Dial In Number 1-800-229-0449 Pin: 5639 Information About Microsoft January 2012 Security Bulletins Dustin Childs Sr. Security Program Manager, MSRC Microsoft.

Presentation transcript:

Information About Microsoft January 2012 Security Bulletins
Dustin Childs, Sr. Security Program Manager, MSRC, Microsoft Corporation
Pete Voss, Sr. Response Communications Manager, Microsoft Corporation

Live Video Stream
To receive our video stream in LiveMeeting:
- Click on Voice & Video
- Click the drop down next to the camera icon
- Select Show Main Video

What We Will Cover
Review of January 2012 Bulletin release information:
- New Security Bulletins
- Microsoft® Windows® Malicious Software Removal Tool
Resources
Questions and Answers: Please Submit Now

Severity and Exploitability Index
[Chart: Exploitability Index (1, 2, 3; RISK), Severity (Critical, Important, Moderate, Low; IMPACT) and deployment priority (DP) for bulletins MS12-001, MS12-002, MS12-003, MS12-004, MS12-005 and MS12-006; product labels: Windows, Developer Tools & Software.]

Bulletin Deployment Priority

MS12-001: Vulnerability in Windows Kernel Could Allow Security Feature Bypass ( )
CVE : Severity: Important; Exploitability: 1 (Latest Software), 1 (Older Versions); Comment: Security Feature Bypass; Note: Cooperatively Disclosed
Affected Products: All supported versions of Windows and Windows Server (except XP SP3)
Affected Components: Windows Kernel
Deployment Priority: 3
Main Target: Servers and Workstations
Possible Attack Vectors:
- An attacker could bypass the SafeSEH security feature in a software application.
Impact of Attack:
- An attacker who successfully exploited this vulnerability could bypass the security feature and then use other vulnerabilities to run arbitrary code.
Mitigating Factors:
- Only software applications that were compiled using the original RTM version of the Microsoft Visual C++ .NET 2003 (version 7.1) can be used to exploit this vulnerability.
Additional Information:
- Can only be exploited in conjunction with another vulnerability.
- Machines to which the update is applied are protected, regardless of whether affected applications are recompiled in an unaffected version of VS.

MS12-002: Vulnerability In Windows Object Packager Could Allow Remote Code Execution ( )
CVE : Severity: Important; Exploitability: N/A (Latest Software), 1 (Older Versions); Comment: Remote Code Execution; Note: Cooperatively Disclosed
Affected Products: All supported editions of Windows XP and Windows Server 2003
Affected Components: Object Packager
Deployment Priority: 2
Main Target: Workstations
Possible Attack Vectors:
- An attacker could place a legitimate file with an embedded packaged object and a specially crafted executable file in a network share, a UNC, or WebDAV location and then convince the user to open the legitimate file.
Impact of Attack:
- An attacker who exploits this vulnerability could gain the same user rights as the logged-on user.
Mitigating Factors:
- The attacker cannot force the user to visit an untrusted remote file system or WebDAV share and open a legitimate file.
- The file sharing protocol (SMB) is often disabled on the perimeter firewall.
Additional Information:
- Blocking TCP ports 139 and 445 at the firewall is a viable workaround for this vulnerability.

MS12-003: Vulnerability In Windows Client/Server Run-Time Subsystem Could Allow Elevation of Privilege ( )
CVE : Severity: Important; Exploitability: N/A (Latest Software), 1 (Older Versions); Comment: Elevation of Privilege; Note: Cooperatively Disclosed
Affected Products: All supported editions of Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008
Affected Components: Client Server Run-Time Subsystem (CSRSS)
Deployment Priority: 2
Main Target: Servers and Workstations
Possible Attack Vectors:
- An attacker could exploit this vulnerability if they log on to the affected system and run a specially crafted application.
Impact of Attack:
- An attacker could take complete control of the affected system.
Mitigating Factors:
- An attacker must have valid logon credentials and be able to log on locally or remotely to exploit this vulnerability.
- This vulnerability can only be exploited on systems configured with a Chinese, Japanese, or Korean system locale.
Additional Information:
- The vulnerability is not exploitable unless the system locale is set to Chinese, Japanese, or Korean.

MS12-004: Vulnerabilities in Windows Media Could Allow Remote Code Execution ( )
CVE : Severity: Critical; Exploitability: 1 (Latest Software), 1 (Older Versions); Comment: Remote Code Execution; Note: Cooperatively Disclosed
CVE : Severity: Important; Exploitability: 1 (Latest Software), 1 (Older Versions); Comment: Remote Code Execution; Note: Cooperatively Disclosed
Affected Products:
- All supported editions of Microsoft Windows XP, Vista, Server 2003 and Server 2008 R1
- All editions of Windows 7, Windows Server 2008 R2, Windows Media Center TV Pack for Windows Vista x32 and x64
Affected Components: Windows Media Player
Deployment Priority: 1
Main Target: Workstations
Possible Attack Vectors:
- CVE : An attacker could exploit this vulnerability by convincing the user to open a specially crafted MIDI file.
- CVE : An attacker could exploit the vulnerability by sending a user an e-mail message containing a specially crafted media file and convincing the user to open the media file.
- In a Web-based attack scenario, an attacker would have to host a website that contains a specially crafted media file.
Impact of Attack:
- An attacker could gain the same user rights as the exploited logged-on user, which could include installing programs, viewing, changing or deleting data, or creating new accounts with full user rights.
Mitigating Factors:
- An attacker has to convince the user to open the specially crafted media file.
- CVE ONLY: In Windows Media Player 10, 11, and 12, the WMP security settings block the display of captions by default.
Additional Information:
- Installations using Server Core are not affected for the following platforms: Windows Server 2008 R2, Windows Server 2008 x64 SP2 (DirectShow only), Windows Server 2008 x32 SP2 (DirectShow only).

MS12-005: Vulnerability In Windows Could Allow Remote Code Execution ( )
CVE : Severity: Important; Exploitability: 1 (Latest Software), 1 (Older Versions); Comment: Remote Code Execution; Note: Cooperatively Disclosed
Affected Products: All supported editions of Microsoft Windows
Affected Components: Windows
Deployment Priority: 2
Main Target: Workstations
Possible Attack Vectors:
- In either an e-mail-based or web-based scenario, an attacker can exploit this vulnerability by convincing a user to open a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application.
Impact of Attack:
- This vulnerability allows attackers to embed ClickOnce application installers into Microsoft Office documents and execute code without user interaction.
Mitigating Factors:
- An attacker has to convince the user to open the specially crafted Microsoft Office file.
- To deploy across a network, the deployment manifest and application manifest of a ClickOnce deployment must both be signed with a digital certificate.
Additional Information:
- Installations using Server Core are not affected.

MS12-006: Vulnerability In SSL/TLS Could Allow Information Disclosure ( )
CVE : Severity: Important; Exploitability: 3 (Latest Software), 3 (Older Versions); Comment: Information Disclosure; Note: Publicly Disclosed
Affected Products: All Supported Editions of Microsoft Windows
Affected Components: SSL/TLS
Deployment Priority: 2
Main Target: Workstations and Servers
Possible Attack Vectors:
- An attacker could exploit this vulnerability by intercepting encrypted web traffic from an affected system, via the web browser.
Impact of Attack:
- An attacker could decrypt intercepted encrypted traffic.
Mitigating Factors:
- TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
Additional Information:
- This security update also addresses the vulnerability first described in Microsoft Security Advisory
- This vulnerability affects the SSL/TLS protocol and is not specific to the Windows operating system.
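
The MS12-006 mitigating factor (TLS 1.1, TLS 1.2 and non-CBC cipher suites are not affected) can be applied as a triage check over TLS connection logs while the update is being deployed. The following Python code is an added example, not part of the original webcast; the log format, sample lines and function names are constructed, and it assumes that SSL 3.0 and TLS 1.0 are the protocol versions in scope.

```python
import re

# Protocol versions the slide lists as not affected.
UNAFFECTED_VERSIONS = {"TLSv1.1", "TLSv1.2"}
# Assumption (not stated on the slide): older versions are the ones in scope.
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.0"}

IN_SCOPE = "in-scope: legacy protocol with CBC cipher suite"
OK_VERSION = "not-affected: protocol version"
OK_CIPHER = "not-affected: non-CBC cipher suite"
UNKNOWN = "unknown: unrecognized protocol version"

# Stream, AEAD or null suites never use CBC mode.
NON_CBC = re.compile(r"RC4|GCM|CCM|CHACHA20|NULL")
# Block ciphers that run in CBC mode unless an AEAD marker is present.
BLOCK = re.compile(r"AES|DES|CAMELLIA|SEED|IDEA|RC2|ARIA")


def uses_cbc(suite: str) -> bool:
    """Return True if a cipher suite name denotes a CBC-mode block cipher.

    IANA names carry an explicit CBC token (TLS_RSA_WITH_AES_128_CBC_SHA);
    OpenSSL names omit it (AES128-SHA), so a block cipher with no
    stream/AEAD marker is treated as CBC.
    """
    name = suite.upper()
    if "CBC" in name:
        return True
    if NON_CBC.search(name):
        return False
    return bool(BLOCK.search(name))


def classify(version: str, suite: str) -> str:
    """Apply the slide's mitigating factor to one negotiated connection."""
    version = version.strip()
    if version in UNAFFECTED_VERSIONS:
        return OK_VERSION
    if version not in LEGACY_VERSIONS:
        return UNKNOWN
    return IN_SCOPE if uses_cbc(suite) else OK_CIPHER


LINE_RE = re.compile(r"client=(\S+)\s+proto=(\S+)\s+cipher=(\S+)")

# Constructed sample log (hypothetical format), including one malformed line.
SAMPLE_LOG = """\
2012-01-10T09:00:01 client=10.0.0.5 proto=TLSv1 cipher=AES128-SHA
2012-01-10T09:00:02 client=10.0.0.6 proto=TLSv1 cipher=RC4-SHA
2012-01-10T09:00:03 client=10.0.0.7 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2012-01-10T09:00:04 client=10.0.0.8 proto=SSLv3 cipher=TLS_RSA_WITH_3DES_EDE_CBC_SHA
2012-01-10T09:00:05 client=10.0.0.9 proto=TLSv1.1 cipher=AES256-SHA
2012-01-10T09:00:06 handshake aborted before cipher negotiation
"""


def triage(log_text: str) -> dict:
    """Group client addresses by classification; skip unparseable lines."""
    groups = {}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        client, proto, cipher = match.groups()
        groups.setdefault(classify(proto, cipher), []).append(client)
    return groups


if __name__ == "__main__":
    for verdict, clients in triage(SAMPLE_LOG).items():
        print(f"{verdict}: {', '.join(clients)}")
```

Clients in the in-scope group are the ones whose traffic relies on the update rather than on the mitigating factor.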

MS12-007: Vulnerability In AntiXSS Library Could Allow Information Disclosure ( )
CVE : Severity: Important; Exploitability: 3 (Latest Software), 3 (Older Versions); Comment: Information Disclosure; Note: Cooperatively Disclosed
Affected Products: Microsoft Anti-Cross Site Scripting Library versions 3.x and 4
Affected Components: Anti-Cross Site Scripting (AntiXSS) Library
Deployment Priority: 3
Main Target: Workstations
Possible Attack Vectors:
- To exploit this vulnerability, an attacker could send specially crafted HTML to a target website that is using the sanitization module of the AntiXSS Library.
Impact of Attack:
- An attacker could perform a cross-site scripting (XSS) attack on a website that is using the AntiXSS Library to sanitize user-provided HTML and pass a malicious script through a sanitization function and expose information not intended to be disclosed.
Mitigating Factors:
- Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.
Additional Information:
- This bulletin will be available via the Download Center only.
- This vulnerability would not allow an attacker to execute code or elevate the attacker’s user rights directly.
- Version 4.2 is not affected.

Detection & Deployment
*Available Via Download Center Only

Other Update Information

Windows Malicious Software Removal Tool (MSRT)
This month, the Windows Malicious Software Removal Tool will add detections for the following family:
- Win32/Sefnit is a widespread trojan that includes a configurable payload controlled by a set of remote hosts.
Availability:
- Available as a priority update through Windows Update or Microsoft Update
- Is offered through WSUS
Also available as a download at:

Resources
Blogs
- Microsoft Security Response Center (MSRC) blog
- Security Research & Defense blog
- Microsoft Malware Protection Center Blog
Twitter
Security Centers
- Microsoft Security Home Page
- TechNet Security Center
- MSDN Security Developer Center
Bulletins, Advisories, Notifications & Newsletters
- Security Bulletins Summary
- Security Bulletins Search
- Security Advisories
- Microsoft Technical Security Notifications
- Microsoft Security Newsletter
Other Resources
- Update Management Process: chmanagement/secmod193.mspx
- Microsoft Active Protection Program Partners

Questions and Answers
- Submit text questions using the “Ask” button.
- Don’t forget to fill out the survey.
- A recording of this webcast will be available within 48 hours on the MSRC Blog:
- Register for next month’s webcast at:
