TRANSCRIPT
Dial In Number 1-800-829-9747 Pin: 5453
Information About Microsoft June 2012 Security Bulletins
Jonathan Ness, Security Development Manager, Microsoft Corporation
Dustin Childs, Group Manager, Response Communications, Microsoft Corporation
Live Video Stream
• To receive our video stream in LiveMeeting:
– Click on Voice & Video
– Click the drop down next to the camera icon
– Select Show Main Video
What We Will Cover
• Review of June 2012 Bulletin Release Information
– New Security Bulletins
– Security Advisory 2719615
– KB 2677070 - Automatic Updater of Revoked Certificates
– Microsoft® Windows® Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now
– Submit Questions via Twitter #MSFTSecWebcast
Severity and Exploitability Index
[Chart: each bulletin plotted by Severity (Critical, Important, Moderate, Low; the IMPACT axis) against Exploitability Index (1, 2, 3; the RISK axis), with its deployment priority (DP) underneath. The plotted positions are:]
MS12-036 (Windows, RDP): Critical, Exploitability Index 1, DP 1
MS12-037 (Internet Explorer): Critical, Exploitability Index 1, DP 1
MS12-038 (.NET): Critical, Exploitability Index 1, DP 2
MS12-039 (Lync): Important, Exploitability Index 1, DP 2
MS12-040 (Dynamics AX): Important, Exploitability Index 1, DP 2
MS12-041 (Windows): Important, Exploitability Index 1, DP 3
MS12-042 (Windows): Important, Exploitability Index 1, DP 3
Bulletin Deployment Priority
Bulletin | KB | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority | Notes
MS12-037 (IE) | 2699988 | Public | Critical | 1 | RCE | 1 | All eight of the Critical-class issues in this bulletin were disclosed to Microsoft cooperatively.
MS12-036 (RDP) | 2685939 | Private | Critical | 1 | RCE | 1 | The issue addressed in this bulletin was cooperatively disclosed and no exploits are known to exist in the wild.
MS12-038 (.NET) | 2706726 | Private | Critical | 1 | RCE | 2 | A would-be attacker would have to convince a targeted customer to visit a Web site containing malicious code.
MS12-039 (Lync) | 2707956 | Public | Important | 1 | RCE | 2 | Includes one DLL-preloading issue as well as defense-in-depth updates for Lync and Microsoft Communicator.
MS12-040 (Dynamics AX) | 2709100 | Private | Important | 1 | EoP | 2 | The cross-site scripting issue addressed here affects only Dynamics AX 2012.
MS12-041 (KMD) | 2709162 | Private | Important | 1 | EoP | 3 | All five issues addressed require that would-be attackers have both valid logon credentials and local system access.
MS12-042 (Kernel) | 2711167 | Public | Important | 1 | EoP | 3 | Though one of the two issues addressed here was publicly disclosed, we have no evidence of active exploits against it.
MS12-036: Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE-2012-0173 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products: Windows Server 2003 SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows Server 2008 R2, Windows Server 2008 R2 SP1; Windows XP SP3, Windows Vista SP2, Windows 7
Affected Components: Remote Desktop Protocol
Deployment Priority: 1
Main Target: Terminal servers
Possible Attack Vector
• A remote unauthenticated attacker could exploit this vulnerability by sending a sequence of specially crafted RDP packets to the target system.
Impact of Attack
• An attacker who successfully exploited this vulnerability on systems for which the issue is marked as Critical could take complete control of the affected system.
• For platforms marked as moderately affected by this issue, a successful exploit would lead only to a denial of service.
Mitigating Factors
• By default, the Remote Desktop Protocol is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.
Additional Information
• Installations using Server Core are affected.
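The mitigating factor above makes two facts decisive for each host: whether Remote Desktop is enabled at all, and whether the MS12-036 update (KB 2685939) is installed. The PowerShell script below is an added example and is not part of the Microsoft deck. It reads the fDenyTSConnections and RDP-Tcp PortNumber values under the standard Terminal Server registry key, confirms with netstat whether anything is listening on that port, and uses Get-HotFix to look for the KB; the KB number comes from the bulletin, and the assessment wording is my own.

```powershell
# Added example, not from the Microsoft deck: per-host triage for MS12-036.
# Answers the two questions the slide raises: is RDP enabled on this machine
# (the bulletin's mitigating factor), and is the MS12-036 update installed?
# Run from an elevated PowerShell prompt on the host being assessed.

$kb = 'KB2685939'   # KB number from the MS12-036 bulletin

# fDenyTSConnections = 1 means Remote Desktop connections are refused (the Windows default).
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$denyValue = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$rdpEnabled = ($denyValue -eq 0)

# Independent confirmation: is anything listening on the RDP port (3389 unless changed)?
# PortNumber under RDP-Tcp holds a non-default port if one was configured.
$rdpPort = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $rdpPort) { $rdpPort = 3389 }
$pattern = ":{0}\s+\S+\s+LISTENING" -f $rdpPort
$listening = [bool](netstat -ano -p TCP | Select-String -Pattern $pattern)

# Get-HotFix queries Win32_QuickFixEngineering, which lists installed updates by KB id.
$patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

# Assessment text is this example's own wording, not bulletin language.
$assessment = if (-not $rdpEnabled -and -not $listening) { 'Not exposed: RDP disabled' }
              elseif ($patched)                          { 'RDP enabled, MS12-036 update installed' }
              else                                       { 'RDP enabled, MS12-036 update MISSING: deploy at priority 1' }

New-Object PSObject -Property @{
    ComputerName = $env:COMPUTERNAME
    RdpEnabled   = $rdpEnabled
    RdpListening = $listening
    RdpPort      = $rdpPort
    Ms12036Fix   = $patched
    Assessment   = $assessment
} | Format-List
```

Both the registry flag and the listening socket are checked because they can disagree (for example, a third-party listener or a policy that flips the flag without restarting the service); a host counts as exposed if either says RDP is reachable.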
MS12-037: Cumulative Security Update for Internet Explorer (2699988) – slide 1 of 2
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE-2012-1523 | Critical | N/A | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-1858 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed
CVE-2012-1872 | Moderate | N/A | N/A | Information Disclosure | Cooperatively Disclosed
CVE-2012-1873 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed
CVE-2012-1874 | Important | 1 | 3 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-1875 | Critical | N/A | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-1876 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-1877 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-1878 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-1879 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-1880 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-1881 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE-2012-1882 | Moderate | N/A | N/A | Information Disclosure | Publicly Disclosed
MS12-037: Cumulative Security Update for Internet Explorer (2699988) – slide 2 of 2
Impact class by CVE (from the slide graphic): Remote Code Execution (RCE): CVE-2012-1523, CVE-2012-1874, CVE-2012-1875, CVE-2012-1876, CVE-2012-1877, CVE-2012-1878, CVE-2012-1879, CVE-2012-1880, CVE-2012-1881; Information Disclosure (ID): CVE-2012-1858, CVE-2012-1872, CVE-2012-1873, CVE-2012-1882
Affected Products: Internet Explorer 6, 7, 8, 9 on all supported versions of Windows; Internet Explorer 6, 7, 8, 9 on all supported versions of Windows Server
Affected Components: Internet Explorer
Deployment Priority: 1
Main Target: Workstations
Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website, or place a malicious ActiveX control in an application or Microsoft Office document. (CVE-2012-1523, CVE-2012-1874, CVE-2012-1875, CVE-2012-1876, CVE-2012-1877, CVE-2012-1878, CVE-2012-1879, CVE-2012-1880, CVE-2012-1881)
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (CVE-2012-1858, CVE-2012-1872, CVE-2012-1873, CVE-2012-1882)
Impact of Attack
• An attacker successfully exploiting this issue could inflict a cross-site scripting attack on the user. (CVE-2012-1858, CVE-2012-1872)
• An attacker successfully exploiting this issue could gain access to and read IE’s process memory. (CVE-2012-1873)
• An attacker successfully exploiting this issue could view content from another domain or Internet Explorer zone. (CVE-2012-1882)
• An attacker successfully exploiting this issue could execute arbitrary code in the context of the current user. (CVE-2012-1874, CVE-2012-1875, CVE-2012-1876, CVE-2012-1877, CVE-2012-1878, CVE-2012-1879, CVE-2012-1880, CVE-2012-1881, CVE-2012-1523)
Mitigating Factors
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone.
• An attacker has no way of forcing users to visit a maliciously constructed Web site.
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.
• A targeted user must be convinced to open the Internet Explorer Developer Toolbar while visiting a malicious site. (CVE-2012-1874)
Additional Information
• Installations using Server Core 2008 or 2008 R2 are not affected.
MS12-038: Vulnerability in .NET Framework Could Allow Remote Code Execution (2706726)
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE-2012-1855 | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products: .NET Framework 2.0 SP2, .NET Framework 3.5.1, .NET Framework 4 on all supported editions of Microsoft Windows
Affected Components: .NET Framework
Deployment Priority: 2
Main Target: Servers and workstations
Possible Attack Vectors
• An attacker could host a website that contains an XAML Browser Application (XBAP) that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.
Impact of Attack
• An attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user.
• Code Access Security (CAS) Bypass: An attacker could use this issue to bypass CAS restrictions.
Mitigating Factors
• An attacker would have no way to force users to visit a malicious website.
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.
• Standard .NET Framework applications are not affected by this issue.
Additional Information
• This bulletin applies to .NET Framework 4 and .NET Framework 4 Client Profile, and to users of the .NET Framework 3.5 and 4.5 Windows Consumer Preview software.
MS12-039: Vulnerabilities in Lync Could Allow Remote Code Execution (2707956)
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE-2011-3402 | Important | 3 | N/A | Remote Code Execution | Publicly Disclosed
CVE-2012-0159 | Important | 3 | N/A | Remote Code Execution | Cooperatively Disclosed
CVE-2012-1849 | Important | 1 | N/A | Remote Code Execution | Cooperatively Disclosed
CVE-2012-1858 | Important | 3 | 3 | Information Disclosure | Cooperatively Disclosed
Affected Products: Microsoft Lync 2010, Microsoft Lync 2010 Attendee, Microsoft Lync 2010 Attendant (32- and 64-bit), Office Communicator 2007 R2
Affected Components: Lync
Deployment Priority: 2
Main Target: Workstations and Servers
Possible Attack Vectors
• An attacker could create content containing a specially crafted TrueType font used to exploit this vulnerability. (CVE-2011-3402, CVE-2012-0159)
• In an email attack scenario, an attacker could exploit the vulnerability by sending a legitimate Microsoft Office file to a user, and convincing the user to place the attachment into a directory containing a specially crafted DLL file and to open the legitimate file. (CVE-2012-1849)
• In a network attack scenario, an attacker could place a legitimate Office file and a specially crafted DLL in a network share, a UNC, or WebDAV location and then convince the user to open the file. (CVE-2012-1849)
Impact of Attack
• An attacker successfully exploiting this issue could take control of an affected system. (CVE-2011-3402, CVE-2012-0159)
• An attacker successfully exploiting this issue could run arbitrary code in the context of the current user. (CVE-2012-1849)
• An attacker successfully exploiting this issue could perform cross-site scripting attacks against Lync or Microsoft Communicator users. (CVE-2012-1858)
Mitigating Factors
• Users whose accounts are configured to have fewer user rights on the system are less affected than users operating with administrative rights. (CVE-2011-3402)
• The file sharing protocol, Server Message Block (SMB), is often disabled on the perimeter firewall. (CVE-2012-1849)
• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file from this location that is then loaded by a vulnerable application. (CVE-2012-1849)
Additional Information
• The update for Lync 2010 Attendee (user-level install) is available only via Download Center.
• Though the vulnerability described in CVE-2011-3402 has previously been exploited in limited, targeted attacks, the vector used in those attacks was addressed in MS11-087, and we have detected no use of this vector in attacks.
• The vulnerability addressed by CVE-2012-1849 is related to the class of vulnerabilities described in Microsoft Security Advisory 2269637.
MS12-040: Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE-2012-0178 | Important | 1 | N/A | Elevation of Privilege | Cooperatively Disclosed
Affected Products: Microsoft Dynamics AX 2012 Enterprise Portal
Affected Components: Microsoft Dynamics AX Enterprise Portal
Deployment Priority: 2
Main Target: Workstations connecting to a Microsoft Dynamics AX Enterprise Portal server
Possible Attack Vectors
• An attacker could exploit the vulnerability by hosting a web site with a malicious page and convincing a targeted user to click on the specially crafted URL.
Impact of Attack
• An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read, use the victim's identity to take actions on the Microsoft Dynamics AX Enterprise Portal site on behalf of the victim, or inject malicious content in the browser of the victim.
Mitigating Factors
• An attacker would have no way to force users to visit a malicious website.
• The vulnerability cannot be exploited automatically through email.
• Internet Explorer 8 and Internet Explorer 9 users browsing to a Microsoft Dynamics AX Enterprise Portal site in the Internet Zone are at a reduced risk because, by default, the XSS Filter in Internet Explorer 8 and Internet Explorer 9 prevents this attack in the Internet Zone.
Additional Information
• Earlier versions of Microsoft Dynamics AX are not affected by this cross-site scripting issue.
• This update is available via the Download Center and via the Microsoft Dynamics CustomerSource and Microsoft Dynamics PartnerSource websites.
MS12-041: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE-2012-1864 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2012-1865 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2012-1866 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2012-1867 | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE-2012-1868 | Important | N/A | 1 | Elevation of Privilege | Cooperatively Disclosed
Affected Products: All versions of Microsoft Windows
Affected Components: Kernel-Mode Drivers
Deployment Priority: 3
Main Target: Workstations
Possible Attack Vectors
• An attacker who is able to log onto the targeted system could then run a specially crafted application that could exploit the vulnerability.
Impact of Attack
• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
Mitigating Factors
• An attacker would require both valid logon credentials and the ability to log on locally to the targeted machine.
Additional Information
• Installations using Server Core are affected.
MS12-042: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE-2012-1515 | Important | N/A | 1 | Elevation of Privilege | Publicly Disclosed
CVE-2012-0217 | Important | 1 | N/A | Elevation of Privilege | Cooperatively Disclosed
Affected Products: Windows XP SP3, Windows Server 2003 SP2, Windows 7 x64, Windows 7 x64 SP1, Windows Server 2008 R2 x64, Windows Server 2008 R2 x64 SP1
Affected Components: User Mode Scheduler (CVE-2012-0217) and BIOS ROM (CVE-2012-1515)
Deployment Priority: 3
Main Target: Workstations
Possible Attack Vectors
• To exploit this vulnerability, an attacker would have to log on to the system, then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.
Impact of Attack
• An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system.
Mitigating Factors
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
• Systems with AMD- or ARM-based CPUs are unaffected. (CVE-2012-0217)
• Only affects Intel x64-based versions of Windows 7 and Windows Server 2008 R2. (CVE-2012-0217)
Additional Information
• Windows Server 2008 R2 and 2008 R2 SP1 installations using Server Core are affected.
• CVE-2012-1515 applies only to Windows XP and 2003, while CVE-2012-0217 applies only to Windows 7 and Server 2008 R2.
Security Advisory 2719615: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
• We are releasing a Security Advisory to address a vulnerability in Microsoft XML Core Services.
– The issue, if exploited, would permit remote code execution.
– The Security Advisory describes the issue in greater detail and provides a no-reboot Fix it that blocks the vector in Internet Explorer.
– We recommend that customers deploy EMET (the Enhanced Mitigation Experience Toolkit) for additional protection.
• This advisory affects all supported versions of Windows as well as Office 2003 and 2007 and Microsoft SQL.
• Please see Security Advisory 2719615 for more information.
KB 2677070: Automatic Updater of Revoked Certificates
• Microsoft is improving the process by which customers interact with untrusted or compromised certificates and keys.
– In the past, we issued CRLs – Certificate Revocation Lists – and customers would update their systems manually.
– We are rolling out an automated process that will update Windows clients with no manual interaction on the part of customers. See KB 2677070 for more information.
• KB 2677070 makes this feature available to customers using Windows Vista SP2, Windows Server 2008 SP2, Windows 7, or Windows Server 2008 R2 SP1, and is included in Windows 8 Release Preview and the Windows Server 2012 Release Candidate.
• In August, we will release a change to how Windows manages certificates that have RSA keys of less than 1024 bits in length. We will treat all of these certificates as invalid, even if they are currently valid and signed by a trusted certificate authority.
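The August change above will invalidate every certificate whose RSA key is shorter than 1024 bits, so the practical preparation is an inventory of such certificates on each host before the change ships. The PowerShell script below is an added example and is not part of the Microsoft deck; it walks the Cert: drive, keeps only RSA certificates, reports those below 1024 bits, and writes a CSV under the TEMP directory (an assumed output location, change it as needed).

```powershell
# Added example, not from the Microsoft deck: find certificates in the local stores
# whose RSA public key is shorter than 1024 bits, i.e. the ones Windows will treat
# as invalid after the August change described on the slide.
# Run from an elevated prompt so every LocalMachine store can be read.

$minimumBits = 1024

# Cert:\ exposes the CurrentUser and LocalMachine stores; -Recurse walks each store.
# Store locations and stores are containers and are skipped so only certificates remain.
$weakCerts = Get-ChildItem -Path Cert:\ -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
    ForEach-Object {
        $cert = $_
        try {
            # PublicKey.Key is the RSA provider for the certificate; KeySize is in bits.
            $bits = $cert.PublicKey.Key.KeySize
        } catch {
            # A key the local provider cannot load is reported as unknown rather than skipped silently.
            Write-Warning ("Could not read key size for {0}: {1}" -f $cert.Thumbprint, $_.Exception.Message)
            return
        }
        if ($bits -lt $minimumBits) {
            New-Object PSObject -Property @{
                Store      = ($cert.PSParentPath -replace '^.*::', '')
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                KeyBits    = $bits
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }

# On-screen summary, shortest keys first, then a CSV for the remediation tracker.
$weakCerts | Sort-Object KeyBits, NotAfter | Format-Table Store, Subject, KeyBits, NotAfter -AutoSize
if ($weakCerts) {
    $weakCerts | Export-Csv -Path "$env:TEMP\weak-rsa-certs.csv" -NoTypeInformation   # assumed output path
}
"{0} certificate(s) with RSA keys below {1} bits found on {2}" -f @($weakCerts).Count, $minimumBits, $env:COMPUTERNAME
```

The Store column tells you whether a hit is a root or intermediate you trust (Root, CA) or a certificate you issued or were issued (My), which decides whether the fix is removing the certificate or replacing it with a longer key before August.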
Detection & Deployment
Bulletin | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | SCCM 2007
MS12-036 (RDP) | Yes | Yes | Yes | Yes | Yes | Yes
MS12-037 (IE) | Yes | Yes | Yes | Yes | Yes | Yes
MS12-038 (.NET) | Yes | Yes | Yes | Yes | Yes | Yes
MS12-039 (Lync) | Yes*** | Yes*** | Yes*** | Yes*** | Yes*** | Yes***
MS12-040 (Dynamics AX) | No** | No** | No** | No** | No** | No**
MS12-041 (KMD) | Yes | Yes | Yes | Yes | Yes | Yes
MS12-042 (Kernel) | Yes | Yes | Yes | Yes | Yes | Yes
** Available via the Download Center and the Microsoft Dynamics CustomerSource and Microsoft Dynamics PartnerSource websites.
*** Except for Microsoft Lync 2010 Attendee (user-level install), which is available only via the Download Center.
Other Update Information
Bulletin | Restart | Uninstall | Replaces
MS12-036 (RDP) | Yes | Yes | MS11-065, MS12-020
MS12-037 (IE) | Yes | Yes | MS12-023
MS12-038 (.NET) | Maybe | Yes | None
MS12-039 (Lync) | Maybe | Yes | None
MS12-040 (Dynamics AX) | Maybe | No | None
MS12-041 (KMD) | Yes | Yes | MS12-018
MS12-042 (Kernel) | Yes | Yes | MS11-068, MS11-098
Windows Malicious Software Removal Tool (MSRT)
• During this release Microsoft will increase detection capability for the following families in the MSRT:
– Win32/Cleaman: A malicious program lacking the ability to propagate on its own, Cleaman can perform a variety of actions on an infected machine as directed by a remote attacker.
– Win32/Kuluoz: This trojan takes instruction from remote servers and is known in particular to download variants of Trojan:Win32/FakeSysdef, a fake security scanner.
• Available as a priority update through Windows Update or Microsoft Update.
• Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.
Resources
Blogs
• Microsoft Security Response Center (MSRC) blog: www.blogs.technet.com/msrc
• Security Research & Defense blog: http://blogs.technet.com/srd
• Microsoft Malware Protection Center Blog: http://blogs.technet.com/mmpc/
Twitter
• @MSFTSecResponse
Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx
Bulletins, Advisories, Notifications & Newsletters
• Security Bulletins Summary: www.microsoft.com/technet/security/bulletin/summary.mspx
• Security Bulletins Search: www.microsoft.com/technet/security/current.aspx
• Security Advisories: www.microsoft.com/technet/security/advisory/
• Microsoft Technical Security Notifications: www.microsoft.com/technet/security/bulletin/notify.mspx
• Microsoft Security Newsletter: www.microsoft.com/technet/security/secnews
Other Resources
• Update Management Process: http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
• Microsoft Active Protection Program Partners: http://www.microsoft.com/security/msrc/mapp/partners.mspx
Questions and Answers
• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC Blog: http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.