To receive our video stream in LiveMeeting: - Click on “Voice & Video” - Click the drop down next to the camera icon - Select “Show Main Video” Dial-in Information: - 1 (877) Pin: 3959
Review of November 2013 Bulletin Release Information - Eight New Security Bulletins - Three New Security Advisories - Two Updated Security Advisories - Microsoft Windows Malicious Software Removal Tool Changes to TechNet Security Resources Questions and Answers: Please Submit Now - Submit Questions via Twitter #MSFTSecWebcast
Severity & Exploitability Index Exploitability Index 1 RISK 2 3 DP Severity Critical IMPACT Important Moderate Low MS13-088MS13-089MS MS13-091MS13-092MS13-093MS13-094MS Internet Explorer ActiveX Kill Bits Windows GDI XML Digital Signatures Office Windows AFD Outlook Hyper-V
Bulletin Deployment Priority
CVESeverity Exploitability | Versions ImpactDisclosure LatestOlder CVE CVE CVE CVE Critical11Remote Code ExecutionCooperatively Disclosed CVE Critical12Remote Code ExecutionCooperatively Disclosed CVE CVE CVE CriticalNA1Remote Code ExecutionCooperatively Disclosed CVE CVE ImportantNA3Information DisclosureCooperatively Disclosed Affected Products IE6 – IE11 on all supported versions of Windows Client (except for IE11 on Windows 7) IE6 – IE10 on all supported versions of Windows Server IE11 on all supported versions of Windows Server (except Windows Server 2008 R2) Affected ComponentsInternet Explorer Deployment Priority1 Main TargetWorkstations Possible Attack Vectors An attacker could use active scripting to initiate the print preview of a specially crafted webpage. (CVE ) In a web-based attack scenario, an attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. (All CVEs) An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (CVE , CVE , CVE , CVE , CVE , CVE , CVE , CVE , CVE ) MS13-088: Cumulative Security Update for Internet Explorer ( )
Impact of Attack An attacker could gather information from any page that the victim is viewing. (CVE ) When a user views a webpage, an attacker could view content from another domain or Internet Explorer zone other than the domain or zone of the attacker's webpage. (CVE ) An attacker could gain the same user rights as the current user. (CVE , CVE , CVE , CVE , CVE , CVE , CVE , CVE ) Mitigating Factors If active scripting is disabled in the victims browser, an attacker would have to convince the victim to manually initiate a print preview of a specially crafted webpage. (CVE ) An attacker cannot force users to visit the attacker-controlled websites or view the attacker-controlled content. (All CVEs) By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML messages in the Restricted sites zone. (CVE , CVE , CVE , CVE , CVE , CVE , CVE , CVE ) By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. (CVE , CVE , CVE , CVE , CVE , CVE , CVE , CVE ) Additional Information Installations using Server Core are not affected. The update is available for Internet Explorer 11 Preview for Windows 8.1 Preview and Windows RT 8.1 Preview. Customers with Internet Explorer 11 Preview are encouraged to apply the updates to their systems. The updates are available on Windows Update. In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes defense-in-depth updates to help improve security-related features in Internet Explorer. MS13-088: Cumulative Security Update for Internet Explorer ( ) continued….
CVESeverity Exploitability | Versions ImpactDisclosure LatestOlder CVE Critical1 1Remote Code ExecutionCooperatively Disclosed Affected ProductsAll supported versions of Windows Client and Windows Server Affected ComponentsWindows Graphics Device Interface (GDI) Deployment Priority1 Main TargetWorkstations and terminal servers Possible Attack Vectors In a web-based attack scenario, an attacker could host a website that contains a specially crafted Windows Write file that is used to attempt to exploit this vulnerability. The attacker could take advantage of compromised websites and websites that accept or host user- provided content. Impact of AttackAn attacker could gain the same user rights as the current user. Mitigating Factors The vulnerability cannot be exploited automatically through . For an attack to be successful a user must open an attachment that is sent in an message. An attacker would have no way to force users to view attacker-controlled content and open a specially crafted file. Additional Information Installations using Server Core are affected. The update is available for Windows 8.1 Preview, Windows RT 8.1 Preview, and Windows Server 2012 R2 Preview. Customers running these operating systems are encouraged to apply the update to their systems. The update is available on Windows Update. MS13-089: Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution ( )
CVESeverity Exploitability | Versions ImpactDisclosure LatestOlder CVE Critical11Remote Code ExecutionCooperatively Disclosed Affected ProductsAll supported versions of Windows ClientAll supported versions of Windows Server Affected ComponentsActiveX Kill Bits Deployment Priority1 Main TargetWorkstations Possible Attack Vectors An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. An attacker could take advantage of compromised websites and websites that accept or host user- provided content or advertisements. Impact of AttackAn attacker could gain the same user rights as the current user. Mitigating Factors An attacker would have no way to force users to view attacker-controlled content. By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML messages in the Restricted sites zone. By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. Additional Information Installations using Server Core are not affected. Microsoft is aware of limited, targeted attacks that attempt to exploit this vulnerability. The update is available for Windows 8.1 Preview and Windows RT 8.1 Preview. Customers running these operating systems are encouraged to apply the updates to their systems. The updates are available on Windows Update. MS13-090: Cumulative Security Update of ActiveX Kill Bits ( )
CVESeverity Exploitability | Versions ImpactDisclosure LatestOlder CVE ImportantNA3Remote Code ExecutionCooperatively Disclosed CVE Important11Remote Code ExecutionCooperatively Disclosed CVE ImportantNA1Remote Code ExecutionCooperatively Disclosed Affected ProductsAll supported versions of Microsoft Office Affected ComponentsMicrosoft Office Deployment Priority2 Main TargetWorkstations Possible Attack Vectors Exploitation of this vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. (All CVEs) In an attack scenario, an attacker could send a specially crafted file to the user and convince the user to open the file in an affected version of Microsoft Office software. (All CVEs) In a web-based attack scenario, an attacker could host a website that contains a specially crafted WordPerfect document file that is used to attempt to exploit this vulnerability. (All CVEs) An attacker could take advantage of compromised websites and websites that accept or host user-provided content that contain specially crafted content. (All CVEs) Impact of AttackAn attacker could run arbitrary code in the context of the current user. (All CVEs) Mitigating Factors The vulnerability cannot be exploited automatically through . For an attack to be successful a user must open an attachment that is sent in an message. (All CVEs) An attacker would have no way to force users to view attacker-controlled content and open a specially crafted file. (All CVEs) Additional Information Although updates are available for Microsoft Office 2010 Service Pack 2, the software is not affected by the vulnerabilities described in this bulletin. Users who choose not to apply the updates for Microsoft Office 2010 Service Pack 2 will not increase the security risk of their system. However, Microsoft recommends that users install all updates offered to their systems. This helps to maintain consistency for shared files across Office products. MS13-091: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution ( )
CVESeverity Exploitability | Versions ImpactDisclosure LatestOlder CVE ImportantNA1Elevation of PrivilegeCooperatively Disclosed Affected ProductsWindows 8 for 64-bit Systems and Windows Server 2012 Affected ComponentsHyper-V Deployment Priority2 Main TargetAny affected system running the affected versions of Hyper-V Possible Attack Vectors An authenticated attacker with administrator privileges on the source VM could exploit this vulnerability by passing a specially crafted function parameter in a hypercall to the host hypervisor. Impact of Attack An attacker could cause the Hyper-V host to crash, subsequently causing the guest VMs to crash as well. An attacker could also potentially execute code on another guest VM. For this to be possible, the target VM must be on the same host as the VM from which the attacker is operating. Mitigating FactorsMicrosoft has not identified any mitigating factors for this vulnerability. Additional InformationInstallations using Server Core are affected. MS13-092: Vulnerability in Hyper-V Could Allow Elevation of Privilege ( )
CVESeverity Exploitability | Versions ImpactDisclosure LatestOlder CVE ImportantNA3Information DisclosureCooperatively Disclosed Affected Products All supported 64-bit editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 Affected ComponentsWindows Ancillary Function Driver (AFD) Deployment Priority2 Main TargetItanium- and x64-based workstations Possible Attack Vectors An attacker would have to log on to an affected system as a local user and run a specially crafted application that is designed to enable the attacker to obtain information from a higher- privileged account. Impact of Attack An attacker could disclose information from kernel memory on the local system. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. Mitigating Factors An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. Additional Information Installations using Server Core are affected. Although the RTM editions of Windows 8.1 for 64-bit Systems and Windows Server 2012 R2 are not affected by the vulnerability addressed in this bulletin, the 64-bit Preview editions are affected. Therefore, customers running Windows 8.1 Preview for 64-bit Systems or Windows Server 2012 R2 Preview are encouraged to apply the update to their systems. The update is available on Windows Update. MS13-093: Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure ( )
CVESeverity Exploitability | Versions ImpactDisclosure LatestOlder CVE Important33Information DisclosurePublicly Disclosed Affected ProductsAll supported versions of Microsoft Outlook (except Microsoft Outlook 2003) Affected ComponentsMicrosoft Outlook Deployment Priority3 Main TargetWorkstations Possible Attack Vectors Exploitation of this vulnerability requires that a user open or preview a specially crafted message with an affected version of Microsoft Outlook. In an attack scenario, an attacker could send a specially crafted S/MIME certificate in an message to the user, and then convince the user to preview or open the . Impact of Attack An attacker could ascertain system information, such as the IP address and open TCP ports, from the target system and other systems that share the network with the target system. Mitigating FactorsMicrosoft has not identified any mitigating factors for this vulnerability. Additional Information In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update adds the functionality to specify, via a registry key setting, whether or not Microsoft Outlook will retrieve remote certificates referenced in an Authority Information Access (AIA) extension. For more information about this change, see Microsoft Knowledge Base Article MS13-094: Vulnerability in Microsoft Outlook Could Allow Information Disclosure ( )
CVESeverity Exploitability | Versions ImpactDisclosure LatestOlder CVE Important33Denial of ServiceCooperatively Disclosed Affected ProductsAll supported versions of Windows Client and Windows Server Affected ComponentsXML Digital Signatures Deployment Priority3 Main TargetServers Possible Attack Vectors An attacker could send a specially crafted X.509 certificate to a web service that performs certificate validation. Impact of Attack An attacker could cause the web service performing certificate validation to become non- responsive. Mitigating FactorsMicrosoft has not identified any mitigating factors for this vulnerability. Additional InformationInstallations using Server Core are affected. MS13-095: Vulnerability in XML Digital Signatures Could Allow Denial of Service ( )
Microsoft Security Advisory ( ): Vulnerability in DirectAccess Could Allow Security Feature Bypass - Microsoft is announcing the availability of an update for all supported releases of Windows to address a vulnerability in how DirectAccess authenticates DirectAccess server connections to DirectAccess clients. - An attacker who successfully exploited the vulnerability could use a specially crafted DirectAccess server to pose as a legitimate DirectAccess Server in order to establish connections with legitimate DirectAccess clients. The attacker-controlled system, appearing to be a legitimate server, could cause a client system to automatically authenticate and connect with the attacker-controlled system, allowing the attacker to intercept the target user's network traffic and potentially determine their encrypted domain credentials. Microsoft is not aware of any active attacks that are exploiting this vulnerability as of the release of this advisory. Recommendation: Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
New Microsoft Security Advisories Microsoft Security Advisory ( ): Update for Disabling RC4 - Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012 and Windows RT to address known weaknesses in RC4. The update supports the removal of RC4 as an available cipher on affected systems through registry settings. It also allows developers to remove RC4 in individual applications through the use of the SCH_USE_STRONG_CRYPTO flag in the SCHANNEL_CRED structure. These options are not enabled by default. Recommendation: Microsoft recommends that customers download and install the update immediately and then test the new settings in their environments. Please see the Suggested Actions section of this advisory for more information.
New Microsoft Security Advisories Microsoft Security Advisory ( ): Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA- 1 hashing algorithm for the purposes of SSL and code signing after January 1, Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. Recommendation: Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information.
Updated Microsoft Security Advisories Microsoft Security Advisory ( ): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer - On November 12, 2013, Microsoft released an update ( ) for Internet Explorer 10 on all supported editions of Windows 8, Windows Server 2012 and Windows RT, and for Internet Explorer 11 on Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2. The update addresses the vulnerabilities described in Adobe Security bulletin APSB For more information about this update, including download links, see Microsoft Knowledge Base Article APSB13-26 Notes: The update for Windows RT is available via Windows Update only. The update is also available for Internet Explorer 11 Preview in Windows 8.1 Preview and Windows RT 8.1 Preview releases. The update is available via Windows Update.
Updated Microsoft Security Advisories Microsoft Security Advisory ( ): Updates to Improve Cryptography and Digital Certificate Handling in Windows - Microsoft released an update ( ) for all supported editions of Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT to address known weaknesses in RC4. The update supports the removal of RC4 as an available cipher on affected systems through registry settings. It also allows developers to remove RC4 in individual applications through the use of the SCH_USE_STRONG_CRYPTO flag in the SCHANNEL_CRED structure. These options are not enabled by default. After applying the update, Microsoft recommends that customers test any new settings for disabling RC4 prior to implementing them in their environments. For more information, see Microsoft Security Advisory Microsoft announced a policy change to the Microsoft Root Certificate Program for the deprecation of the SHA-1 hashing algorithm in X.509 digital certificates. For more information, see Microsoft Security Advisory Microsoft Confidential – For Internal Use Only
Detection & Deployment 1.MBSA 2.2 does not support detection on Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012 and Windows Server 2012 R2. The MBSA 2.3 Customer Preview has concluded. The final release will add support for Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.MBSA 2.3 Customer Preview 2.Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store.
Other Update Information
Windows Malicious Software Removal Tool (MSRT) During this release, Microsoft will add detection capability for the following families in the MSRT: - Win32/Deminnix - A family of trojans that perform bitcoin mining on an affected system and may modify the user’s browser settings.Win32/Deminnix - Win32/Napolar - A family of trojans that performs file download, DDoS attack, network traffic monitoring for FTP/POP3/Web credentials, and also deploys user-mode rootkit for hiding its presence.Win32/Napolar Available as a priority update through Windows Update or Microsoft Update Offered through WSUS 3.0 or as a download at:
Submit text questions using the “Ask” button. Don’t forget to fill out the survey. A recording of this webcast will be available within 48 hours on the MSRC blog. Register for next month’s webcast at: