Dial In Number 1-877-593-2001 Pin: 3959 Information About Microsoft December 2012 Security Bulletins Jonathan Ness Security Development Manager Microsoft.

Presentation transcript:

Information About Microsoft December 2012 Security Bulletins
Jonathan Ness, Security Development Manager, Microsoft Corporation
Dustin Childs, Group Manager, Response Communications, Microsoft Corporation

Live Video Stream
To receive our video stream in LiveMeeting:
- Click on Voice & Video
- Click the drop down next to the camera icon
- Select Show Main Video

What We Will Cover
Review of December 2012 Bulletin Release Information
- Seven security bulletins
- Two updated security advisories
- Five security bulletin re-releases
- Microsoft® Windows® Malicious Software Removal Tool
Resources
Questions and Answers: Please Submit Now
- Submit Questions via Twitter #MSFTSecWebcast

Severity and Exploitability Index
[Chart: Severity (Critical, Important, Moderate, Low; IMPACT) and Exploitability Index (1, 2, 3; RISK), with DP, for MS12-077, MS12-078, MS12-079, MS12-080, MS12-081, MS12-082, MS. Labels: Internet Explorer, Windows File Handling, DirectPlay, Word, Exchange, IP-HTTPS, Kernel]

Bulletin Deployment Priority

MS12-077: Cumulative Security Update for Internet Explorer ( )

CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Critical | NA | 2 | Remote Code Execution | Cooperatively Disclosed
CVE | Critical | NA | 2 | Remote Code Execution | Cooperatively Disclosed
CVE | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products:
- Internet Explorer 9 and 10 on all supported versions of Vista, Windows 7 & 8, and Windows RT
- Internet Explorer 9 & 10 on all supported versions of Windows Server 2008 and 2008 R2, and 2012
- Internet Explorer 6, 7 & 8 on all supported versions of Windows XP, Vista, Windows 7, Windows Server 2003, 2008 & 2008 R2
Affected Components: Internet Explorer
Deployment Priority: 1
Main Target: Workstations
Possible Attack Vectors:
- An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. (All CVEs)
- The attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. (All CVEs)
- An attacker could embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. (CVE )
Impact of Attack:
- An attacker could gain the same user rights as the current user. (All CVEs)
Mitigating Factors:
- An attacker cannot force users to view the attacker-controlled content. (All CVEs)
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML messages in the Restricted sites zone. (All CVEs)
- By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 runs in a restricted mode that is known as Enhanced Security Configuration. (All CVEs)
Additional Information:
- Installations using Server Core are not affected.

MS12-078: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution ( )

CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Critical | 1 | 1 | Remote Code Execution | Publicly Disclosed
CVE | Critical | 1 | 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products: All supported versions of Windows and Windows Server
Affected Components: Kernel-Mode Drivers
Deployment Priority: 2
Main Target: Workstations
Possible Attack Vectors:
- Web-based: an attacker could host a specially crafted website that is designed to exploit this vulnerability and then convince a user to view the website.
- File Sharing: an attacker could provide a specially crafted document file that is designed to exploit this vulnerability.
- Local: an attacker could also exploit this vulnerability by running a specially crafted application to take complete control over the affected system.
Impact of Attack:
- An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
Mitigating Factors:
- By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML messages in the Restricted sites zone.
- An attacker cannot force a user to visit a malicious website.
Additional Information:
- Installations using Server Core are affected.

MS12-079: Vulnerability in Microsoft Word Could Allow Remote Code Execution ( )

CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products:
- All supported editions of Microsoft Word 2007 and Microsoft Word 2010
- All supported editions of Microsoft Word 2003, and all supported versions of Microsoft Word Viewer, Microsoft Office Compatibility Pack, and Microsoft Office Web Apps
Affected Components: Microsoft Word, Word Automation Services
Deployment Priority: 1
Main Target: Workstations
Possible Attack Vectors:
- This vulnerability requires that a user open or preview specially crafted RTF-formatted data with an affected version of Microsoft Office software.
- Email: an attacker could exploit the vulnerability by sending specially crafted RTF-formatted data in the contents of an email message. The vulnerability could be exploited when the specially crafted RTF message is previewed or opened in Outlook while using Microsoft Word as the viewer. An attacker could also exploit the vulnerability by sending a specially crafted RTF file as an attachment and convincing the user to open the specially crafted RTF file.
- Web-based: an attacker could host a website that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability.
Impact of Attack:
- An attacker could gain the same user rights as the current user.
- An attacker could cause arbitrary code to run with the privileges of the user who opens a specially crafted RTF file or previews or opens a specially crafted RTF message.
Mitigating Factors:
- An attacker would have no way to force users to visit a specially crafted website.
Additional Information:
- For Microsoft Office Word 2007 & 2010, in addition to security update package KB , customers also need to install the security update for Microsoft Office Compatibility Pack (KB ) to be protected from the vulnerability described in this bulletin.

MS12-080: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution ( )

CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE CVE | Critical | 1 | 1 | Remote Code Execution | Publicly Disclosed
CVE | Important | 3 | 3 | Denial of Service | Cooperatively Disclosed

Affected Products: All supported editions of Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010
Affected Components: Oracle Outside In Libraries/WebReady Document Viewing
Deployment Priority: 2
Main Target: Exchange Server Systems
Possible Attack Vector:
- An attacker with a valid account on the Exchange server could create a specially crafted RSS feed that is designed to exploit this vulnerability and then subscribe to the RSS feed. (CVE )
- An attacker could send an email message containing a specially crafted file to a user on an affected version of Exchange. When the user previews the specially crafted file in the browser, arbitrary code could be run on the Exchange server. (CVE , CVE )
Impact of Attack:
- An attacker could cause the Information Store service on the affected system to become unresponsive until the process is forcibly terminated. (CVE )
- An attacker could run arbitrary code as LocalService on the affected Exchange server. (CVE , CVE )
Mitigating Factors:
- An attacker must have a valid account on the affected Exchange server and be able to create RSS feeds to exploit this vulnerability. (CVE )
- The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network. (CVE , CVE )
Additional Information:
- This issue was previously described in KB # (CVE )
- CVE and CVE discussed in the Oracle Critical Patch Update Advisory - October 2012 affect Microsoft Exchange Server and are addressed by this update

MS12-081: Vulnerability in Windows File Handling Component Could Allow Remote Code Execution ( )

CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Critical | NA | 1 | Remote Code Execution | Cooperatively Disclosed

Affected Products: All supported editions of Windows XP, Vista, Windows 7, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2
Affected Components: Windows File Handling
Deployment Priority: 2
Main Target: Workstations
Possible Attack Vectors:
- Network: an attacker could host a file with a specially crafted filename on a network share, a UNC, or WebDAV location and then convince the user to browse to the file.
- Email: an attacker could send a specially crafted file or subfolder as an attachment that is designed to exploit this vulnerability.
- Web-based: an attacker would have to host a website that contains a file with a specially crafted name.
Impact of Attack:
- An attacker could gain the same user rights as the current user.
Mitigating Factors:
- The vulnerability cannot be exploited automatically through email.
- An attacker cannot force a user to open an attachment that is sent in an email message.
Additional Information:
- Installations using Server Core are affected (except Windows Server 2012).
- This bulletin deprecates Security Advisory

MS12-082: Vulnerability in DirectPlay Could Allow Remote Code Execution ( )

CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Important | 3 | 2 | Remote Code Execution | Cooperatively Disclosed

Affected Products: All supported versions of Windows Client (except Windows RT) and Windows Server
Affected Components: DirectX
Deployment Priority: 2
Main Target: Workstations
Possible Attack Vectors:
- An attacker could send a specially crafted Office document with embedded content to the user that is designed to exploit this vulnerability.
Impact of Attack:
- An attacker could run arbitrary code as the current user.
Mitigating Factors:
- An attacker cannot force a user to open an attachment that is sent in an email message.
- By default, the DirectPlay ActiveX control is not included in the default allow-list for ActiveX controls in Internet Explorer. Only customers who have explicitly approved this control by using the ActiveX opt-in feature are at risk from attempts to exploit this vulnerability.
Additional Information:
- Installations using Server Core are not affected.

MS12-083: Vulnerability in IP-HTTPS Component Could Allow Security Feature Bypass ( )

CVE | Severity | Exploitability (Latest Software) | Exploitability (Older Versions) | Comment | Note
CVE | Important | NA | NA | Security Bypass | Cooperatively Disclosed

Affected Products: All supported editions of Windows Server 2008 R2 and Windows Server 2012
Affected Components: IP-HTTPS
Deployment Priority: 3
Main Target: Servers
Possible Attack Vectors:
- This could allow security feature bypass if an attacker presents a revoked certificate to an IP-HTTPS server commonly used in Microsoft DirectAccess deployments.
Impact of Attack:
- An attacker could bypass a security feature that relies on the validity of certificates.
Mitigating Factors:
- An attacker must possess a certificate issued from the domain.
- Logging on to a system inside the organization would still require system or domain credentials.
Additional Information:
- Installations using Server Core are affected.

Microsoft Security Advisories
Microsoft Security Advisory ( ): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
- On December 11, 2012, Microsoft revised a security advisory to announce the availability of a new Adobe Flash update.
Microsoft Security Advisory ( ): Compatibility Issues Affecting Signed Microsoft Binaries
- Non-security update to address an issue with certificate timestamps.
- This could cause compatibility problems with certain programs.
- Added the KB and KB updates described in MS12-043, the KB and KB updates described in MS12-057, and the KB update described in MS to the list of available rereleases.

December Security Bulletin Re-releases
The following updates are being re-released to address an issue involving specific digital certificates that were generated by Microsoft without proper timestamp attributes:
- MS12-043: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution ( )
- MS12-057: Vulnerability in Microsoft Office Could Allow Remote Code Execution ( )
- MS12-059: Vulnerability in Microsoft Visio Could Allow Remote Code Execution ( )
- MS12-060: Vulnerability in Windows Common Controls Could Allow Remote Code Execution ( )

December Security Bulletin Re-releases Cont…
MS12-050: Vulnerabilities in SharePoint Could Allow Elevation of Privilege ( ) Re-release
- Rereleased this bulletin to announce availability of an update for Microsoft Windows SharePoint Services 2.0. No other update packages are affected by this rerelease.

Detection & Deployment
1. The MBSA does not support detection on Windows 8, Windows RT, and Windows Server
2. Yes, but detection only applies to single-server SharePoint deployments, and the detection tools do not support systems configured as part of a multiple-system SharePoint server farm.
3. Windows RT systems only support detection and deployment from Windows Update, Microsoft Update and the Windows Store

Other Update Information
1. Uninstall is not supported in all editions of SharePoint Server 2010 and all versions of Web Apps 2010

Windows Malicious Software Removal Tool (MSRT)
During this release Microsoft will increase detection capability for the following families in the MSRT:
- Win32/Phdet: A family of backdoor trojans that is used to perform Distributed Denial of Service attacks against specified targets.
December MSRT will be distributed to Windows 8, x86 and amd64.
Available as a priority update through Windows Update or Microsoft Update.
Offered through WSUS 3.0 or as a download at:

Resources
Blogs
- Microsoft Security Response Center (MSRC) blog
- Security Research & Defense blog
- Microsoft Malware Protection Center Blog
Twitter
Security Centers
- Microsoft Security Home Page
- TechNet Security Center
- MSDN Security Developer Center
Bulletins, Advisories, Notifications & Newsletters
- Security Bulletins Summary
- Security Bulletins Search
- Security Advisories
- Microsoft Technical Security Notifications
- Microsoft Security Newsletter
Other Resources
- Update Management Process
- Microsoft Active Protection Program Partners

Questions and Answers
- Submit text questions using the “Ask” button.
- Don’t forget to fill out the survey.
- A recording of this webcast will be available within 48 hours on the MSRC Blog:
- Register for next month’s webcast at:
