July 2013 Microsoft Security Bulletins
Jonathan Ness, Security Development Manager
Dustin Childs, Group Manager, Response Communications
Live Video Stream
• To receive our video stream in LiveMeeting:
- Click on “Voice & Video”
- Click the drop down next to the camera icon
- Select “Show Main Video”
• Dial-in Information:
- 1 (877) 593-2001 Pin: 3959
What We Will Cover
• Review of July 2013 Bulletin Release Information
- Seven New Security Bulletins
- One Updated Security Advisory
- Microsoft Windows Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now
- Submit Questions via Twitter #MSFTSecWebcast
Severity & Exploitability Index
[Chart: Severity (Critical, Important, Moderate, Low) and Exploitability Index (1 to 3) for bulletins MS13-052 through MS13-058, labeled .NET Framework/Silverlight, GDI+, Kernel-Mode Drivers, Internet Explorer, Windows Defender, Media Format Runtime and DirectShow. Deployment priority (DP), in bulletin order: 2, 1, 2, 1, 2, 2, 3.]
Bulletin Deployment Priority
Bulletin | Product / Component | KB # | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority
MS13-055 | Internet Explorer | 2846071 | Private | Critical | 1 | RCE | 1
MS13-053 | Kernel-Mode Driver | 2850851 | Public | Critical | 1 | RCE | 1
MS13-054 | GDI+ | 2848295 | Private | Critical | 1 | RCE | 2
MS13-052 | .NET/Silverlight | 2861561 | Public | Critical | 1 | RCE | 2
MS13-056 | DirectShow | 2845187 | Private | Critical | 1 | RCE | 2
MS13-057 | Media Format Runtime | 2847883 | Private | Critical | 2 | RCE | 2
MS13-058 | Windows Defender | 2847927 | Private | Important | 1 | EoP | 3
MS13-052: Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3129 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3131 | Critical | 2 | 2 | Remote Code Execution | Publicly Disclosed
CVE-2013-3132 | Important | 3 | 3 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3133 | Important | 3 | 3 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3134 | Critical | 2 | 2 | Remote Code Execution | Publicly Disclosed
CVE-2013-3171 | Important | 3 | 3 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3178 | Important | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products
• Severity levels are aggregate; please see update document for specifics: .NET Framework 2.0, 3.0, 4, 3.5, 3.5.1, and 4.5 on all supported versions of Windows Client and Windows Server; all editions of Silverlight 5, to include when installed on Mac
• Severity levels are aggregate; please see update document for specifics: .NET Framework 1.0 and 1.1 on all supported versions of Windows Client and Windows Server
Affected Components: Internet Explorer
Deployment Priority: 2
Main Target: Workstations
Possible Attack Vectors
• Web-based: an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website (CVE-2013-3129)
• File sharing: an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file (CVE-2013-3129)
• Local attack: an attacker could exploit this vulnerability by running a specially crafted application to take complete control over the affected system. However, the attacker must have valid logon credentials and be able to log on locally (CVE-2013-3129)
• Web-based: an attacker could host a website that contains a specially crafted Silverlight application designed to exploit this vulnerability and then convince a user to view the website (CVE-2013-3131, 3178)
• .NET application: in a .NET application attack scenario, an attacker could modify the array data in a manner that would allow for remote code execution (CVE-2013-3131, 3134)
• Web-based: an attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that could exploit this vulnerability and then convince a user to view the website (CVE-2013-3132, 3133, 3171)
• This vulnerability could also be used by Windows .NET Framework applications to bypass Code Access Security (CAS) restrictions (CVE-2013-3132, 3133, 3171)
Impact of Attack
• An attacker could run arbitrary code in kernel mode (CVE-2013-3129)
• In a .NET application attack scenario, an attacker could obtain the same permissions as the currently logged-on user (CVE-2013-3131, 3133, 3134, 3171)
• In a web-browsing scenario, an attacker could execute arbitrary code on behalf of the targeted user (CVE-2013-3131, 3133, 3171, 3178)
• An attacker could take complete control of the affected system (CVE-2013-3132)
Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. (All CVEs)
Additional Information
• Installations using Server Core are affected.
• .NET Framework 4 and .NET Framework 4 Client Profile affected
MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-1300 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-1340 | Important | 3 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-1345 | Important | 3 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3129 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3167 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3172 | Moderate | | | Denial of Service | Publicly Disclosed
CVE-2013-3173 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2013-3660 | Critical | 3 | 3 | Remote Code Execution | Publicly Disclosed
Affected Products: All supported versions of Windows Client and Windows Server
Affected Components: Kernel-Mode Drivers
Deployment Priority: 1
Main Target: Workstations
Possible Attack Vectors
• Web-based attack: an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website. (CVE-2013-3129, 3660)
• File sharing: an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file. (CVE-2013-3129, 3660)
• Local attack: an attacker could also exploit this vulnerability by running a specially crafted application to take complete control over the affected system. The attacker must have valid logon credentials (CVE-2013-3129, 3660)
• An attacker would first have to log on to the system. An attacker could then run a specially crafted application designed to increase privileges. (CVE-2013-1300, 1340, 1345, 3167, 3173)
• For an attacker to exploit this vulnerability, a user would have to execute a specially crafted application. (CVE-2013-3172)
Impact of Attack
• An attacker could run arbitrary code in kernel mode (CVE-2013-3129)
• An attacker could run processes in an elevated context (CVE-2013-1300, 1340, 1345, 3167, 3173)
• An attacker could cause the target system to stop responding (CVE-2013-3172)
• In most scenarios, an attacker could achieve elevation of privilege on the target system. It is also theoretically possible, but unlikely due to memory randomization, that an attacker could achieve remote code execution (CVE-2013-3660)
Mitigating Factors
• An attacker must have valid logon credentials and be able to log on to exploit this vulnerability (CVE-2013-1300, 1340, 1345, 3167, 3173)
• Microsoft has not identified any mitigating factors for this vulnerability (CVE-2013-3660)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone, which disables font download by default (CVE-2013-3129)
• An attacker would have no way to force a user to click on a malicious link or open a malicious file (CVE-2013-3129)
Additional Information
• Installations using Server Core are affected
• Microsoft was aware of this vulnerability being used to achieve elevation of privilege in targeted attacks (CVE-2013-3660)
• Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers (CVE-2013-3129)
MS13-054: Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3129 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products
• All supported versions of Windows and Windows Server except for Windows Server 2008 for Itanium; Lync 2010 32bit, x64 and Attendee; Lync 2013
• Visual Studio .NET 2003 SP1; Office 2003, 2007, and all editions of 2010
Affected Components: GDI+, Journal, DirectWrite, Office, Visual Studio .NET 2003, Lync
Deployment Priority: 2
Main Target: Workstations
Possible Attack Vectors
• Web-based: an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website.
• File sharing: an attacker could provide a specially crafted document file that is designed to exploit this vulnerability, and then convince a user to open the document file
• Local attack: an attacker could also exploit this vulnerability by running a specially crafted application to take complete control over the affected system. However, the attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability in this scenario
Impact of Attack
• An attacker could run arbitrary code in kernel mode and take complete control of an affected system
Mitigating Factors
• An attacker could not force a user to visit a malicious website or click on a malicious link
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone, which disables font download by default
Additional Information
• For some versions of Windows Server, DirectWrite is not installed by default. Customers will only be offered the update on those systems if DirectWrite is installed
MS13-055: Cumulative Security Update for Internet Explorer (2846071)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3115, CVE-2013-3143, CVE-2013-3144 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3147, CVE-2013-3149, CVE-2013-3150, CVE-2013-3164, CVE-2013-3145 | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3148, CVE-2013-3161, CVE-2013-3162, CVE-2013-3153 | Critical | 3 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3151, CVE-2013-3163 | Critical | 2 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3146, CVE-2013-3152 | Critical | 1 | NA | Remote Code Execution | Cooperatively Disclosed
CVE-2013-3166 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed
Affected Products
• IE6 – IE10 on all supported versions of Windows Client
• IE6 – IE10 on all supported versions of Windows Server
Affected Components: Internet Explorer
Deployment Priority: 1
Main Target: Workstations
Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (All CVEs)
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. (All CVEs)
Impact of Attack
• An attacker could gain the same user rights as the current user (All CVEs except CVE-2013-3166)
• An attacker who successfully exploited this vulnerability could view content from another domain or Internet Explorer zone (CVE-2013-3166)
Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. (All CVEs)
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. (All CVEs)
Additional Information
• Installations using Server Core are not affected. (All CVEs)
• Updates for Windows RT are only available via Windows Update
• Microsoft is aware of targeted attacks attempting to exploit the vulnerability described in CVE-2013-3163.
MS13-056: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3174 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products: All supported versions of Windows and Windows Server (except Windows Server 2008 for Itanium, Windows Server 2012, and Windows RT)
Affected Components: DirectShow
Deployment Priority: 2
Main Target: Servers
Possible Attack Vectors
• Web-based: an attacker would have to host a web site that contains specially crafted content (GIF file) that is used to attempt to exploit this vulnerability
• Email: an attacker could exploit the vulnerability by sending a specially crafted GIF file as a mail attachment and by convincing the user to open the file
Impact of Attack
• If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
Mitigating Factors
• The vulnerability cannot be exploited automatically through e-mail.
• An attacker could not force a user to visit a malicious website or click on a malicious link
Additional Information
• Installations using Server Core are not affected.
MS13-057: Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3127 | Critical | 2 | 2 | Remote Code Execution | Cooperatively Disclosed
Affected Products: WMFR 9, 9.5, 11 and wmv9vcm.dll (codec) installed on Windows XP; WMFR 9.5 and wmv9vcm.dll (codec) installed on Windows Server 2003; WMFR 11 and wmv9vcm.dll (codec) installed on Windows Server 2008 (except Itanium); Windows Media Player 12 on Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT
Affected Components: Windows Media Format Runtime (WMFR)
Deployment Priority: 2
Main Target: Workstations
Possible Attack Vectors
• An attacker could exploit the vulnerability by hosting a specially crafted media file on a network location and convincing a user to open the file
Impact of Attack
• An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user
Mitigating Factors
• The vulnerability cannot be exploited automatically through e-mail
• An attacker could not force a user to visit a malicious website or click on a malicious link
Additional Information
• Windows Server 2008 installations using Server Core are not affected.
• This is not a supported or shipped product beyond Windows XP; the Vista/Windows Server 2008 parts of this update are to protect customers in an upgrade scenario only.
MS13-058: Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927)
CVE | Severity | Exploitability (Latest Versions) | Exploitability (Older Versions) | Impact | Disclosure
CVE-2013-3154 | Important | NA | 1 | Elevation of Privilege | Cooperatively Disclosed
Affected Products: Windows Defender for Windows 7 32bit and x64, Windows Defender when installed on Windows Server 2008 R2 x64
Affected Components: Windows Defender
Deployment Priority: 3
Main Target: Windows 7 workstations
Possible Attack Vectors
• To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then place a specially crafted application in a location that could be used to exploit the vulnerability
Impact of Attack
• An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take complete control of the system
Mitigating Factors
• An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
• In a Windows 7 default configuration, a user running as a standard user account does not have permissions to write files to the root directory on the system
Additional Information
• If a customer is running Windows 7 but Windows Defender is disabled, this update is not required.
Microsoft Security Advisories
• Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
• Added the 2857645 update to the Current Update section for all supported editions of Windows 8, Windows Server 2012, and Windows RT
• The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-17
Detection & Deployment
Bulletin | Product / Component | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | Configuration Manager
MS13-052 | .NET/Silverlight | Yes (3) | Yes (3) | Yes (1,2,3) | Yes (2,3) | Yes (2,3) | Yes (2,3)
MS13-053 | Kernel-Mode Driver | Yes | Yes | Yes (1,2) | Yes (2) | Yes (2) | Yes (2)
MS13-054 | GDI+ | Yes (4) | Yes (5) | Yes (1) | Yes | Yes | Yes
MS13-055 | Internet Explorer | Yes | Yes | Yes (1,2) | Yes (2) | Yes (2) | Yes (2)
MS13-056 | DirectShow | Yes | Yes | Yes (1,2) | Yes (2) | Yes (2) | Yes (2)
MS13-057 | Media Format Runtime | Yes | Yes | Yes (1,2) | Yes (2) | Yes (2) | Yes (2)
MS13-058 | Windows Defender | Yes | Yes | Yes | Yes | Yes | Yes
1. The MBSA does not support detection on Windows 8, Windows RT, and Windows Server 2012.
2. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.
3. Mac is not supported by our detection tools.
4. Microsoft Office, Visual Studio, and Lync are not serviced by Windows Update.
5. The update for Visual Studio is available through the Download Center only.
Other Update Information
Bulletin | Product / Component | Restart | Uninstall | Replaces
MS13-052 | .NET/Silverlight | Maybe | Yes | MS13-004, MS12-034, MS12-074, MS11-078, MS10-060, MS12-035, MS12-034, MS13-022
MS13-053 | Kernel-Mode Driver | Yes | Yes | MS13-046, MS13-036
MS13-054 | GDI+ | Maybe | Yes | MS12-034, MS09-062, MS13-041
MS13-055 | Internet Explorer | Yes | Yes | MS13-047
MS13-056 | DirectShow | Maybe | Yes | None
MS13-057 | Media Format Runtime | Maybe | Yes | None
MS13-058 | Windows Defender | No | Yes | None
Windows Malicious Software Removal Tool (MSRT)
• Microsoft will not add any new families to the MSRT during this release
• Version 5 of MSRT is now available on DLC and for Microsoft Update customers who manually check
• Available as a priority update through Windows Update or Microsoft Update
• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove
Resources
Blogs
• Microsoft Security Response Center (MSRC) Blog: http://blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/
Twitter
• @MSFTSecResponse
Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx
Bulletins, Advisories Notifications & Newsletters
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews
Other Resources
• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx
Questions & Answers
• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC blog: http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.