Dial In Number 1-800-227-8104 Pin: 3879 Information About Microsoft May 2012 Security Bulletins Dustin Childs Sr. Security Program Manager Microsoft Corporation.

Presentation transcript:

Information About Microsoft May 2012 Security Bulletins
Dustin Childs, Sr. Security Program Manager, Microsoft Corporation
Pete Voss, Sr. Response Communications Manager, Microsoft Corporation

Live Video Stream
To receive our video stream in LiveMeeting:
- Click on Voice & Video
- Click the drop down next to the camera icon
- Select Show Main Video

What We Will Cover
Review of May 2012 Bulletin Release Information
- New Security Bulletins
- Security Advisory
- Microsoft® Windows® Malicious Software Removal Tool
Resources
Questions and Answers: Please Submit Now
- Submit Questions via Twitter #MSFTSecWebcast

Severity and Exploitability Index
[Chart. Axes and legend: Exploitability Index (1, 2, 3; RISK), DP, Severity (Critical, Important, Moderate, Low; IMPACT).]
Bulletins and product families shown: MS12-029 (Office), MS12-030 (Office), MS12-031 (Visio), MS12-032 (Windows), MS12-033 (Windows), MS12-034 (Office, Windows, .NET, Silverlight), MS (.NET)

Bulletin Deployment Priority

MS12-029: Vulnerability In Microsoft Word Could Allow Remote Code Execution ( )
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Critical | N/A | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products: Office 2007 SP2 and SP3, Office 2003 SP3, Office 2008 for Mac, Office for Mac 2011, Office Compatibility Pack SP2, Office Compatibility Pack SP3
Affected Components: Microsoft Word
Deployment Priority: 1
Main Target: Workstations
Possible Attack Vectors:
- Web-Browsing Scenario: An attacker could host a website that contains an RTF file that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.
- Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an attachment and convincing the user to open the attachment.
Impact of Attack:
- An attacker who successfully exploited this vulnerability could cause arbitrary code to run with the privileges of the user who opens a specially crafted RTF file or previews or opens a specially crafted RTF message.
Mitigating Factors:
- An attacker would have no way to force a user to visit a malicious website.
Additional Information:
- For Microsoft Word 2007, in addition to security update package KB , customers also need to install the security update for Microsoft Office Compatibility Pack (KB ) to be protected from the vulnerability described in this bulletin.
Workarounds:
- Read e-mail in plain text (for more, consult KB831607).
- Use Office File Block Policy to block the opening of RTF documents from unknown or untrusted sources or locations.

MS12-030: Vulnerabilities In Microsoft Office Could Allow Remote Code Execution ( )
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Important | 3 | 3 | Remote Code Execution | Cooperatively Disclosed
CVE | Important | 3 | 3 | Remote Code Execution | Cooperatively Disclosed
CVE | Important | N/A | 1 | Remote Code Execution | Publicly Disclosed
CVE | Important | 3 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE | Important | 2 | 2 | Remote Code Execution | Cooperatively Disclosed
CVE | Important | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products: Microsoft Office 2010 SP1, Office 2010, Office 2007 SP3, Office 2007 SP2, Office 2003 SP3, Office 2008 for Mac, Office for Mac 2011, Microsoft Excel Viewer, Office Compatibility Pack SP2 and SP3
Affected Components: Microsoft Excel
Deployment Priority: 2
Main Target: Workstations
Possible Attack Vectors:
- Web-Browsing Scenario: An attacker could host a website that contains a specially crafted Excel file that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.
- Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an attachment and convincing the user to open the attachment.
Impact of Attack:
- An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.
Mitigating Factors:
- An attacker would have no way to force users to visit a website or open an attachment.
- The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.
Additional Information:
- For Microsoft Excel 2007, in addition to security update package KB , customers also need to install the security update for the Microsoft Office Compatibility Pack (KB ).
- Microsoft Excel Viewer must be updated to a supported service pack level (Excel Viewer 2007 Service Pack 2 or Excel Viewer 2007 Service Pack 3) before installing this update.

MS12-031: Vulnerability In Microsoft Visio Viewer Could Allow Remote Code Execution ( )
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Important | 1 | N/A | Remote Code Execution | Cooperatively Disclosed
Affected Products: All supported versions of Microsoft Visio Viewer 2010
Affected Components: Visio Viewer
Deployment Priority: 2
Main Target: Workstations
Possible Attack Vectors:
- Web-Browsing Scenario: An attacker could host a website that contains a Visio file that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.
- Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an attachment and convincing the user to open the attachment.
Impact of Attack:
- An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user.
Mitigating Factors:
- An attacker would have no way to force users to visit a website or open an attachment.
- By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted Sites Zone.

MS12-032: Vulnerability In TCP/IP Could Allow Elevation of Privilege ( )
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Important | N/A | N/A | Security Bypass | Cooperatively Disclosed
CVE | Important | 1 | N/A | Elevation of Privilege | Publicly Disclosed
Affected Products: All supported versions of Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2
Affected Components: Windows Firewall, TCP/IP
Deployment Priority: 3
Main Target: Workstations and Servers
Possible Attack Vectors:
- CVE : In order to use this vulnerability, an attacker would first have to gain access to the local subnet of the target computer. An attacker could then use another vulnerability to acquire information about the target system or execute code on the target system.
- CVE : To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.
Impact of Attack:
- CVE : An attacker who successfully exploited this vulnerability could bypass Windows Firewall.
- CVE : An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process.
Mitigating Factors:
- CVE : An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
- CVE : Microsoft has not identified any mitigating factors for this vulnerability.

MS12-033: Vulnerability In Windows Partition Manager Could Allow Elevation of Privilege ( )
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed
Affected Products: All supported versions of Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2
Affected Components: Windows Partition Manager
Deployment Priority: 3
Main Target: Workstations and Servers
Possible Attack Vectors:
- To exploit this vulnerability, an attacker would first have to log on to the system. Then, an attacker could run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.
Impact of Attack:
- An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode and take complete control of an affected system.
Mitigating Factors:
- An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Additional Information:
- Installations using Server Core are affected.

MS12-034: Combined Security Update For Microsoft Office, Windows, .NET Framework, and Silverlight ( ) (Slide 1 of 3)
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Critical | 1 | 1 | Remote Code Execution | Publicly Disclosed
CVE | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE | Critical | 1 | N/A | Remote Code Execution | Cooperatively Disclosed
CVE | Moderate | N/A | N/A | Denial of Service | Publicly Disclosed
CVE | Important | 2 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE | Important | N/A | 1 | Remote Code Execution | Cooperatively Disclosed
CVE | Critical | N/A | 1 | Remote Code Execution | Cooperatively Disclosed
CVE | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed
CVE | Important | 3 | 1 | Elevation of Privilege | Publicly Disclosed
CVE | Important | 1 | 1 | Elevation of Privilege | Cooperatively Disclosed
Affected Products and Components:
- All supported versions of Windows and Windows Server
- All supported versions of .NET 3, .NET 3.5.1, and .NET 4
- Microsoft Silverlight 4, Microsoft Silverlight 5
- All supported versions of Office (except Compatibility Pack SP2 and SP3, and Office For Mac)
- .NET Framework
Deployment Priority: 1
Main Target: Workstations and Servers

MS12-034: Combined Security Update For Microsoft Office, Windows, .NET Framework, and Silverlight ( ) (Slide 2 of 3)
Vulnerability types: CVE RCE; CVE RCE; CVE RCE; CVE DoS; CVE RCE; CVE RCE; CVE RCE; CVE EoP; CVE EoP; CVE EoP
Affected Products and Components:
- All supported versions of Windows and Windows Server
- All supported versions of .NET 3, .NET 3.5.1, and .NET 4
- Microsoft Silverlight 4, Microsoft Silverlight 5
- All supported versions of Office (except Compatibility SP2 and SP3, and Office For Mac)
- .NET Framework
Possible Attack Vectors:
- CVE , CVE , CVE : File Sharing Scenario: An attacker could exploit this vulnerability by convincing a user to open a specially crafted document file or malicious image on a file or network share.
- CVE , CVE , CVE , CVE , CVE , CVE : Web-Browsing Scenario: An attacker could host a website that contains a webpage that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability. In the case of CVE , a webpage would have to host a specially crafted Office document.
- CVE , CVE , CVE , CVE : Local Attack Scenario: To exploit this vulnerability, an attacker would first have to log on to the system. Then, an attacker could run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.
- CVE : An unauthenticated attacker could send a small number of specially crafted requests to an affected site.
- CVE , CVE : Attack Scenario: An attacker could exploit this vulnerability by sending the user the malicious file as an attachment and convincing the user to open the attachment.

MS12-034: Combined Security Update For Microsoft Office, Windows, .NET Framework, and Silverlight ( ) (Slide 3 of 3)
Vulnerability types: CVE RCE; CVE RCE; CVE RCE; CVE DoS; CVE RCE; CVE RCE; CVE RCE; CVE EoP; CVE EoP; CVE EoP
Affected Products and Components:
- All supported versions of Windows and Windows Server
- All supported versions of .NET 3, .NET 3.5.1, and .NET 4
- Microsoft Silverlight 4, Microsoft Silverlight 5
- All supported versions of Office (except Compatibility SP2 and SP3, and Office For Mac)
- .NET Framework
Impact of Attack:
- CVE , CVE , CVE , CVE , CVE , CVE : An attacker successfully exploiting this issue could gain the same user rights as a logged-on user.
- CVE : An attacker who successfully exploited this vulnerability could run arbitrary code in Kernel mode and take complete control of an affected system.
- CVE , CVE : An attacker who successfully exploited this vulnerability could run arbitrary code in the context of another process.
- CVE : An attacker could cause applications created using WPF APIs that are running on a user's system to stop responding until manually restarted.
Mitigating Factors:
- CVE , CVE , CVE , CVE , CVE , CVE : An attacker would have no way to force users to visit a website or open an attachment.
- CVE , CVE : By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted Sites Zone.
- CVE , CVE , CVE : By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.
- CVE , CVE : An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
- CVE : On systems where MS has been applied, users will be prompted before XBAP applications will execute when in the Internet Zone of Internet Explorer. A user must click through this prompt in order to run the XBAP application on their system.
- CVE : Microsoft has not identified any mitigating factors for this vulnerability.

MS12-035: Vulnerabilities in .NET Framework Could Allow Remote Code Execution ( )
CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
CVE | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed
Affected Products: All supported versions of .NET Framework on all supported versions of Windows and Windows Server
Affected Components: .NET Framework
Deployment Priority: 2
Main Target: Workstations and Servers
Possible Attack Vectors:
- Web-Browsing Scenario: An attacker could host a specially crafted website that contains a specially crafted XBAP (XAML browser application) that is used to exploit this vulnerability. Compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could be used to exploit this vulnerability.
- This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.
Impact of Attack:
- An attacker successfully exploiting this issue could gain the same user rights as a logged-on user.
Mitigating Factors:
- An attacker would have no way to force users to visit a website.
- By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration.
- Standard .NET Framework applications are not affected by this vulnerability. Only specially crafted .NET Framework applications could exploit this vulnerability. (CVE )
Additional Information:
- .NET Framework 4 and .NET Framework 4 Client Profile Affected

Security Advisory – Remote Code Execution Update Rollup For ActiveX Kill Bits
This update sets the kill bits for the following third-party software: Cisco Clientless VPN solution.
- Installing this update will block the vulnerable control from running in Internet Explorer.
- For more information regarding security issues in the Cisco Clientless VPN solution ActiveX control, please see the Cisco Security Advisory, Cisco ASA 5500 Series Adaptive Security Appliance Clientless VPN ActiveX Control Remote Code Execution Vulnerability.
This advisory affects all supported versions of Windows.
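
One way to confirm on an endpoint that a kill bit is in effect after the rollup is installed, as an added example that is not from the webcast or from Microsoft's advisory. It assumes the standard Internet Explorer kill-bit location (the 0x400 flag in the Compatibility Flags value under the ActiveX Compatibility registry key); the function name Test-ActiveXKillBit and the all-zero CLSID are placeholders, because the control's CLSID does not appear on this page.

```powershell
# Added example (not part of the original presentation).
# Reports whether the ActiveX kill bit is set for one CLSID in both the
# native and the 32-bit (Wow6432Node) registry views.
# Run from a 64-bit PowerShell session on 64-bit Windows so that both
# views are visible; on 32-bit Windows the second path simply does not exist.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )

    $killBit = 0x400   # kill-bit flag inside the "Compatibility Flags" DWORD
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )

    foreach ($root in $roots) {
        $path = Join-Path $root $Clsid
        $keyPresent = Test-Path -LiteralPath $path
        $flags = $null

        if ($keyPresent) {
            # The value may be absent even when the key exists.
            $item = Get-ItemProperty -LiteralPath $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($item) { $flags = [int]$item.'Compatibility Flags' }
        }

        $flagsText = $null
        if ($null -ne $flags) { $flagsText = '0x{0:X8}' -f $flags }

        [pscustomobject]@{
            RegistryPath = $path
            KeyPresent   = $keyPresent
            Flags        = $flagsText
            KillBitSet   = ($null -ne $flags) -and (($flags -band $killBit) -ne 0)
        }
    }
}

# Placeholder CLSID: replace with the CLSID published in the vendor advisory.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A host where KillBitSet is False in either view after the update is reported as installed is worth a closer look, since 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view.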

Detection & Deployment
*Except in Microsoft Office 2008 for Mac and Microsoft Office for Mac 2011
**Except Silverlight 4 installed on Mac OS

Other Update Information

Windows Malicious Software Removal Tool (MSRT)
During this release Microsoft will increase detection capability for the following families in the MSRT:
- Win32/Unruy: A trojan that is capable of connecting to certain remote servers to download and execute arbitrary files. It can also delete files, schedule tasks, and perform other actions. Depending on the computer's Internet Explorer settings, it may also disable third-party browser extensions and BHOs from running.
- Win32/Dishigy: A trojan that captures keystrokes and steals login credentials through a method known as "form grabbing". It sends captured data to a remote attacker and is capable of downloading additional malicious components.
For the first time, Microsoft is releasing MSRT to Windows 8 machines.
Available as a priority update through Windows Update or Microsoft Update.
Is offered through WSUS 3.0 or as a download at:

Resources
Blogs
- Microsoft Security Response Center (MSRC) blog:
- Security Research & Defense blog:
- Microsoft Malware Protection Center Blog:
Twitter
Security Centers
- Microsoft Security Home Page:
- TechNet Security Center:
- MSDN Security Developer Center:
Bulletins, Advisories, Notifications & Newsletters
- Security Bulletins Summary: mspx
- Security Bulletins Search:
- Security Advisories:
- Microsoft Technical Security Notifications:
- Microsoft Security Newsletter:
Other Resources
- Update Management Process chmanagement/secmod193.mspx
- Microsoft Active Protection Program Partners: mspx

Questions and Answers
- Submit text questions using the “Ask” button.
- Don’t forget to fill out the survey.
- A recording of this webcast will be available within 48 hours on the MSRC Blog:
- Register for next month’s webcast at:
