Live Video Stream - Home


• To receive our video stream in LiveMeeting:
- Click on “Voice & Video”
- Click the drop down next to the camera icon
- Select “Show Main Video”
• Dial-in Information:
- 1 (877) 593-2001, Pin: 3959
• Review of June 2013 Bulletin Release Information
- Five New Security Bulletins
- One New Security Advisory
- One Security Advisory Update
- Microsoft Windows Malicious Software Removal Tool
• Resources
• Questions and Answers: Please Submit Now
- Submit Questions via Twitter #MSFTSecWebcast
[Figure: Severity & Exploitability Index. Chart of Severity (Low, Moderate, Important, Critical), Exploitability Index and deployment priority (DP) for MS13-047 (Internet Explorer), MS13-048 (Windows Kernel), MS13-049 (Kernel-Mode Drivers), MS13-050 (Print Spooler) and MS13-051 (Office); axis labels RISK and IMPACT.]
Bulletin Deployment Priority
Bulletin | Product/Component | KB # | Disclosure | Aggregate Severity | Exploit Index | Max Impact | Deployment Priority
MS13-047 | Internet Explorer | 2838727 | Private | Critical | 1 | RCE | 1
MS13-051 | Office | 2839571 | Private | Important | 1 | RCE | 1
MS13-049 | Kernel-Mode | 2845690 | Private | Important | 3 | DoS | 2
MS13-050 | Print Spooler | 2839894 | Private | Important | 1 | EoP | 2
MS13-048 | Kernel | 2839229 | Private | Important | 3 | ID | 3
MS13-047: Cumulative Security Update for Internet Explorer (2838727)
Exploitability | Versions
CVE
Severity
CVE-2013-3110
CVE-2013-3116
CVE-2013-3117
CVE-2013-3122
CVE-2013-3124
CVE-2013-3141
Latest
Older
NA
1
CVE-2013-3139
CVE-2013-3118
CVE-2013-3120
CVE-2013-3125
Disclosure
Remote Code Execution
Cooperatively Disclosed
1
1
Critical
NA
CVE-2013-3111
CVE-2013-3113
CVE-2013-3119
CVE-2013-3121
CVE-2013-3123
1
1
CVE-2013-3114
CVE-2013-3112
CVE-2013-3142
2
1
CVE-2013-3126
Impact
Moderate
N/A
Affected Products:
- IE6 – IE10 on all supported versions of Windows Client
- IE6 – IE10 on all supported versions of Windows Server
Affected Components: Internet Explorer
Deployment Priority: 1
Main Target: Workstations
Possible Attack Vectors
• An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (All CVEs)
• The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. (All CVEs)
Additional Information
• Installations using Server Core not affected. (All CVEs)
MS13-047: Cumulative Security Update for Internet Explorer (2838727) Continued
Impact of Attack
• An attacker could gain the same user rights as the current user. (All CVEs)
Mitigating Factors
• An attacker cannot force users to view the attacker-controlled content. (All CVEs)
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. (All CVEs)
• By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. (All CVEs)
• By default, script debugging is not enabled for CVE-2013-3126.
Additional Information
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones. (All CVEs)
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone. (All CVEs)
MS13-048: Vulnerability in Windows Kernel Could Allow Information Disclosure (2839229)
CVE: CVE-2013-3136
Severity: Important
Exploitability (Latest | Older versions): 3 | 3
Impact: Information Disclosure
Disclosure: Cooperatively Disclosed
Affected Products: Windows XP SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 for 32-bit Systems SP2, Windows 7 for 32-bit Systems SP1, Windows 8 for 32-bit Systems, Windows Server for 32-bit Systems SP2
Affected Components: Kernel
Deployment Priority: 3
Main Target: Workstations and Terminal Servers
Possible Attack Vectors
• For an attacker to exploit this vulnerability, a user would have to execute a specially crafted application.
• In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted application to a user and convincing them to run it.
Impact of Attack
• An attacker could disclose information from kernel memory on the local system.
Mitigating Factors
• An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability or convince a locally authenticated user to execute a specially crafted application.
Additional Information
• This vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.
MS13-049: Vulnerability in Kernel-Mode Drivers Could Allow Denial of Service (2845690)
CVE: CVE-2013-3138
Severity: Important
Exploitability (Latest | Older versions): 3 | 3
Impact: Denial of Service
Disclosure: Cooperatively Disclosed
Affected Products:
- Windows 8, Windows Server 2012, and Windows RT
- Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
Affected Components: Kernel-Mode Driver
Deployment Priority: 2
Main Target: Workstations and Terminal Servers
Possible Attack Vectors
• An attacker could exploit this vulnerability by sending specially crafted packets to the server.
Impact of Attack
• An attacker could cause the target system to stop responding.
MS13-050: Vulnerability in Windows Print Spooler Components Could Allow Elevation of Privilege (2839894)
CVE: CVE-2013-1339
Severity: Important
Exploitability (Latest | Older versions): 1 | 1
Impact: Elevation of Privilege
Disclosure: Cooperatively Disclosed
Affected Products: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT
Affected Components: Windows
Deployment Priority: 2
Main Target: Workstations and Servers
Possible Attack Vectors
• An authenticated attacker could exploit the vulnerability by deleting a printer connection.
Impact of Attack
• An attacker could run arbitrary code on a user's system with system privileges.
• An attacker could take complete control of an affected system and install programs; view, change, or delete data; or create new accounts.
Mitigating Factors
• An attacker must have valid logon credentials and be able to log on to exploit this vulnerability.
• Disabling the Print Spooler service will help protect the affected system from attempts to exploit this vulnerability.
MS13-051: Vulnerability in Microsoft Office Could Allow Remote Code Execution (2839571)
CVE: CVE-2013-1331
Severity: Important
Exploitability (Latest | Older versions): NA | 1
Impact: Remote Code Execution
Disclosure: Cooperatively Disclosed
Affected Products: Microsoft Office 2003 and Microsoft Office for Mac 2011
Affected Components: Office
Deployment Priority: 1
Main Target: Workstations
Possible Attack Vectors
• An attacker could host a website that contains a specially crafted Office file that is used to attempt to exploit this vulnerability.
• Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.
Impact of Attack
• An attacker could gain the same user rights as the current user.
Mitigating Factors
• Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• An attacker would have no way to force users to visit these websites.
• An attacker would have to convince users to visit the website and open the specially crafted Office file.
Additional Information
• Microsoft is aware of targeted attacks that attempt to exploit this vulnerability.
• Microsoft Security Advisory (2854544): Update to Improve Cryptography and Digital Certificate Handling in Windows
- On June 11, 2013, Microsoft released an update (2813430) for all supported editions of Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT. This update builds on the expanded Certificate Trust List (CTL) functionality provided in update 2677070, which gave enterprises more options for managing their private PKI environments.
• Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
- On June 11, 2013, Microsoft released an update (2847928) for all supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-16.
Detection & Deployment
Bulletin | Windows Update | Microsoft Update | MBSA | WSUS 3.0 | SMS 2003 with ITMU | Configuration Manager
MS13-047 IE | Yes | Yes | Yes [1,2] | Yes [2] | Yes [2] | Yes [2]
MS13-048 Kernel | Yes | Yes | Yes [1] | Yes | Yes | Yes
MS13-049 Kernel-Mode | Yes | Yes | Yes [1,2] | Yes [2] | Yes [2] | Yes [2]
MS13-050 Print Spooler | Yes | Yes | Yes [1,2] | Yes [2] | Yes [2] | Yes [2]
MS13-051 Office | No [3] | Yes [3] | Yes [3] | Yes [3] | Yes [3] | Yes [3]
1. The MBSA does not support detection on Windows 8, Windows RT, and Windows Server 2012.
2. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.
3. Mac is not supported by detection tools.
Other Update Information
Bulletin | Restart | Uninstall | Replaces
MS13-047 IE | Yes | Yes | MS13-037, MS13-038
MS13-048 Kernel | Yes | Yes | MS13-031, MS13-046
MS13-049 Kernel-Mode | Yes | Yes | MS13-018
MS13-050 Print Spooler | Yes | Yes | MS13-001
MS13-051 Office | Maybe | Yes | MS11-073, MS13-026
During this release Microsoft will increase detection capability for the following families in the MSRT:
- WIN32/Tupym: Tupym is a worm - a self-propagating program that can spread itself from one computer to another. Worms may spread themselves via a variety of different channels in order to compromise new machines.
Available as a priority update through Windows Update or Microsoft Update.
Offered through WSUS 3.0 or as a download at: www.microsoft.com/malwareremove.
http://blogs.technet.com/msrc
http://blogs.technet.com/srd
http://blogs.technet.com/mmpc/
www.microsoft.com/technet/security/bulletin/summary.mspx
www.microsoft.com/technet/security/current.aspx
www.microsoft.com/technet/security/advisory/
@MSFTSecResponse
Security Centers
• Microsoft Security Home Page: www.microsoft.com/security
• TechNet Security Center: www.microsoft.com/technet/security
• MSDN Security Developer Center: http://msdn.microsoft.com/en-us/security/default.aspx
www.microsoft.com/technet/security/bulletin/notify.mspx
www.microsoft.com/technet/security/secnews
Other Resources
http://www.microsoft.com/technet/security/guidance/patchmanagement/secmod193.mspx
http://www.microsoft.com/security/msrc/mapp/partners.mspx
• Submit text questions using the “Ask” button.
• Don’t forget to fill out the survey.
• A recording of this webcast will be available within 48 hours on the MSRC blog. http://blogs.technet.com/msrc
• Register for next month’s webcast at: http://microsoft.com/technet/security/current.aspx