July 2013 Microsoft Security Bulletins

Jonathan Ness, Security Development Manager
Dustin Childs, Group Manager, Response Communications

To receive our video stream in LiveMeeting: click on “Voice & Video”, click the drop down next to the camera icon, and select “Show Main Video”.


Live Video Stream

• To receive our video stream in LiveMeeting:
  - Click on “Voice & Video”
  - Click the drop down next to the camera icon
  - Select “Show Main Video”
• Dial-in Information: 1 (877) 593-2001, PIN: 3959

Page 3: To receive our video stream in LiveMeeting: - Click on “Voice & Video” - Click the drop down next to the camera icon - Select “Show Main Video” Dial-in.

What We Will Cover

• Review of July 2013 Bulletin Release Information
  - Seven New Security Bulletins
  - One Updated Security Advisory
  - Microsoft Windows Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now
  - Submit Questions via Twitter #MSFTSecWebcast


Severity & Exploitability Index

[Chart: each bulletin is plotted by Exploitability Index (1 to 3, horizontal axis labelled RISK) against aggregate Severity (Critical, Important, Moderate, Low; vertical axis labelled IMPACT), with a "DP" row giving the deployment priority. The plotted values are:]

Bulletin | Component | Severity | Exploitability Index | Deployment Priority (DP)
MS13-052 | .NET Framework / Silverlight | Critical | 1 | 2
MS13-053 | Kernel-Mode Drivers | Critical | 1 | 1
MS13-054 | GDI+ | Critical | 1 | 2
MS13-055 | Internet Explorer | Critical | 1 | 1
MS13-056 | DirectShow | Critical | 1 | 2
MS13-057 | Media Format Runtime | Critical | 2 | 2
MS13-058 | Windows Defender | Important | 1 | 3

Bulletin Deployment Priority

Bulletin | Product / Component | KB # | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority
MS13-055 | Internet Explorer | 2846071 | Private | Critical | 1 | RCE | 1
MS13-053 | Kernel-Mode Driver | 2850851 | Public | Critical | 1 | RCE | 1
MS13-054 | GDI+ | 2848295 | Private | Critical | 1 | RCE | 2
MS13-052 | .NET/Silverlight | 2861561 | Public | Critical | 1 | RCE | 2
MS13-056 | DirectShow | 2845187 | Private | Critical | 1 | RCE | 2
MS13-057 | Media Format Runtime | 2847883 | Private | Critical | 2 | RCE | 2
MS13-058 | Windows Defender | 2847927 | Private | Important | 1 | EoP | 3
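The PowerShell script below is an added example written for this page; it is not part of the webcast deck and not a Microsoft tool. It takes the KB numbers and deployment priorities from the table above and reports which updates the local servicing store does not contain, highest priority first. It is written against PowerShell 2.0 (the Windows 7 baseline). It assumes that, for the single-package bulletins, the installed package carries the same KB number as the bulletin article; for MS13-052 and MS13-054, which ship several packages, the per-package KB numbers from the bulletin's Affected Software table have to be added to the list.

```powershell
# Added example, not from the deck: report which of the July 2013 updates the
# local servicing store does not contain, listed by the deployment priority the
# slide above assigns. Written for PowerShell 2.0 (the Windows 7 baseline).
#
# Caveats:
#  - Get-HotFix only sees packages recorded in the Windows servicing store. An
#    update superseded by a later cumulative update (Internet Explorer in
#    particular) may no longer appear under its original KB number.
#  - The KB on the slide is the bulletin article. For bulletins that ship
#    several packages (MS13-052 and MS13-054 here), the installed packages carry
#    their own KB numbers; add them to the KBs list from the bulletin's Affected
#    Software table. Using the bulletin KB for the single-package bulletins is
#    an assumption of this example.
#  - Products not serviced by Windows Update (Office, Lync, Visual Studio,
#    Silverlight on a Mac) are invisible here.
#  So read "MISSING" as "verify with MBSA/WSUS", not as "confirmed vulnerable".

# Bulletin, severity, priority and KB copied from the Bulletin Deployment
# Priority table above.
$bulletins = @(
    @{ Bulletin = 'MS13-055'; Component = 'Internet Explorer';          Severity = 'Critical';  Priority = 1; KBs = @('KB2846071') },
    @{ Bulletin = 'MS13-053'; Component = 'Kernel-Mode Drivers';        Severity = 'Critical';  Priority = 1; KBs = @('KB2850851') },
    @{ Bulletin = 'MS13-054'; Component = 'GDI+';                       Severity = 'Critical';  Priority = 2; KBs = @('KB2848295') },
    @{ Bulletin = 'MS13-052'; Component = '.NET Framework/Silverlight'; Severity = 'Critical';  Priority = 2; KBs = @('KB2861561') },
    @{ Bulletin = 'MS13-056'; Component = 'DirectShow';                 Severity = 'Critical';  Priority = 2; KBs = @('KB2845187') },
    @{ Bulletin = 'MS13-057'; Component = 'Media Format Runtime';       Severity = 'Critical';  Priority = 2; KBs = @('KB2847883') },
    @{ Bulletin = 'MS13-058'; Component = 'Windows Defender';           Severity = 'Important'; Priority = 3; KBs = @('KB2847927') }
)

# One read of the servicing store; HotFixID values look like "KB2846071".
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })

$report = foreach ($b in $bulletins) {
    # Matching any one of the bulletin's package KBs counts as installed.
    $found = @($b.KBs | Where-Object { $installed -contains $_ })
    if ($found.Count -gt 0) { $status = 'Installed' } else { $status = 'MISSING' }
    New-Object PSObject -Property @{
        Priority  = $b.Priority
        Bulletin  = $b.Bulletin
        Severity  = $b.Severity
        Component = $b.Component
        KBs       = ($b.KBs -join ', ')
        Status    = $status
    }
}

$report |
    Sort-Object Priority, Bulletin |
    Format-Table Priority, Bulletin, Severity, Component, KBs, Status -AutoSize

# A non-zero exit code lets a scheduled task or configuration-management run
# flag the host.
$missing = @($report | Where-Object { $_.Status -eq 'MISSING' })
Write-Host ("{0} of {1} bulletins have no package in the servicing store." -f $missing.Count, $bulletins.Count)
if ($missing.Count -gt 0) { exit 1 }
```

Run it in an elevated prompt on the host being assessed; the exit code is 1 when anything is missing, so the same script can be dropped into a compliance job unchanged.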


MS13-052: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)

CVE | Severity | Exploitability Index (latest / older versions) | Impact | Disclosure
CVE-2013-3129 | Critical | 1 / 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3131 | Critical | 2 / 2 | Remote Code Execution | Publicly Disclosed
CVE-2013-3132 | Important | 3 / 3 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3133 | Important | 3 / 3 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3134 | Critical | 2 / 2 | Remote Code Execution | Publicly Disclosed
CVE-2013-3171 | Important | 3 / 3 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3178 | Important | 1 / 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products (severity levels are aggregate; see the bulletin for specifics): .NET Framework 1.0 and 1.1 on all supported versions of Windows Client and Windows Server; .NET Framework 2.0, 3.0, 3.5, 3.5.1, 4, and 4.5 on all supported versions of Windows Client and Windows Server; all editions of Silverlight 5, including when installed on Mac
Affected Components: .NET Framework, Silverlight
Deployment Priority: 2
Main Target: Workstations


MS13-052: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561) (Cont’d)

Possible Attack Vectors
• Web-based: an attacker could host a specially crafted website designed to exploit this vulnerability and then convince a user to view the website (CVE-2013-3129)
• File sharing: an attacker could provide a specially crafted document file designed to exploit this vulnerability and then convince a user to open the document file (CVE-2013-3129)
• Local attack: an attacker could exploit this vulnerability by running a specially crafted application to take complete control over the affected system. However, the attacker must have valid logon credentials and be able to log on locally (CVE-2013-3129)
• Web-based: an attacker could host a website that contains a specially crafted Silverlight application designed to exploit this vulnerability and then convince a user to view the website (CVE-2013-3131, 3178)
• .NET application: in a .NET application attack scenario, an attacker could modify the array data in a manner that would allow for remote code execution (CVE-2013-3131, 3134)
• Web-based: an attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that could exploit this vulnerability and then convince a user to view the website (CVE-2013-3132, 3133, 3171)
• These vulnerabilities could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions (CVE-2013-3132, 3133, 3171)

Impact of Attack
• An attacker could run arbitrary code in kernel mode (CVE-2013-3129)
• In a .NET application attack scenario, an attacker could obtain the same permissions as the currently logged-on user (CVE-2013-3131, 3133, 3134, 3171)
• In a web-browsing scenario, an attacker could execute arbitrary code on behalf of the targeted user (CVE-2013-3131, 3133, 3171, 3178)
• An attacker could take complete control of the affected system (CVE-2013-3132)

Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content (all CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone (all CVEs)

Additional Information
• Installations using Server Core are affected
• .NET Framework 4 and .NET Framework 4 Client Profile are affected


MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)

CVE | Severity | Exploitability Index (latest / older versions) | Impact | Disclosure
CVE-2013-1300 | Important | 1 / 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-1340 | Important | 3 / 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-1345 | Important | 3 / 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3129 | Critical | 1 / 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3167 | Important | NA / 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3172 | Moderate | (not listed) | Denial of Service | Publicly Disclosed
CVE-2013-3173 | Important | 1 / 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3660 | Critical | 3 / 3 | Remote Code Execution | Publicly Disclosed

Affected Products: All supported versions of Windows Client and Windows Server
Affected Components: Kernel-Mode Drivers
Deployment Priority: 1
Main Target: Workstations

Possible Attack Vectors
• Web-based: an attacker could host a specially crafted website designed to exploit this vulnerability and then convince a user to view the website (CVE-2013-3129, 3660)
• File sharing: an attacker could provide a specially crafted document file designed to exploit this vulnerability and then convince a user to open the document file (CVE-2013-3129, 3660)
• Local attack: an attacker could also exploit this vulnerability by running a specially crafted application to take complete control over the affected system; the attacker must have valid logon credentials (CVE-2013-3129, 3660)
• An attacker would first have to log on to the system and could then run a specially crafted application designed to increase privileges (CVE-2013-1300, 1340, 1345, 3167, 3173)
• For an attacker to exploit this vulnerability, a user would have to execute a specially crafted application (CVE-2013-3172)


MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851) (Cont’d)

Impact of Attack
• An attacker could run arbitrary code in kernel mode (CVE-2013-3129)
• An attacker could run processes in an elevated context (CVE-2013-1300, 1340, 1345, 3167, 3173)
• An attacker could cause the target system to stop responding (CVE-2013-3172)
• In most scenarios, an attacker could achieve elevation of privilege on the target system. It is also theoretically possible, but unlikely due to memory randomization, that an attacker could achieve remote code execution (CVE-2013-3660)

Mitigating Factors
• An attacker must have valid logon credentials and be able to log on to exploit this vulnerability (CVE-2013-1300, 1340, 1345, 3167, 3173)
• Microsoft has not identified any mitigating factors for this vulnerability (CVE-2013-3660)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone, which disables font download by default (CVE-2013-3129)
• An attacker would have no way to force a user to click on a malicious link or open a malicious file (CVE-2013-3129)

Additional Information
• Installations using Server Core are affected
• Microsoft was aware of this vulnerability being used to achieve elevation of privilege in targeted attacks (CVE-2013-3660)
• Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers (CVE-2013-3129)


MS13-054: Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)

CVE | Severity | Exploitability Index (latest / older versions) | Impact | Disclosure
CVE-2013-3129 | Critical | 1 / 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products: All supported versions of Windows and Windows Server except Windows Server 2008 for Itanium; Lync 2010 (32-bit, x64, and Attendee); Lync 2013; Visual Studio .NET 2003 SP1; Office 2003, 2007, and all editions of 2010
Affected Components: GDI+, Journal, DirectWrite, Office, Visual Studio .NET 2003, Lync
Deployment Priority: 2
Main Target: Workstations

Possible Attack Vectors
• Web-based: an attacker could host a specially crafted website designed to exploit this vulnerability and then convince a user to view the website
• File sharing: an attacker could provide a specially crafted document file designed to exploit this vulnerability and then convince a user to open the document file
• Local attack: an attacker could also exploit this vulnerability by running a specially crafted application to take complete control over the affected system. However, the attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability in this scenario

Impact of Attack
• An attacker could run arbitrary code in kernel mode and take complete control of an affected system

Mitigating Factors
• An attacker could not force a user to visit a malicious website or click on a malicious link
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone, which disables font download by default

Additional Information
• For some versions of Windows Server, DirectWrite is not installed by default. Customers will only be offered the update on those systems if DirectWrite is installed


MS13-055: Cumulative Security Update for Internet Explorer (2846071)

CVE | Severity | Exploitability Index (latest / older versions) | Impact | Disclosure
CVE-2013-3115, CVE-2013-3143, CVE-2013-3144 | Critical | 1 / 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3147, CVE-2013-3149, CVE-2013-3150, CVE-2013-3164, CVE-2013-3145 | Critical | NA / 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3148, CVE-2013-3161, CVE-2013-3162, CVE-2013-3153 | Critical | 3 / 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3151, CVE-2013-3163 | Critical | 2 / 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3146, CVE-2013-3152 | Critical | 1 / NA | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3166 | Important | 3 / 3 | Information Disclosure | Cooperatively Disclosed

Affected Products: IE6 through IE10 on all supported versions of Windows Client; IE6 through IE10 on all supported versions of Windows Server
Affected Components: Internet Explorer
Deployment Priority: 1
Main Target: Workstations


MS13-055: Cumulative Security Update for Internet Explorer (2846071) (Cont’d)

Possible Attack Vectors
• An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website (all CVEs)
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements (all CVEs)

Impact of Attack
• An attacker could gain the same user rights as the current user (all CVEs except CVE-2013-3166)
• An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone (CVE-2013-3166)

Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content (all CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone (all CVEs)
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 runs in a restricted mode known as Enhanced Security Configuration (all CVEs)

Additional Information
• Installations using Server Core are not affected (all CVEs)
• Updates for Windows RT are only available via Windows Update
• Microsoft is aware of targeted attacks attempting to exploit the vulnerability described in CVE-2013-3163
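The mitigating factors above rest on two machine-level settings: the Restricted sites zone in which Outlook and Windows Mail render HTML mail (which the MS13-053 and MS13-054 slides also rely on for disabling font download), and IE Enhanced Security Configuration on servers. The PowerShell script below is an added example written for this page, not something from the webcast deck or a Microsoft tool; it reads those settings so a practitioner can confirm the mitigations actually hold on a given host. Its assumptions, which the deck does not state, are the standard registry locations: zone settings under Internet Settings\Zones, with zone 4 being Restricted sites, action 1400 being Active scripting, action 1604 being Font download, and values 0/1/3 meaning Enable/Prompt/Disable; and the two Active Setup component GUIDs (…A7… for administrators, …A8… for users) that record IE ESC state on Windows Server.

```powershell
# Added example, not from the deck: verify the browser-side mitigating factors
# cited for MS13-055 (Restricted sites zone, IE ESC) and, for font download,
# MS13-053 / MS13-054, on the local machine. PowerShell 2.0 compatible.
#
# Assumptions (not stated in the deck):
#  - Zone settings live under ...\Internet Settings\Zones\<n>; zone 4 is
#    Restricted sites. Action 1400 = Active scripting, 1604 = Font download;
#    the stored DWORD is 0 = Enable, 1 = Prompt, 3 = Disable.
#  - Per-user (HKCU) zone settings apply unless Security_HKLM_only is set, in
#    which case the HKLM copy is effective; both hives are read.
#  - IE ESC state is recorded by the two Active Setup components below
#    (..A7.. for administrators, ..A8.. for users); they exist only on
#    Windows Server.

function Get-ZoneActionValue {
    param(
        [Parameter(Mandatory = $true)][string]$Hive,   # 'HKCU' or 'HKLM'
        [Parameter(Mandatory = $true)][int]$Zone,      # 4 = Restricted sites
        [Parameter(Mandatory = $true)][string]$Action  # e.g. '1604'
    )
    $path  = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return $props.$Action
}

function Convert-ZoneActionValue {
    param($Value)
    if ($Value -eq $null) { return 'not set (built-in default applies)' }
    switch ([int]$Value) {
        0       { return 'Enable' }
        1       { return 'Prompt' }
        3       { return 'Disable' }
        default { return "unknown ($Value)" }
    }
}

$hklmOnly = (Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue).Security_HKLM_only
if ($hklmOnly -eq 1) {
    Write-Host "Security_HKLM_only is set: the HKLM values below are the effective ones."
} else {
    Write-Host "Security_HKLM_only is not set: the HKCU values below are effective for this user."
}

$checks = @(
    @{ Action = '1400'; Name = 'Active scripting' },
    @{ Action = '1604'; Name = 'Font download' }
)

Write-Host "Restricted sites zone (zone 4), where Outlook/Windows Mail render HTML mail by default:"
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($c in $checks) {
        $raw  = Get-ZoneActionValue -Hive $hive -Zone 4 -Action $c.Action
        $text = Convert-ZoneActionValue $raw
        # Anything other than Disable (3) weakens the mitigation the deck cites.
        if ($raw -ne $null -and [int]$raw -ne 3) { $flag = '  <-- weaker than the default' } else { $flag = '' }
        Write-Host ("  {0,-4} {1,-16} {2}{3}" -f $hive, $c.Name, $text, $flag)
    }
}

# IE Enhanced Security Configuration (Windows Server only).
$escRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$esc = @{
    'Administrators' = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    'Users'          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}
Write-Host "IE Enhanced Security Configuration:"
foreach ($group in $esc.Keys) {
    $item = Get-ItemProperty -Path (Join-Path $escRoot $esc[$group]) -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        Write-Host ("  {0,-15} not present (expected on client SKUs)" -f $group)
    } elseif ($item.IsInstalled -eq 1) {
        Write-Host ("  {0,-15} ON" -f $group)
    } else {
        Write-Host ("  {0,-15} OFF  <-- browsing Internet content from this server loses the mitigation" -f $group)
    }
}
```

A host where Font download or Active scripting shows anything but Disable for zone 4, or a server with ESC OFF for the group that actually logs on, should be patched with the priority-1 bulletins first rather than relying on the mitigating factors.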


MS13-056: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)

CVE | Severity | Exploitability Index (latest / older versions) | Impact | Disclosure
CVE-2013-3174 | Critical | 1 / 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products: All supported versions of Windows and Windows Server (except Windows Server 2008 for Itanium, Windows Server 2012, and Windows RT)
Affected Components: DirectShow
Deployment Priority: 2
Main Target: Servers

Possible Attack Vectors
• Web-based: an attacker would have to host a website that contains specially crafted content (a GIF file) used to attempt to exploit this vulnerability
• Email: an attacker could exploit the vulnerability by sending a specially crafted GIF file as a mail attachment and convincing the user to open the file

Impact of Attack
• If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system

Mitigating Factors
• The vulnerability cannot be exploited automatically through e-mail
• An attacker could not force a user to visit a malicious website or click on a malicious link

Additional Information
• Installations using Server Core are not affected


MS13-057: Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)

CVE | Severity | Exploitability Index (latest / older versions) | Impact | Disclosure
CVE-2013-3127 | Critical | 2 / 2 | Remote Code Execution | Cooperatively Disclosed

Affected Products: WMFR 9, 9.5, 11 and wmv9vcm.dll (codec) installed on Windows XP; WMFR 9.5 and wmv9vcm.dll (codec) installed on Windows Server 2003; WMFR 11 and wmv9vcm.dll (codec) installed on Windows Server 2008 (except Itanium); Windows Media Player 12 on Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT
Affected Components: Windows Media Format Runtime (WMFR)
Deployment Priority: 2
Main Target: Workstations

Possible Attack Vectors
• An attacker could exploit the vulnerability by hosting a specially crafted media file on a network location and convincing a user to open the file

Impact of Attack
• An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user

Mitigating Factors
• The vulnerability cannot be exploited automatically through e-mail
• An attacker could not force a user to visit a malicious website or click on a malicious link

Additional Information
• Windows Server 2008 installations using Server Core are not affected
• The runtime is not a supported or shipped product beyond Windows XP; the Vista/Windows Server 2008 parts of this update are to protect customers in an upgrade scenario only


MS13-058: Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927)

CVE | Severity | Exploitability Index (latest / older versions) | Impact | Disclosure
CVE-2013-3154 | Important | NA / 1 | Elevation of Privilege | Cooperatively Disclosed

Affected Products: Windows Defender for Windows 7 (32-bit and x64); Windows Defender when installed on Windows Server 2008 R2 x64
Affected Components: Windows Defender
Deployment Priority: 3
Main Target: Windows 7 workstations

Possible Attack Vectors
• To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then place a specially crafted application in a location that could be used to exploit the vulnerability

Impact of Attack
• An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take complete control of the system

Mitigating Factors
• An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users
• In a Windows 7 default configuration, a user running as a standard user account does not have permissions to write files to the root directory on the system

Additional Information
• If a customer is running Windows 7 but Windows Defender is disabled, this update is not required
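Two local conditions decide how much MS13-058 matters on a given Windows 7 host: whether Windows Defender is actually running (the slide says the update is unnecessary when it is disabled) and whether a standard user can write files into the root of the system drive (the mitigating factor the slide cites). The PowerShell script below is an added example written for this page, not code from the webcast deck or from Microsoft; it checks both. It assumes the Defender service name is WinDefend and treats BUILTIN\Users, Authenticated Users, Everyone and INTERACTIVE as the "broad" principals whose write access would defeat the mitigation; the deck names neither.

```powershell
# Added example, not from the deck: check the two local conditions the
# MS13-058 slide turns on. PowerShell 2.0 compatible.
#
# Assumptions (not stated in the deck):
#  - The Windows Defender service is named WinDefend.
#  - "Broad principal" means the four well-known groups in $broad below.
#  - ACEs that grant generic rights (GENERIC_ALL etc.) are not decoded here;
#    the default root ACL on Windows 7 uses specific rights, so this is a
#    limitation only on hosts with unusual ACLs.

function Get-DefenderServiceState {
    $svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return 'not installed' }
    # Get-Service on PowerShell 2.0 has no StartType, so read it via WMI.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"
    return ("{0} (start type {1})" -f $svc.Status, $wmi.StartMode)
}

function Get-RootWriteGrants {
    param([string]$Root = [System.IO.Path]::GetPathRoot($env:SystemRoot))  # e.g. C:\

    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $acl = Get-Acl -Path $Root

    # Keep only Allow ACEs for a broad principal that grant CreateFiles on the
    # root itself. An ACE flagged InheritOnly applies to children only, which
    # is exactly how the default Windows 7 root ACL grants Authenticated Users
    # Modify on subfolders without letting them drop a file at the root.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broad -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $createFiles) -ne 0) -and
        (($_.PropagationFlags -band $inheritOnly) -eq 0)
    }
}

Write-Host ("Windows Defender service: {0}" -f (Get-DefenderServiceState))

$grants = @(Get-RootWriteGrants)
if ($grants.Count -eq 0) {
    Write-Host "No broad principal can create files in the system drive root; the cited mitigating factor holds."
} else {
    Write-Host "Principals able to create files in the system drive root (mitigating factor does NOT hold):"
    $grants | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
}
```

On a default Windows 7 image the root ACL gives BUILTIN\Users only "create folders / append data" at the root and gives Authenticated Users Modify as an inherit-only ACE, so the check reports no grants; a host where an administrator has loosened the root ACL, or where Defender is running and the update is absent, is the one to prioritise despite the bulletin's deployment priority of 3.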


Microsoft Security Advisories

• Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  - Added the 2857645 update to the Current Update section for all supported editions of Windows 8, Windows Server 2012, and Windows RT
  - The update addresses the vulnerabilities described in Adobe Security Bulletin APSB13-17


Detection & Deployment

Bulletin | Product / Component | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | Configuration Manager
MS13-052 | .NET/Silverlight | Yes [3] | Yes [3] | Yes [1,2,3] | Yes [2,3] | Yes [2,3] | Yes [2,3]
MS13-053 | Kernel-Mode Driver | Yes | Yes | Yes [1,2] | Yes [2] | Yes [2] | Yes [2]
MS13-054 | GDI+ | Yes [4] | Yes [5] | Yes [1] | Yes | Yes | Yes
MS13-055 | Internet Explorer | Yes | Yes | Yes [1,2] | Yes [2] | Yes [2] | Yes [2]
MS13-056 | DirectShow | Yes | Yes | Yes [1,2] | Yes [2] | Yes [2] | Yes [2]
MS13-057 | Media Format Runtime | Yes | Yes | Yes [1,2] | Yes [2] | Yes [2] | Yes [2]
MS13-058 | Windows Defender | Yes | Yes | Yes | Yes | Yes | Yes

1. MBSA does not support detection on Windows 8, Windows RT, and Windows Server 2012.
2. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update, and the Windows Store.
3. Mac is not supported by our detection tools.
4. Microsoft Office, Visual Studio, and Lync are not serviced by Windows Update.
5. The update for Visual Studio is available through the Download Center only.


Other Update Information

Bulletin | Product / Component | Restart | Uninstall | Replaces
MS13-052 | .NET/Silverlight | Maybe | Yes | MS13-004, MS12-034, MS12-074, MS11-078, MS10-060, MS12-035, MS13-022
MS13-053 | Kernel-Mode Driver | Yes | Yes | MS13-046, MS13-036
MS13-054 | GDI+ | Maybe | Yes | MS12-034, MS09-062, MS13-041
MS13-055 | Internet Explorer | Yes | Yes | MS13-047
MS13-056 | DirectShow | Maybe | Yes | None
MS13-057 | Media Format Runtime | Maybe | Yes | None
MS13-058 | Windows Defender | No | Yes | None


Windows Malicious Software Removal Tool (MSRT)

• Microsoft will not add any new families to the MSRT during this release
• Version 5 of MSRT is now available on DLC and for Microsoft Update customers who manually check
• Available as a priority update through Windows Update or Microsoft Update
• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove


Resources

Blogs
• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/

Twitter
• @MSFTSecResponse

Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx

Bulletins, Advisories, Notifications & Newsletters
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews

Other Resources
• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx


Questions & Answers

• Submit text questions using the “Ask” button.

• Don’t forget to fill out the survey.

• A recording of this webcast will be available within 48 hours on the MSRC blog.

http://blogs.technet.com/msrc

• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.