this security update will be downloaded and installed automatically. For information
about specific configuration options in automatic updating, see Microsoft Knowledge Base
Article 294871. For customers who do not have automatic updating enabled, the steps in Turn automatic updating on or off can be used to enable automatic updating.
More Information http://technet.microsoft.com/library/2905247
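One way to find the configuration this advisory describes, as an added example rather than Microsoft's tooling: the script flags web.config scopes and @ Page directives that set enableViewStateMac to false. The file names and contents in SAMPLES are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (illustrative; not taken from the advisory).
SAMPLES = {
    "site/web.config": """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
  <location path="reports">
    <system.web><pages enableViewStateMac="true" /></system.web>
  </location>
</configuration>""",
    "site/admin/web.config": """<configuration>
  <system.web><pages validateRequest="true" /></system.web>
</configuration>""",
    "site/legacy/export.aspx":
        '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<html></html>',
}

# Page-level override: <%@ Page ... EnableViewStateMac="false" ... %>
PAGE_DIRECTIVE = re.compile(
    r"<%@\s*Page\b[^%]*?\bEnableViewStateMac\s*=\s*[\"']?false", re.I | re.S)


def children(elem, tag):
    """Direct children with the given tag name."""
    return [c for c in elem if c.tag == tag]


def audit_config(xml_text):
    """Return the config scopes where view state MAC validation is disabled."""
    root = ET.fromstring(xml_text)
    scopes = [("(root)", root)]
    scopes += [(loc.get("path", "(root)"), loc) for loc in children(root, "location")]
    hits = []
    for name, scope in scopes:
        for sysweb in children(scope, "system.web"):
            for pages in children(sysweb, "pages"):
                # Attribute absent means the default (validation on).
                if pages.get("enableViewStateMac", "true").strip().lower() == "false":
                    hits.append(name)
    return hits


def audit_tree(files):
    """Map each offending file to the places where the MAC is switched off."""
    report = {}
    for path, text in files.items():
        if path.lower().endswith(".config"):
            scopes = audit_config(text)
            if scopes:
                report[path] = ["pages@" + s for s in scopes]
        elif PAGE_DIRECTIVE.search(text):
            report[path] = ["@ Page directive"]
    return report


if __name__ == "__main__":
    for path, where in sorted(audit_tree(SAMPLES).items()):
        print(path, "->", ", ".join(where))
```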
Slide 13
(2871997) Update to Improve Credentials Protection and Management
Rereleased Security Advisory
What Has Changed?
On September 9, 2014, Microsoft released the 2982378 update for supported editions of
Windows 7 and Windows Server 2008 R2. The update adds additional protection for users’
credentials when logging into a Windows 7 or Windows Server 2008 R2 system by ensuring
that credentials are cleaned up immediately instead of waiting until a Kerberos TGT (Ticket
Granting Ticket) has been obtained. For more information about this update, including
download links, see Microsoft Knowledge Base Article 2982378.
Executive Summary
Microsoft is announcing the availability of an update for supported editions of Windows 8 for
32-bit Systems, Windows 8 for x64-based Systems, Windows RT, Windows Server 2012,
Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for
x64-based Systems, and Windows 2008 R2 for Itanium-based Systems that improves
credential protection and domain authentication controls to reduce credential theft. This
update provides additional protection for the Local Security Authority (LSA), adds a restricted
admin mode for Credential Security Support Provider (CredSSP), introduces support for
protected account-restricted domain user category, and enforces stricter authentication
policies for Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
machines as clients.
Recommendations
Microsoft recommends that customers apply the update immediately using update
management software, or by checking for updates using the Microsoft Update service.
More Information
Microsoft Security Advisory 2871997
https://technet.microsoft.com/library/2871997.aspx
Slide 14
(2755801) Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
Rereleased Security Advisory
What Has Changed?
Microsoft updated this advisory to announce the availability of a new update for Adobe Flash
Player. On September 9, 2014, Microsoft released an update (2987114) for Internet Explorer 10
on Windows 8, Windows Server 2012, and Windows RT, and for Internet Explorer 11 on
Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the
vulnerabilities described in Adobe Security bulletin APSB14-21. For more information about
this update, including download links, see Microsoft Knowledge Base Article 2987114.
Executive Summary
Microsoft is announcing the availability of an update for Adobe Flash Player in Internet
Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT,
Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the
vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained
within Internet Explorer 10 and Internet Explorer 11.
Recommendations
Microsoft recommends that customers apply the current update immediately using update
management software, or by checking for updates using the Microsoft Update service. Since
the update is cumulative, only the current update will be offered. Customers do not need to install previous updates as a prerequisite for installing the current update.
More Information http://technet.microsoft.com/library/2755801
Slide 15
Support Lifecycle
Product Families and Service Packs Reaching End of Support
Product Families
• Nothing scheduled to enter Extended Support in September
Service Packs
• No Service Packs expiring in September
• October: Office 2010 SP1, Project 2010 SP1, SharePoint Server 2010 SP1, Visio 2010 SP1
More Information
Microsoft Support Lifecycle information
http://support.microsoft.com/lifecycle/
Slide 16
Security Bulletin Summary - September 2014
Bulletin | Bulletin title | Severity | Priority
MS14-052 | Cumulative Security Update for Internet Explorer | Critical | 1
MS14-053 | Vulnerability in .NET Framework Could Allow Denial of Service | Important | 3
MS14-054 | Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege | Important | 2
MS14-055 | Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service | Important | 2
Appendix
Slide 18
Related Resources
MSRT Changes, Tools, and Public Security Bulletin Webcast
Malicious Software Removal Tool (MSRT)
Win32/Zemot – The threat is used by other malware to download more malware onto your PC. This
means that if you have this malware, it's highly likely you also have Win32/Kuluoz, Win32/Zbot,
Win32/Rovnix, or others.
Additional Malware Removal Tools
Microsoft Safety Scanner
• Same basic engine as the MSRT, but with a full set of A/V signatures.
Windows Defender Offline
• An offline bootable A/V tool with a full set of signatures.
• Designed to remove rootkits and other advanced malware that can't always be detected by
antimalware programs.
• Requires you to download an ISO file and burn a CD, DVD, or USB flash drive.
Public Webcast
Information About Microsoft's Security Bulletins
Wednesday, September 10, 2014, 11:00 A.M. Pacific Time (US & Canada)
Details at: http://technet.microsoft.com/security/dn756352
Microsoft Security Blogs
Microsoft Security Response Center Blog: http://blogs.technet.com/msrc
Microsoft Security Research Defense Blog: http://blogs.technet.com/srd
Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc
Microsoft Security Development Lifecycle Blog: http://blogs.technet.com/sdl
Slide 19
Detection & Deployment (Manageability Tools) Reference - September 2014
Bulletin | Windows Update (1) | Microsoft Update (1) | MBSA | WSUS | SMS ITMU | SCCM
MS14-052 | Yes | Yes | Yes | Yes | Yes | Yes
MS14-053 | Yes | Yes | Yes | Yes | Yes | Yes
MS14-054 | Yes | Yes | Yes | Yes | Yes | Yes
MS14-055 | No | Yes | Yes | Yes | Yes | Yes
1. Windows RT devices can only be serviced with Windows Update, Microsoft Update, and the Windows Store.
Public Links for the Security Bulletins - Portuguese LATAM
Bulletin Links in Portuguese
• Microsoft Security Bulletin Summary for Sep 2014
http://technet.microsoft.com/pt-br/security/bulletin/ms14-sep
• Security Bulletin Search
http://technet.microsoft.com/pt-br/security/bulletin
• Security Advisories
http://technet.microsoft.com/pt-br/security/advisory
• Microsoft Technical Security Notifications
http://technet.microsoft.com/pt-br/security/dd252948.aspx
Blogs
• Negócios de Risco
http://blogs.technet.com/b/risco/
• MSRC Blog
http://blogs.technet.com/msrc
• SRD Team Blog
http://blogs.technet.com/srd
• MMPC Team Blog
http://blogs.technet.com/mmpc
• MSRC Ecosystem Team Blog
http://blogs.technet.com/ecostrat
Supplemental Security Reference Articles
• Detailed Bulletin Information Spreadsheet
http://go.microsoft.com/fwlink/?LinkID=245778
• Security Tools for IT Pros
http://technet.microsoft.com/pt-br/security/cc297183
• KB894199 Description of Software Update Services and Windows Server Update Services changes in content
http://support.microsoft.com/kb/894199
• The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software
http://support.microsoft.com/kb/890830
• Mybulletins
http://mybulletins.technet.microsoft.com/
Portuguese Webcast - October
Portuguese Webcast (External)
WEBCAST – CUSTOMERS
https://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032575592
October 16, 2014
15:30 Brasília time
To receive an invitation to the conference, write to [email protected]